Question

MGMT SS STATS, an umbrella body that facilitates and serves various Social Security Organizations/Departments within the Caribbean territories, stood poised to meet the needs of its stakeholders by launching an online database, located at www.SSDCI.gov. The database will provide members and the public with access to the full set of services that can (also) be initiated face to face; and it will provide managed, private, secure access to a repository of public and/or personal information.

For example, insured persons accumulate contributions. Records for these persons will include information on the insured person's ability to acquire various benefits once work is interrupted due to sickness, death, retirement, maternity or employment injury, or information on pensions, such as invalidity, disability and survivors' pensions, that stem from one of the above.

Members of the umbrella body, who are required to sign in, can submit requests for services, review active requests, or post comments/complaints on past or current requests online directly into the database. Visitors to the database will be able to search for products and services, read other comments or complaints, and view advice provided by MGMT SS STATS.

As a new employee of MGMT SS STATS, your manager wants you to produce some reports, related to pension plans, in preparation for the public launch of the website.

Just days before the database was launched, an unprecedented event occurred.

Data representing the records of 150,000 contributors, from the various societies and departments that subscribe to MGMT SS STATS, have been stolen by persons (internal or external) unknown. Over 7 gigabytes of data were stolen. The department keeps details of its internet security practices and policies in a shared area on its AS400 server. It is believed that the data included IT related documentation with passwords saved in plain text.

Leading up to the data breach, a number of warning signs were ignored or not correctly handled.

Two months prior to the breach, a craftily worded email, which also contained malware related to Citadel – a password-stealing bot – was sent to a Senior Benefits Processing Officer. On the surface, everything seemed to be in order – all the right names, words, protocols and return addresses etc. The officer read the mail and followed the link. Later that day, when others informed her that they had also received the same email, she informed the IT department of a possible issue. The IT department did run a virus scan, but the antivirus software had not been updated since it was installed on the computer, and no problems were detected. Someone did point out that there was a small spelling error in the return email address, but no follow-up was done.

One month prior to the breach, MGMT SS STATS was confronted with a telephone bill from FLOW for over $160,000. An investigation showed that the PBX, which was managed in-house, had been breached and parties unknown had used it as a “telephone exchange” to make long distance calls. At the time there was no firewall for the PBX. A recommendation to purchase and install a new Cisco firewall was made and was slowly making its way through the approval process.

Two weeks prior to the breach, the Senior Benefits Processing Officer got an email notification that her account had been used on a new device – the Unix server hosting the PBX. The IT department was informed but could find no evidence of email activity on the PBX. There was a log entry that the user had signed into the PBX, but this (log) may not have been out of place since the PBX was known to keep copious logs on many activities and IT did not have a way to know if this was a real problem. No further follow-up was done.

The most recent breach, the exposure of over 150K records, was uncovered by an investigation because, ironically, a board member received a phishing attack with information that could only have come from his MGMT SS STATS data. In view of the new breach, MGMT SS STATS realized that a comprehensive review of its security policies is needed.

Requirements:

Forum 1: Introduce yourself, identifying your Management Level and your Functional Area

For your FIRST discussion post state your management level and department you will represent.

For example: CIO (strategic) of the IT department (functional area).

IN THIS CASE, I CHOSE I.T MANAGER OF THE I.T DEPARTMENT

Forum 2: Discuss how social engineering can contribute to the security breaches.

From the I.T Department:

  1. Suggest TWO ways that social engineering could have been used to breach the security of MGMT SS STATS.
  2. Request information from TWO other departments (accounts department and operations department) that could assist in your investigation. Please specify both the TYPE, and specific CONTENTS of the report you are requesting (Unit 3 types of output)

Forum 3: Discuss how the management practices of internal departments of MGMT SS STATS contributed to the security breach

  1. From the perspective of your department and management level, discuss the implications of management - policies, training, procedures, and culture etc. – that may or may not have contributed to the breach.
    1. Suggest ONE supporting and ONE detracting feature that could have improved or worsened the situation.
    2. Discuss ONE security consequence that could arise from VPN access to the company’s IT infrastructure.
    3. Critique TWO posts made by group mates from other departments.

Forum 4: Summarise and make Recommendations

  1. Summarise the information shared thus far, and discuss TWO findings about your analysis from your management level that can affect the situation. Make TWO recommendations to prevent security breaches.
Answer #1

Forum 1: IT Manager of the IT department

Forum 2:

SOCIAL ENGINEERING

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

SOCIAL ENGINEERING ATTACK TECHNIQUES

Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are the five most common forms of digital social engineering assaults.

Baiting

As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or inflicts their systems with malware.

The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait—typically malware-infected flash drives—in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.

Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.

