We invited Michael Titens, of Thompson & Knight LLP, to submit the following article. Michael addressed our group at our 24th mid-year meeting in Dallas, Texas. If you have any questions regarding this article or would like to speak with Michael, please let us introduce you to him.
“If only someone had told me that this could happen to me!”
That is the sentiment we hear in our clients’ voices when they call to ask for help responding to a data breach, ransomware attack, or other cyber incident. Our client might not yet know the extent of the damage, what will be required to fix it, or the impact on their relationships with customers, employees and business partners. They just know they need help.
In our cyber security practice, we receive many of these calls. Each call is different, but common elements emerge. Below are 6 lessons we have learned and some advice people wish they had heard sooner.
- Data Inventory (do you know what you have?) and & Data Hygiene (do you need it?)
After a cyber incident, one of the first questions we ask is “What data did you have?” The type and scope of affected data will drive decisions about remediation, customer notification, contractual obligations, and other matters.
However, the only clients who can efficiently answer this question after an attack are the clients who understood their data before the attack. We often talk to clients who are relatively unconcerned about a potential hack because they don’t believe they have the two categories of data that trigger most legal requirements – personally identifiable information (PII) and health information. But they have more sensitive data than they thought. PII (including social security numbers, drivers license information, bank account information, and even medical information, among other things) are in employee files, credit applications, and in documents received from third parties.
- Data Inventory. Breach preparation begins with a data inventory and mapping to better understand the data you have and where you keep it – Is it in a central server or is it segregated from other servers (or better yet, kept off-line)? Who has access to which data, and can they access the data remotely? What about other proprietary data, trade secrets, and e-mail communications?
- Data Hygiene and Evaluation. The next step is data hygiene and evaluating whether you need all of the data you have. In one recent attack, a company faced notification obligations to thousands of people it had not done business with in years. Nevertheless, historical account information was still stored on servers connected to the Internet, and so within reach of the hackers. Had that historic information been stored offline, or even deleted, the burden and expense could have been greatly reduced.
- Consider Encryption. Also, you should consider encrypting both data stored on your system and data sent from your system. End-to-end encryption serves multiple purposes. It protects the privacy of the data itself; it can create an exception to notification obligations that would otherwise apply following a breach; and it also may be a requirement of data security obligations you have undertaken in a contract or an insurance policy. In some cases, end-to-end data encryption may be statutorily required.
- Practical Protection against Ransomware – Resilient backups
Businesses, health care providers, and government agencies face ransomware attacks on an ever-increasing basis. In a typical ransomware attack, the attackers encrypt your data and offer to provide the decryption key in exchange for a ransom payment. Many businesses can’t operate without that data and have no choice but to pay the ransom and hope that the decryption key works.
On the other hand, businesses who have recent backups of their data may not need to pay the ransom at all. They can restore the backed-up data (often on a new computer system) and carry on business with minimal interruption.
- Not all backups are equally resilient. One client found to its dismay that all file modifications were automatically backed up to their archive, which meant that when their main system’s files were infected, the infected files were then synced to the back-up system as well, overwriting their archived files.
- Maintaining an offline backup, or a backup that provides the ability to restore earlier versions, can be vital to recovering from a ransomware attack.
- Law Enforcement – They may be your friend, but don’t expect the authorities to solve your problem
Both the FBI and the Secret Service have extensive resources to investigate cyber incidents and track down the culprits. Reporting an incident to law enforcement is often one of the first steps taken by a cyber-attack victim. Reporting incidents can assist law enforcement to identify patterns and warn other potential victims.
However, law enforcement’s primary goal – to find and prosecute the hackers – is not necessarily the same as your goals of finding out what happened, how it happened, and how to restore your systems. There are many instances when notifying law enforcement will not be as high a priority as conducting your own forensic assessment, managing internal and external communications, and assessing your own legal obligations.
- Cyber Insurance – Seems expensive until you need it
A couple of years ago, a retailer called and told me about their breach. Point of sale devices had been compromised and credit card data stolen. This retailer would be launching a computer forensics investigation and then facing legal compliance and customer notifications costs, all running into the hundreds of thousands of dollars. When I asked about cyber insurance, the retailer explained that while they had considered purchasing a cyber policy, it seemed too expensive at the time. In their case, nearly all of the remediation expenses were precisely the types of expenses that a cyber policy would have covered, all for a premium far less than their out-of-pocket losses.
This retailer’s experience and others like it have led me to conclude that nearly every business should have cyber insurance coverage.
Policies differ in various respects (including the sub-limits that might apply to certain types of losses), but cyber underwriting has improved and policies are becoming more competitive. Perhaps you will never need the coverage, but more and more businesses are finding themselves on the wrong end of cyber incidents and paying a high price to deal with the fallout.
- Legal Compliance – Notification laws that apply to you may not have been written for you
Nearly every state has a breach notification law and each state’s law is different. These laws can require a breached business to provide notice to affected individuals, state attorneys general, and credit reporting agencies – sometimes in as little as 15 days.
Many federal regulatory agencies also have notice requirements applicable to certain industries, including banking and communications. In addition, under HIPAA and corresponding state laws, health care providers and their business associates face strict regulation which is aggressively enforced. Multi-million-dollar fines have been levied for loss of covered data or loss of devices (such as a laptop) that contain covered data.
Unfortunately, determining which of these laws and regulations apply to you and what these laws require following a breach is not straightforward.
For example, to determine whether a state law requires notice to an affected individual, you may need to determine:
- where that individual’s state of residence, whether you “do business” in that state,
- whether the hackers acquired the data or merely had access to it,
- whether the affected data was owned by you or was being held by you on behalf of another party (and if so, who),
- whether the data was encrypted, and
- whether disclosure of the data would be likely to result in harm to the affected individuals, among other things.
Each of these questions can be difficult to answer when only limited information is known about the incident, and it can take weeks for a forensics team to be able to provide the information you need. Plan on operating under uncertainty.
- Plan ahead – Who ya gonna call?
What can you do now, before an incident occurs? In addition to the suggestions mentioned above, some basic preventive measures include:
- keeping your operating system, software, and antivirus programs updated and patched,
- using strong passwords and dual authentication (including on mobile devices), and
- training employees to recognize and report security threats.
Sometimes, though, even the best policies and procedures will not prevent a breach. An effective response depends on having an up-to-date incident response plan. When the breach occurs, you will need to gather the team quickly, and the plan should contain phone numbers for key internal and external resources, including your outside forensics, legal, public relations and insurance contacts. With proper planning and the right team, you will be in the best position to manage whatever event may occur.