Takeaway
Before a data breach occurs, businesses should have in place:
- Operations and forensics plans
- Communications strategy; and
- A disclosure decision process: if disclosure is not mandated, think twice before going public
Data Breach Laws
With some important exceptions, there is no federal law that requires data breaches to be publicly disclosed.
Breaches involving health information are covered by a separate federal notification regime under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), whose Breach Notification Rule was added by the HITECH Act of 2009. [1] Particularly in cases involving health information, strict compliance with the law is necessary. In addition, federal securities laws require public companies to disclose “material” cyberrisks and intrusions to investors.
Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws that require private businesses, governmental and educational entities to notify individuals of security breaches involving personally identifiable information (PII). [2]
The FTC’s Guide
The Federal Trade Commission’s (FTC) recent guidance, “Data Breach Response: A Guide for Businesses” (video and blog) [3], outlines steps companies may take to safeguard their systems during a breach, including securing physical areas related to the incident, preventing additional data loss, and removing illicitly posted information from the web.
The Guide also includes a model notification letter to send when personally identifiable information (PII) is compromised, including government agencies’ and credit bureaus’ contact information.
The FTC divides response actions into three categories.
Secure Business Operations:
- Assemble forensic and legal experts response team.
- Secure physical areas related to breach; change access codes.
- Take servers, other affected equipment offline.
- Remove improperly posted information from web.
- Investigate what occurred; preserve evidence.
Fix Vulnerabilities:
- Check network segmentation; work with forensic experts.
- Establish communications plan.
Notify Appropriate Parties:
- Determine legal requirements for notification.
- Notify law enforcement.
- Notify affected businesses, individuals.
A Tech Firm Perspective
- Plan only for incidents of concern to your business. Ask, what is OUR threat landscape, why would hackers and criminals want to attack us? The possible answers may lead to the reasons for data breach attempts.
- Plan incident response, then practice it and keep it up to date.
- Strive to respond in minutes, not hours.
- Restore service first, perform root cause forensics later. Reconcile this with the FTC’s “preserve evidence” step: capture volatile evidence (memory images, disk snapshots, logs) before rebuilding, or the restore destroys the root cause trail.
- Don’t over-communicate. Statements to customers, market should be concise, factual. Don’t speculate as to cause of breach or when service will be restored, unless timeframe is known. [4]
Should All Cyberattacks Be Disclosed?
Cyberattacks harm businesses directly through theft and injury to reputation, and more broadly, erode confidence in the security of e-commerce.
Apart from mandated disclosure situations (PII, health and SEC “material” information cases) [5], should companies be required to routinely disclose cyberattacks?
Considerations favoring federally required disclosure are generally policy oriented:
- In 2015, losses or thefts of more than 500 million identities were reported.
- Underreporting cyberattacks impairs assessment of threat magnitude, increases reliance on anecdotal information to determine effective cyberthreat defenses.
- Multiple, inconsistent state data breach reporting laws inadequate to protect consumers, burdensome for companies.
- Keeping attacks secret may increase the danger for others.
- Requiring reporting of cyberattacks, and sharing details about hackers’ tactics and techniques could strengthen cyberdefenses for all. It would create greater transparency, allowing businesses, policy makers and consumers to make more informed decisions about how to manage cyberrisk. It would enable decision makers in companies and government to assess risk as well as progress.
- SEC clarified in 2011 that “material” cyberrisks and intrusions must be disclosed to investors. But SEC didn’t offer formal guidance on what is “material.” Such vagueness means most public companies file generic statements about cyberrisk and many still don’t disclose intrusions at all.
- Cybersecurity Act of 2015 created framework for voluntary sharing of cyberthreat information. But law does not compel companies to disclose incidents or technical details about breaches. There is liability protection against suits resulting from efforts by companies to monitor their own networks and share threat information. But there is no liability protection for companies sued as a result of a breach. [6]
Considerations against routine disclosure focus on individual company impact:
- Facts surrounding breach often uncertain, intrusion may be unfolding. Consequences of incomplete or erroneous disclosure may be worse than no disclosure.
- One size doesn’t fit all. The type, sensitivity of a business should be a factor in every decision to disclose.
- Disclosure increases likelihood of class action litigation against company.
- In some cases, not reporting an attack can be good strategy. Security experts may be able to better understand or disarm cyberattack by taking time to observe infiltrators’ activities. This approach cannot work if organizations are forced to pre-emptively publicize an attack, or if the policing effort that follows involves too many parties.
- Amount of work that would result from a system of routine mandatory reporting of data breaches may divert resources from security toward compliance.
- Federal government itself is often unable to properly act on cyberthreat information that is shared among its own offices. Agencies are often unwilling to share information with private entities. Some intelligence agencies also retain vulnerabilities for their own use rather than report them to the appropriate party for patching.
- Required reporting inconsistent with spirit of Cybersecurity Act. While law is intended to limit liabilities of organizations that cooperate, mandatory information sharing would force cooperation by extending liability to all.
- U.S. should promote use of strong encryption and reform counterproductive laws like the Computer Fraud and Abuse Act that chill security research. Requiring organizations to share information with hack-prone federal agencies will add to current contradictory policies. [7]
[1] “Summary of the HIPAA Privacy Rule”, last revised 05/03, U.S. Department of Health and Human Services, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/
[2] “Security Breach Notification Laws”, Jan. 4, 2016, National Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[3] “Data Breach Response: A Guide for Business”, U.S. Federal Trade Commission, Oct. 25, 2016, https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business
[4] B. Brown, “5 Best Practices in Data Breach Incident Response”, Veracode.com, Aug. 26, 2014, https://www.veracode.com/blog/2014/08/5-best-practices-in-data-breach-incident-response
[5] In addition to disclosing data breaches in cases involving PII or health information, or for public companies when the cyber risk or breach is likely to be “material” to investors under federal securities laws.
[6] “Should Companies Be Required to Share Information About Cyberattacks”, Wall Street Journal, May 22, 2016, http://www.wsj.com/articles/should-companies-be-required-to-share-information-about-cyberattacks-1463968801
[7] Id.