Scareware

Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.

A common scareware example is the legitimate-looking popup banners appearing in your browser while surfing the web, displaying text such as, “Your computer may be infected with harmful spyware programs.” It either offers to install the tool (often malware-infected) for you, or will direct you to a malicious site where your computer becomes infected.

Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless/harmful services.

Pretexting

Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.

The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.

All sorts of pertinent information and records are gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical plant.

Phishing

As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter their current credentials and new password. Upon form submittal the information is sent to the attacker.

Given that identical, or near-identical, messages are sent to all users in phishing campaigns, detecting and blocking them are much easier for mail servers having access to threat sharing platforms.

Spear phishing

This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks and months to pull off. They’re much harder to detect and have better success rates if done skillfully.

A spear phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant, sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.

SOCIAL ENGINEERING PREVENTION

Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about. Being alert can help you protect yourself against most social engineering attacks taking place in the digital realm.

Moreover, the following tips can help improve your vigilance in relation to social engineering hacks.

  • Don’t open emails and attachments from suspicious sources – If you don’t know the sender in question, you don’t need to answer an email. Even if you do know them and are suspicious about their message, cross-check and confirm the news from other sources, such as via telephone or directly from a service provider’s site. Remember that email addresses are spoofed all of the time; even an email purportedly coming from a trusted source may have actually been initiated by an attacker.
  • Use multifactor authentication – One of the most valuable pieces of information attackers seek are user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise. Imperva Login Protect is an easy-to-deploy 2FA solution that can increase account security for your applications.
  • Be wary of tempting offers – If an offer sounds too enticing, think twice before accepting it as fact. Googling the topic can help you quickly determine whether you’re dealing with a legitimate offer or a trap.
  • Keep your antivirus/antimalware software updated – Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.

Forum 3:

When a data breach occurs, whether by negligent or malicious acts of employees or third parties, the response must be comprehensive and prompt. The development of a data breach avoidance plan is recommended in order to minimize risk. Such a plan will identify data content and implement management policies and employee training programs, as well as create an incident response team and a 48-hour action plan. A data breach response plan more specifically addresses measures to take in the event of a breach, including the responsibilities of a data breach response team and all obligations that might arise as required by federal or state law, or otherwise. The costs to businesses that suffer a data breach are substantial and include expenses incurred for detection and notification, economic losses due to loss of customer trust, class action lawsuits, and penalties imposed by regulators. Notification to affected customers must comply with the rules of the states where they live and/or operate.

A data breach may arise under a variety of circumstances, such as:

  • Employee or contractor negligence (e.g., lost laptops with unsecured sensitive data)
  • Malicious insider behavior (e.g., disgruntled or dishonest employees who wrongfully take sensitive or confidential data for unauthorized purposes, or post such sensitive or confidential information to the Internet)
  • External cybercriminal behavior, including organized crime rings seeking to profit from exploiting the breached data, or so-called hacktivists, who act for political reasons

Regardless of the cause of a data breach, the response must be prompt and effective.

This article discusses how organizations should both plan for and manage a data breach, including best practices for creating data breach avoidance and response plans, the benefits of such plans, and the importance of promptly notifying individuals affected by a data breach.

Benefits of Data Breach Avoidance and Response Plans

It is crucial to have data breach avoidance and response plans in place long before a breach actually occurs. Such plans may help a business minimize security vulnerabilities, thus making a breach less likely, and may also:

  • Lower the cost of a data breach
  • Reduce the risk of litigation
  • Minimize regulatory scrutiny

Lowers the Cost of a Data Breach

The costs of a data breach are not trivial. In its 10th annual benchmark study, the 2015 Cost of Data Breach Study: United States, Ponemon Institute examined the impact of data breaches incurred by 62 U.S. companies in 16 industry sectors. According to the study, malicious or criminal attacks (rather than negligence or system glitches) continue to be the main cause of data breaches, with the average total cost of a breach increasing 11%, from $5.9 million in 2014 to $6.5 million in 2015. Lost business costs have also increased, from $3.32 million in 2014 to $3.72 million in 2015. Creating data breach avoidance and response plans, and updating or adjusting such plans when necessary, may help businesses to mitigate these costs or to avoid them altogether.

Reduces the Risk of Litigation

A number of state data breach statutes either explicitly allow for a private right of action or have been interpreted as such by the courts. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014). This creates the opportunity for class action lawsuits, which typically allege that a business failed to provide timely notice of a breach, as required by the relevant state laws. Such lawsuits may also allege a number of other claims, such as breach of fiduciary duty, negligence, breach of an express or implied contract, unjust enrichment, invasion of privacy, and unfair and deceptive business practices. For a more detailed discussion on state data breach statutes, see State Statutory Laws Regarding Data Breaches. Having a robust data breach avoidance and response policy—including developing and maintaining adequate policies and procedures for safeguarding personal information, staying abreast of the current legal landscape, revising or updating data security policies and procedures as necessary, and promptly notifying individuals affected by a breach—can help minimize the occurrence and negative consequences of data breaches and thus the risk of litigation.

