Every organization should proactively develop and regularly practice its procedures for reporting and responding to suspected or known security incidents, including mitigating the harmful effects of known incidents and documenting the outcomes. Unfortunately, most well-known brands, previously breached companies, and even supposed cybersecurity firms have no publicly published incident response notices.
Breach definition, remediation, and notification requirements vary between federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Individual state breach laws also vary, and breach experts and legal counsel should be consulted to determine your responsibility.
Incident Response Policy
Breach means the acquisition, access, use, or disclosure of personally identifiable information (PII) or sensitive company data such as email, employee information, confidential information, etc., which compromises the security or privacy of the PII or sensitive company data.
Unsecured PII means PII that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals using a technology or methodology such as encryption. The definition of unsecured PII varies between federal and state regulations.
- Reporting and Response: Company will ensure that all incidents, threats, or violations that affect or may affect the privacy, confidentiality, integrity, or availability of PII and sensitive company data will be reported and responded to promptly.
- Security Incident Response Team (SIRT): Company shall have a SIRT charged with the responsibility of identifying, evaluating, and responding to security incidents. The Privacy Security Officer shall oversee the activities of the SIRT.
- Employee Training: Company will record and ensure that all employees annually acknowledge company policies and receive training on data breaches, including how to identify and report security incidents.
- Breach Determination: SIRT will investigate all reported and suspected security breaches with referral to federal or state regulations to help with breach determination.
- Breach Notification: If the SIRT determines that a breach of unsecured PII has occurred, breach notification of affected individuals may be required.
- Date of Discovery: Usually a breach will be treated as discovered as of the first day the breach is known or by exercising reasonable diligence would have been known.
- Timeliness of Notification: Company will provide the required notifications without unreasonable delay after discovery of a breach.
- Content of Notification: A brief description in plain language of what happened (including date of known breach and discovery), type of unsecured PII involved, steps to protect individuals from potential harm, company investigation and mitigation, and contact procedures for individuals to ask questions.
- Written Notice: Written notification by first-class mail to the individual at the last known address of the individual, or via e-mail if the individual agrees to e-mail notice.
- Substitute Notice: A substitute notification including a contact phone number usually in the form of either a conspicuous posting on the company website home page, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.
- Media Notification: In addition to notifying individuals of a known breach, a notification to the media may be required as well.
- Federal or State Notification: Company may need to report breaches of unsecured information to federal or state regulatory agencies.
- Third Party Service Provider Notification: A third-party service provider responsible for a breach of company PII or sensitive company data should be required to notify the company within a pre-determined reasonable timeframe defined in a Service Provider Agreement.
Incident Response Plan
A security incident at Matrixforce is a violation or imminent threat of computer security policies, acceptable use policies, or standard security practices.
Reports of computer incidents should include a description of the incident or event, using the appropriate taxonomy, and as much of the following information as possible; however, reporting should not be delayed for additional information:
- Contact information for both the impacted and reporting organizations (unless submitting an anonymous report)
- Details describing any vulnerabilities involved (i.e., Common Vulnerabilities and Exposures (CVE) identifiers)
- Date/Time including time zone of occurrence, detection, and identification
- Related indicators (e.g. hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
- Threat vectors, if known (unknown, attrition, web, e-mail, removable media, spoofing, improper use, other)
- Prioritization factors (i.e. functional impact, information impact, and recoverability)
- Source and Destination Internet Protocol (IP) address, port, and protocol
- Operating System(s) affected
- Mitigating factors (e.g. full disk encryption or two-factor authentication)
- Mitigation actions taken, if applicable
- System Function(s) (e.g. web server, domain controller, or workstation)
- Physical system location(s) (e.g. Tulsa, Oklahoma City)
- Sources, methods, or tools used to identify the incident (e.g. Intrusion Detection System or audit log analysis)
Notification of a computer security incident to supervisor or Security Officer is mandatory when the confidentiality, integrity, or availability of a regulated information system has been confirmed to be compromised.
It is imperative that reporting adhere to the one-hour timeframe and provide all available information. Do not delay reporting in order to provide further details (i.e. root cause, vulnerabilities exploited, or mitigation actions taken), as this may result in high risk to the system or enterprise. If the cause of the incident is later identified, the threat vector may be updated in a follow-up report.
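As an added illustration (not part of the original policy), the following Python sketch models an initial report in the format listed above: it checks the fields that are easy to get wrong in a hurry (time zone on timestamps, threat vector drawn from the taxonomy, well-formed CVE identifiers and IP addresses), tracks the one-hour window, and amends the report in a follow-up once the cause is known. The class, field and function names, and the sample report, are constructed for this example.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import ipaddress, re

# Threat-vector taxonomy exactly as enumerated in the reporting fields above.
THREAT_VECTORS = {"unknown", "attrition", "web", "e-mail", "removable media",
                  "spoofing", "improper use", "other"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
REPORT_DEADLINE = timedelta(hours=1)   # the one-hour reporting window

@dataclass
class IncidentReport:
    description: str
    detected_at: datetime                 # must be time-zone aware
    reporter_contact: str
    threat_vector: str = "unknown"        # corrected later via follow_up()
    cves: List[str] = field(default_factory=list)
    source_ip: Optional[str] = None

    def validate(self) -> List[str]:
        """Return the problems found; an empty list means the report can be sent now."""
        problems = []
        if self.detected_at.tzinfo is None:
            problems.append("detected_at has no time zone")
        if self.threat_vector not in THREAT_VECTORS:
            problems.append(f"threat vector {self.threat_vector!r} not in taxonomy")
        problems += [f"malformed CVE id {c!r}" for c in self.cves if not CVE_RE.match(c)]
        if self.source_ip is not None:
            try:
                ipaddress.ip_address(self.source_ip)
            except ValueError:
                problems.append(f"source_ip {self.source_ip!r} is not an IP address")
        return problems

    def overdue(self, now: datetime) -> bool:
        """True once more than one hour has passed since detection without a report."""
        return now - self.detected_at > REPORT_DEADLINE

    def follow_up(self, **updates) -> "IncidentReport":
        """Amended copy of the initial report, e.g. once the threat vector is known."""
        data = asdict(self)
        data.update(updates)
        return IncidentReport(**data)

def sample_report() -> IncidentReport:
    """Constructed sample: a minimal first report filed before root cause is known."""
    return IncidentReport(description="Repeated failed logons then success from a new IP",
                          detected_at=datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc),
                          reporter_contact="soc@example.com", source_ip="203.0.113.7")
```

The initial report validates with the threat vector left as "unknown"; the follow-up carries the corrected vector while the original record is preserved.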
Bonus Tip: Media notices about cybersecurity incidents in your industry are regular opportunities for management to invoke an incident response drill where:
- Marketing specialists publish a notice showing your organization as a thought leader.
- Sales representatives call customers about the company article.
- Information technology personnel test mitigation.
- Remaining staff answer training questions about the topic.
Top 10 Data Breach Questions
Today, savvy business leaders understand that cybersecurity can be used for competitive advantage and for avoiding willful neglect:
- Who is responsible for a data breach? While cybercriminals are the cause, every individual is responsible for protecting data and securely performing their job duties. Your banker, accountant, insurance agent, lawyer, and IT consultant are not responsible for replying to your e-mail or performing your online and financial transactions.
- What government protections are available for data breach? Most cybercrime originates outside the country, often from foreign governments, and is beyond the jurisdiction and protection of local law enforcement and the FBI. There is no Geneva Convention for cyberattacks, and the only regulations enacted to date are punitive damages for victims of data breach.
- How have you determined your legal obligation for data breach notification? Legal counsel with privacy law expertise affords the latest guidance in this ever-changing regulation landscape that impacts all organizations regardless of geography, size, or industry.
- What is your incident response communications plan? Rumors, confusion, and inaccurate information can damage reputation and brand. Once the incident is known, a communications team should have established procedures for delivering accurate and timely information in a clear, concise, and consistent manner.
- How will you know about a data breach? Without data, e-mail, or other application auditing built in with services like Office 365, most customers are unaware of data loss, risky behavior, or repeated failed logons.
- How are cybersecurity insurance claims determined? Coverage amounts are limited, do nothing for reputation damage, and breach notification is still required. Most business owners are shocked that a lack of basic security practices is often a justified reason for denial of cybersecurity claims.
- Why is having vetted IT support important? While unqualified alternatives may be cheap, such willful neglect often voids cybersecurity insurance and provides no defense against government fines and criminal charges or civil lawsuits from your employees, vendors, and customers.
- What is your encryption strategy? Encryption is the only safe harbor for a data breach, meaning that when devices and data are encrypted during transmission and at rest, theft or loss of that data in a cybersecurity incident does not require breach notification.
- When are you performing staff data breach training and a risk/vulnerability exam? Typical timeframes are annually in July or October, when management signs a compliance form certifying that employees have acknowledged policies and passed data breach training, and that a risk and vulnerability exam has been performed with an executive summary posted publicly.
- How are you demonstrating your privacy commitment to customers? Make your competition react to your leadership and give customers peace of mind by displaying proof of privacy responsibility by publishing Microsoft Secure Score, regulation executive summaries, and adopted best practices like incident response.