Cyber Incident Response When You Didn't Have a Plan
April F. Doss, Saul Ewing LLP
How serious is the cybersecurity threat?
Some sobering numbers from 2015:
- Over half a billion personal records were stolen or lost
- Spear-phishing attacks targeting employees increased 55%
- Ransomware increased 35%
- 1 in 220 emails contained malware
- 431 million new varieties of malware were launched
- 78% of websites were vulnerable to cyber attack
Some challenging trends:
- Mobile devices and bring your own device are greatly increasing cybersecurity risk
- Regulators and enforcement agencies are taking note: DHS OCR; FTC; FCC; SEC
What is the best response?
One that's based on a plan, where the plan is:
- Tailored to your organization
- Tested through tabletop exercises and scenarios
- Trained for executives and line personnel
- Updated regularly
And puts relationships in place where needed:
- With outside counsel
- With forensics experts
- With crisis communications firms
But it doesn't always work that way.
It's surprisingly easy
Really? How can anyone not have a plan?
- Plans linger on a to-do list for too long
- The existing plan gets out of date
- People have turned over and no one remembers how to actually execute the actions in the plan
- Urgent trumps important in planning
- Resources (personnel time, funding) aren't available
How much does a cybersecurity incident cost?
Two answers:
- It depends
- A lot
Some data, the average cost in 2015:
- $7 million per breach
- $221 per stolen record
- Biggest costs are often lost business
- Indirect costs outweigh direct costs
- Regulated industries have the greatest costs, but anyone with data on computers is at risk
Some practical examples:
- FTC decision, In re LabMD, Aug. 10, 2016
Some quick wins to save money and reduce risk
Know your IT
- Astonishing how many organizations don't have anyone who really knows their IT
- Where does different information map to?
- What internal access controls exist?
Resist the temptation to DIY it
- Know the limits of what you know
- If you get contract help, read the contract carefully: review indemnity clauses and manage vendor risk
- If you switch IT providers, get detailed documentation
- A forensic image might not be a bad idea
Don't Panic
A cybersecurity incident creates a lot of chaos, but it can be managed if you:
- Think fast
- Act deliberately
- Keep first things first
- And resist the temptation to DIY it
Don't let the first incident you handle be your own. Plenty of other people specialize in this: legal, forensics, crisis communications.
So, you've had an incident. What's first?
Practical steps
First: Do No Harm
Act quickly towards three goals:
- Prevent the spread of damage (ransomware, unauthorized access, etc.)
- Assess what's at risk
- Understand your legal liability
Some starting questions:
- What kind of incident is it?
- What kind of system has been compromised?
- How can you isolate that system and preserve information?
- What kind of data is at risk?
- What legal obligations are associated with that data?
What next? More practical steps
Figure out who you need to call
- C-Suite? Board? Other leadership?
Figure out how you're going to reach them
- Have work email accounts been compromised?
Figure out what outside help you need
- Outside counsel? Forensics experts? Crisis communications/public relations?
Think about attorney-client privilege early and often
- Advantages to having counsel run the investigation and engage outside consultants
What's next? Questions to ask
What precipitated the event?
- External hacker? Carelessness? Disgruntled employee?
Has any kind of information been compromised?
- Personally identifiable information?
- Financial account or payment card information?
- Protected health information?
- Protected student information?
- Intellectual property?
From what kinds of entities?
- Customers
- Employees
- Others
What's next? More questions to ask
What laws are you subject to?
- Sectoral laws? HIPAA; Gramm-Leach-Bliley
- State breach laws? Often tied to residence of the subject of the PII; for some states, location of business
- International laws? E.g., European customers or business components
Deadlines?
- Some states have open-ended deadlines
- Others have very strict, rigid deadlines
- Some sectoral laws have strict deadlines
Burden of proof?
What to expect when you're handling a breach
Expect to be on the phone every day
- The facts can and should unfold quickly
- Counsel should be on all calls and emails
- Counsel should be directing the investigation
Expect to think about privilege a lot
- Not everything done at counsel's direction will be privileged, but you risk waiving any claim of privilege if you don't preserve it at the outset
Expect to ask lots of questions
- Especially about data inventory, file directories, network connections, backups of data, and burdens of proof
- If you're not comfortable knowing what IT-related questions to ask, bring in someone who is
What if you need to make notifications?
Consider optional, as well as mandatory, notification
- Should you reach out to law enforcement? FBI, Secret Service, local and state police
What's involved in your notifications?
- Notice to enforcement agencies & regulators?
- Notice to individual victims? Call centers? Credit monitoring?
Can you handle the logistical burden?
- Outside consultants can provide support services
What should be your internal after-actions?
Like everything else, it depends. But here are some general considerations in using this incident to be better prepared next time.
Internal issues:
- How complete was your data inventory?
- Can you now create or update a plan?
- Does leadership understand the importance of planning?
- Is the business identifying resources (personnel and funding) to put towards preparedness?
What should be your external after-actions?
- Respond to all regulatory and enforcement requirements
- Prepare for the possibility of litigation
- Assess whether indemnification may be available
  - From your IT or other vendor for lax cybersecurity?
  - From your provider of employee background checks for not catching concerns about insider threat?
- Review all your third-party vendor contracts for any potential issues going forward
  - Consider requiring vendor IT security questionnaires
  - Consider incorporating security requirements
  - Check indemnification provisions
- Update employee policies and training
  - Good IT can't fix the problems created by bad habits
Where does that leave you?
- Do you now have a data inventory?
- Have you assessed your IT preparedness against future threats?
- Have you updated personnel and IT policies and training?
- Is training on those policies now required, regular, and effective?
- Have you created an incident response plan?
- Have you identified members of the incident response team?
- Have you set a schedule for reviewing, training, and exercising that plan?
Better prepared for the future
You can't drive cybersecurity risk to zero. But, with preparation, you can:
- Reduce the risks of:
  - Incident
  - Financial impact
  - Reputational damage
  - Interruption to business operations
- Respond more quickly
- Recover more effectively
- At lower cost
Remember: An ounce of prevention is worth a pound of response. But if you find yourself underprepared and having to react, these tips may prove helpful.