Best Practices in Preparation for a Data Breach
The risk of a cyber-based attack is not only a reality, but lately feels more like an inevitability. Any organization connected to the Internet can suffer a data breach, and no company is immune. Year after year, companies boost spending on cybersecurity in an increasingly fruitless attempt to protect their data.1 In the last two years alone, major companies like Sony Pictures Entertainment, JPMorgan Chase & Co., eBay Inc., Home Depot Inc., Target Corporation, and Facebook Inc. all suffered major online attacks that resulted in the leak of sensitive customer data, employee personal data, and/or corporate correspondence.2
A data breach, however, can take a serious toll on a company of any size.3 A recent study calculated that the average annualized cost of a typical data breach was $11.6 million in the United States (a 30 percent increase from the previous year), with that number likely to rise even higher as cyber-based attacks continue to increase in frequency.4 As cyber-based attacks become larger and more widespread, those impacted will turn to the courts to seek redress—not only against the cyber criminals, but also to hold those who experienced the attack responsible. In fact, two states, California and Connecticut, already place a larger onus on companies by requiring some form of free credit monitoring (paid by the company experiencing the data breach) in their amended data breach notification laws.
Whatever the root cause of the data breach (commonly malicious/criminal attack, system glitch, or human error), companies must be proactive to develop a preparedness plan to swiftly prevent further data loss, customer backlash, and/or significant fines.5 Preparation is, therefore, key to the proper handling of any cyber-related attack to avoid future headaches for clients. Attorneys should promote the following five best practices, as gleaned from the U.S. Department of Justice and elsewhere, that client companies should consider to be fully prepared for the realities of a cyber-based attack. While these best practices cannot guarantee a cyber-related attack will not occur, they are a good starting point to minimize the risk.
Step One: Secure Appropriate Legal Counsel
Although cybersecurity was previously believed to be the province of information technology (IT) staff and risk management, lawyers are truly the ones best suited to assess compliance, apply relevant laws to the facts and circumstances of the company, and inform decision making for companies’ cybersecurity efforts.6 Indeed, “[a]n organization faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws....”7 Only by engaging appropriate legal counsel can an organization be fully prepared.
Step Two: Identify Critically Sensitive Information
Every client has different mission-critical needs. “For some organizations, even a short-term disruption in their ability to send or receive email will have a devastating impact on their operations, [while] others are able to rely on other means of communication to transact business, but [ ] may suffer significant harm if certain intellectual property is stolen.”8 Before formulating a plan (step three), a company should identify its ‘crown jewels’ (i.e., the data, assets, or services that warrant the most protection during a cyber-based attack).9 At the same time, systems should be examined and evaluated for their general security needs to uncover potential vulnerabilities not previously realized.10
Step Three: Have an Actionable Plan in Place
During a cyber-based attack is not the time to start thinking about emergency procedures or considering for the first time how best to respond. Companies should develop data breach response plans and educate the entire organization on proper protocol in the event of a breach.11 Critically, the plan should be actionable, meaning that it should provide “specific, concrete procedures to follow in the event of a cyber incident.”12 At a minimum, procedures should address: 1) who has lead responsibility for different elements of a cyber incident response; 2) how to contact critical personnel at any time; 3) how to proceed if critical personnel are unreachable; 4) what mission-critical data should be prioritized for greatest protection; 5) how to preserve data related to the intrusion in a forensically sound manner; 6) what criteria will be used to ascertain whether data owners/customers should be notified if data is stolen; and 7) procedures for notifying law enforcement.13
Step Four: Have Appropriate Technology and Services in Place
Companies “should already have in place or have ready access to the technology and services that they will need to respond to a cyber[-based attack].”14 “Such equipment may include off-site data back-up, intrusion detection capabilities, data loss prevention technologies, and devices for traffic filtering or scrubbing.”15 For a complete record of what goes on in the systems, companies should also collect detailed logs and report data.16 Likewise, all of the necessary technology to thwart a cyber-based attack “should already be installed, tested, and ready to deploy,” and any additional services that may be necessary should be identified prior to such an incident.17
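Item 5 of the plan in step three (preserving intrusion-related data in a forensically sound manner) and the log-collection point above both come down to the same mechanical discipline: once an artifact is collected, prove later that it has not changed. The following is an added example, not code from the original article or from the Department of Justice guidance it cites. It hashes each collected file with SHA-256, records who collected it and when in a manifest, seals the manifest with its own hash, and re-verifies the set on demand. The file names, log lines and collector name are constructed for illustration.

```python
"""Evidence preservation helper: hash collected artifacts and record a manifest.

Added example, not from the original article. Every collected file is hashed
(SHA-256), the hash, size, collector and UTC collection time are written to a
manifest, the manifest body is itself hashed so it can be sealed (printed and
signed, or stored apart from the evidence), and the whole set can be re-verified
later to show nothing changed in custody. Paths, file names and log contents
below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images/logs fit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Hash each artifact and record who collected it and when (UTC)."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"entries": entries}
    # Hash of the manifest body itself, so the record can be sealed and any
    # later edit to the manifest (not just to the evidence) is detectable.
    body = json.dumps(entries, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Re-hash every artifact; return the list of paths that no longer match.

    An empty list means the evidence set is intact. A tampered manifest is
    reported as a single sentinel entry, since none of its hashes can be trusted.
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != manifest["manifest_sha256"]:
        return ["<manifest tampered>"]
    mismatched = []
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            mismatched.append(e["path"])
    return mismatched


def demo():
    """Constructed scenario: two log files are preserved, then one is altered."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    auth_log = os.path.join(workdir, "auth.log")
    web_log = os.path.join(workdir, "access.log")
    with open(auth_log, "w") as f:  # constructed sample line, not a real log
        f.write("Jun 01 02:14:07 host sshd[412]: Failed password for root from 203.0.113.9\n")
    with open(web_log, "w") as f:   # constructed sample line, not a real log
        f.write('203.0.113.9 - - [01/Jun/2015:02:15:01 +0000] "GET /admin HTTP/1.1" 403 12\n')

    manifest = build_manifest([auth_log, web_log], collector="ir-analyst-1")
    clean = verify_manifest(manifest)          # nothing changed yet

    with open(auth_log, "a") as f:             # simulate post-collection alteration
        f.write("tampered\n")
    dirty = verify_manifest(manifest)          # auth.log now fails verification
    return clean, dirty


if __name__ == "__main__":
    print(demo())
```

In practice the manifest (and ideally the evidence) is copied to write-once or off-host storage immediately after collection, and the manifest hash is recorded somewhere the attacker cannot reach, such as a printed chain-of-custody form signed by the collector; a hash that lives only next to the files it protects proves little.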
Step Five: Engage with Law Enforcement Before an Incident
It would be beneficial for a company to attempt to establish a relationship with local federal law enforcement officers well before a cyber incident occurs. “Having [such] a point-of-contact and a pre-existing relationship with law enforcement will facilitate any subsequent interaction that may occur if an organization needs to enlist law enforcement’s assistance.”18 A company’s legal counsel can help it reach out to law enforcement and facilitate communication with the appropriate authorities. The principal federal law enforcement agencies responsible for investigating criminal violations of the federal Computer Fraud and Abuse Act, a law intended to reduce instances of malicious interference with computer systems and to address federal criminal offenses, are the Federal Bureau of Investigation and the U.S. Secret Service.19
These best practices can minimize the harm of an attack and, by preparing ahead of time, potentially expose existing weaknesses in security systems and software. Given the rising costs and likely inevitability of cyber-based attacks, however, it may also be advisable to secure cyber insurance to defray costs of notification to affected persons, responding to a data breach, and the public relations campaign necessary to restore confidence in a company that experiences such an attack.
For further information on this issue, please contact Jonathan Klein (215.864.6887; firstname.lastname@example.org) or another member of our Cyber Law and Data Protection Group.
Originally published in New Jersey State Bar Association Federal Practice and Procedure Section Newsletter.
1. Dan Burrows, The Surprising Cost of Cybersecurity, InvestorPlace (2015).
2. See id.
3. Experian, Data Breach Response Guide, at p. 4 (2014).
4. Ponemon Institute, 2013 Cost of Cyber Crime Study: United States, at p. 3 (2013).
5. Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis, at p. 2 (2015).
6. Hanover Research, The Emergence of Cybersecurity Law, at p. 18 (2015).
7. U.S. Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents, at p. 4 (2015).
8. See id. at pp. 1-2.
10. National Highway Traffic Safety Administration, A Summary of Cybersecurity Best Practices, at p. 7 (2014).
11. Data Breach Response Guide, at p. 4.
12. Best Practices for Victim Response and Reporting of Cyber Incidents, at p. 4.
14. Id. at p. 3.
15. See id.
16. Observe It, 10 Best Practices for Cyber Security in 2015, at ¶ 3 (2015).
17. Best Practices for Victim Response and Reporting of Cyber Incidents, at p. 3.
18. See id. at p. 5.