Incident Response (IR) time is critical when your business discovers a data breach, cyber intrusion, email intrusion or other cyber security threat. IR time will be lengthened or rendered useless if there is no IR plan in place before an incident occurs. Therefore, PREVENTION is step one. PREVENTION includes both technical and human factors analysis and training. Solid IT personnel are critical to building appropriate security systems, but the human factors variable is very difficult to train and control. The tendency of human beings to make quick and sometimes rash technical responses to emails and pop-ups, combined with sophisticated and well disguised phishing or cyber intrusion, is difficult to control or stop. Some user reactions are entirely innocent and can hardly be blamed, as sophisticated email intrusion, for example, is hard even for experts to discover before it's too late. Companies need guidance from legal and technical professionals on such pre-incident IR training. It is wise to set up, in advance, a partnership with an outside IR vendor who can be called 24/7 to assist with Incident Response. It is also critical to determine what is private on any company server or device. PRIVACY is a specific lawyer discipline and good legal counsel should be retained to assist with a PRIVACY audit and evaluation. Do a PRIVACY AUDIT with the benefit of outside legal counsel to determine best methods for securing data and for intrusion prevention. Also – do an INSURANCE COVERAGE AUDIT to determine what coverage you have for data breach. You may indeed have coverage for both first party loss (your own loss) and third party liability (another person’s loss), but the limits of coverage on many policies are very small. Consultation with your insurance broker and knowledgeable insurance coverage counsel is wise. Limits of coverage can make all of the difference in any such loss.
MITIGATION through execution of the IR Plan is the best practice when an Incident is discovered. Good IT professionals can quickly gauge the criticality level of an Incident and respond accordingly. Killing running processes and uninstalling unwanted programs or malware to accomplish remediation is within their sphere, or that capability should be brought in from the outside through an experienced vendor. They should focus on preventing malware from moving laterally throughout the company data environment and onto personal devices. As with the recent Microsoft Exchange Server vulnerability hack, there are patches which can be installed to prevent future internet intrusions of the same kind. Activity logs can be searched to determine whether an intrusion occurred or whether there may be an internal problem. Implementation of an IR plan should be done in consultation with any existing in-house IT resources, outside technical resources and legal advice from a competent cybersecurity law firm. The plan must be tailored to your business model and your IT structure. It should categorize response protocols for different levels of Incident from High Criticality to Low, and everything in between. Escalation steps should be pre-planned and implemented depending on the nature of the breach. Stakeholders and legal counsel should be immediately alerted.
CRITICALITY level depends on the type of information that you have stored on internet accessible servers; those that contain personally identifiable information (PII) of employees and customers/clients should be seen as most critical. Business trade secrets, legal information, and protected client business information are also high on the list of information that raises the criticality level. Good IT staff may immediately need outside IT and forensic resources to preserve data and activity logs. Most Microsoft servers are defaulted to storing email activity logs for 90 days, but the level of the system may alter that timeline. Low end tech systems may have to be modified to set them at 90 days or upgraded to do so. Higher end systems can be set to store logs for a longer period of time. Hackers and intruders do not generally just hop onto a system for a single day and hope to strike it lucky. Bad actors generally intrude and monitor for many days or weeks, and therefore the storage of activity logs which could show the timing of a long term intrusion may be really important. The logs may not recover any stolen money, but they can be incredibly important in determining legal liability, if any, for cyber incidents. Remember that the company which is intruded/cyber attacked may not be the company or person who suffers the actual financial loss, so lawsuits, insurance claims and litigation are often a by-product of these Incidents.
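As an added illustration of the log retention point above (this is example code, not part of the original article or the firm's own tooling), the following Exchange Management Shell snippet reports how long each mailbox's audit log and each transport server's message tracking log are kept, and raises any that fall short of a chosen target. It assumes an on-premises Microsoft Exchange Server and administrator rights; the 180-day targets are illustrative values chosen for the example, not a legal requirement.

```powershell
# Added example (not from the original article): check and extend Exchange log
# retention so that a long-dwell intrusion is still visible in the logs.
# Assumes an on-premises Exchange Server and the Exchange Management Shell;
# the 180-day targets below are illustrative choices for this example.

$TargetAuditDays    = 180   # per-mailbox audit log (Exchange default is 90 days)
$TargetTrackingDays = 180   # transport message tracking log

# 1. Mailbox audit logging records who accessed which mailbox, and when.
#    Find mailboxes whose audit history would be discarded before the target.
$short = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AuditLogAgeLimit.TotalDays -lt $TargetAuditDays }

foreach ($mbx in $short) {
    Write-Host ("{0}: audit log kept {1} days, raising to {2}" -f
        $mbx.Alias, [int]$mbx.AuditLogAgeLimit.TotalDays, $TargetAuditDays)
    # Make sure auditing is on and extend the age limit (format dd.hh:mm:ss).
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditLogAgeLimit ("{0}.00:00:00" -f $TargetAuditDays)
}

# 2. Message tracking logs on each transport server record message flow,
#    which is the evidence needed to time a long-running email intrusion.
Get-TransportService | ForEach-Object {
    $days = $_.MessageTrackingLogMaxAge.TotalDays
    Write-Host ("{0}: message tracking kept {1} days" -f $_.Name, [int]$days)
    if ($days -lt $TargetTrackingDays) {
        Set-TransportService -Identity $_.Name `
            -MessageTrackingLogMaxAge ("{0}.00:00:00" -f $TargetTrackingDays)
    }
}
```

Raising the age limit alone is not sufficient on a busy server: Exchange also trims message tracking logs once the directory reaches its size cap (the MessageTrackingLogMaxDirectorySize setting on the same transport service), so that cap should be reviewed at the same time, and any change to retention should be recorded so that counsel can later show what logs existed and for how long.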
NOTIFICATION of interested or affected parties is both wise and, in some cases, required by law. NOTIFICATION of all insurance carriers is also critical, as many Cyber insurance policies or endorsements have very short notice provisions which can be used to bar or exclude coverage if not followed. Nearly every state in the country has specific laws on NOTIFICATION of people whose data was compromised. A cyber incident or intrusion which results in a breach of Personally Identifiable Information (PII) (or HIPAA protected information) may trigger certain legal reporting requirements. See (Westlaw’s link): Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act. Here is a link to the actual Pennsylvania statute: https://www.legis.state.pa.us/WU01/LI/LI/US/HTM/2005/0/0094..HTM . Here is a summary of the Pennsylvania Notification Act:
- Enacted in 2006, Pennsylvania’s data breach notification law requires entities doing business in Pennsylvania that maintain, store, or manage computerized personal information of Pennsylvania residents to notify affected individuals of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
- Notice must be made without unreasonable delay.
- If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
- Breached third parties must notify relevant data owners or licensees.
- Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
- Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
- Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are entities that comply with relevant notification requirements of federal regulators.
LITIGATION is often an unfortunate outcome of a data breach Incident. Frequently, the hacker is in control of both ends of a cyber transaction. Therefore the knee-jerk reaction of one entity’s IT person is to declare that he checked the logs and “there was no intrusion on our end”. Query how long the logs were set to record activity and what indeed was searched. The best course is for the two aggrieved parties to work together to investigate in a bilateral incident. The FBI and local law enforcement should immediately be notified if criminal activity is suspected, but don’t expect instant investigation. That’s why it is important in the IR to have an outside vendor make evidentiary copies of the data on both sides of an Incident if it is a bilateral incident (like a planned cash transaction/wire where the money is illegally directed to be wired to the wrong place). Lawsuits can have claims ranging from simple negligence, to breach of contract, consumer protection claims and class actions (particularly for mass theft of credit and PII from large databases).
See the Houston Harbaugh webpage on Cybersecurity and Data Breach for additional information: https://www.hh-law.com/business-litigation/cyber-breach-and-data-security/
Here are some statutes and resources which should be helpful and some of which are forming the bases of lawsuits being brought over these incidents:
Computer Fraud and Abuse Act – https://www.law.cornell.edu/uscode/text/18/1030
Stored Communications Act – https://www.law.cornell.edu/uscode/text/18/2701
Health Insurance Portability and Accountability Act – https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf
General Data Protection Regulation – https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
California Consumer Privacy Act – https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
The Payment Card Industry Data Security Standard – https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1624462929313
Children’s Online Privacy Protection Act – https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-section6501&edition=prelim