Minimizes Regulatory Scrutiny

The Federal Trade Commission (FTC) has brought a number of enforcement actions against companies in connection with data breaches—not only for failing to stop a breach, but for failing to put in place adequate measures to avoid breaches (even if no actual breach occurred). In 2014 alone, the FTC brought cases against Snapchat, Inc.; Fandango, LLC; and Credit Karma, Inc. (in connection with their mobile apps); GMR Transcription Services; GeneLink, Inc. and foru International Corp.; Wyndham Worldwide Corp. and three of its subsidiaries; and Verizon. The Third Circuit has upheld the FTC’s authority to regulate cybersecurity under the “unfairness” prong of Section 5 of the FTC Act, 15 U.S.C. § 45(a). See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).

Various other federal regulators have been active in the cybersecurity space as well, such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the Food and Drug Administration (FDA), and the Federal Communications Commission (FCC). In addition, state attorneys general have the authority to enforce state statutes, and recently they have focused their attention on doing so. For example, state attorneys general have been active in breaches involving Target Corp.; Neiman Marcus Group LTD; Michaels Stores, Inc.; Home Depot, Inc.; JPMorgan Chase & Co.; TD Bank; and Zappos.com.

Given regulators’ increased focus on the cybersecurity practices of companies within their jurisdiction and the heightened risk of cyberattacks, it is crucial to have effective data breach avoidance and response plans that are regularly tested and updated to account for changes in the cybersecurity landscape. Such proactive measures may reflect favorably on businesses in the event of regulatory scrutiny, giving them valuable negotiating leverage with both state and federal regulators.

Creating a Data Breach Avoidance Plan

The chances are increasingly high that at least one data security incident will affect every organization at some point in time. In order to be prepared for the inevitable, a business should proactively develop both:

  • A data breach avoidance plan
  • A data breach response plan

A data breach avoidance plan can help a business minimize vulnerabilities and prevent circumstances that lead to data loss, significant regulatory fines, litigation expenses, and brand damage. As part of a comprehensive data breach avoidance plan, a business should:

  • Create a data map
  • Assess and document the laws, regulations, and industry standards that apply to each piece of data
  • Categorize the data based on its sensitivity and the impact to the business in the event of a breach
  • Implement appropriate data security safeguards
  • Adhere to any data security representations in privacy policies or other consumer-facing statements
  • Assess relationships with third-party vendors
  • Consider purchasing cyber insurance

Each of these issues is discussed in further detail below.

Create a Data Map

The first step in creating an effective data breach avoidance plan is to create a data map of all the data collected by an organization. The data map should contain detailed information about each piece of data, including:

  • The type of data
  • From whom the data is collected (and why)
  • How the data is collected and inputted
  • How and where the data is stored
  • Who can access the data, and how (and where those persons are located)
  • The purposes for which the data is used
  • Whether and how the data may be altered or manipulated, by whom, and for what purpose
  • Whether and how the data may be transmitted
  • How the data is secured
  • How long the data is retained
  • How the data is disposed of or destroyed
  • Any backups to the data
  • Logs or documentation pertaining to the data

Data maps are typically created by privacy or compliance professionals who are proficient with the use of Visio (or similar diagramming software), with input from lead stakeholders in an organization. They illustrate how information flows through the organization and are a critical starting point for ensuring compliance with applicable privacy laws and regulations.

Assess and Document Relevant Laws, Regulations, and Industry Standards

Once an organization has created a data map, it should next assess and document which laws, regulations, and industry standards apply to each piece of data. The organization should then put policies and procedures in place to ensure compliance with such laws, regulations, and standards.

Categorize the Data

After creating a data map, an organization should next create a Data Classification System that categorizes the data based on its sensitivity and the legal impact to the organization in the event of a breach. Examples of data classification include:

  • Confidential or sensitive data (also referred to as restricted or regulatory data). High risk data that is protected by federal or state privacy laws or regulations or confidentiality agreements (e.g., PII, PHI, payment card information) generally receives the highest level of security controls.
  • Internal or private data (e.g., contracts, proprietary information). Lower risk data that is not required to be protected by any laws, regulations, or binding agreements, but that an organization nonetheless wishes to protect, generally receives a reasonable level of security controls.
  • Public data (e.g., press releases, marketing materials, job descriptions). Low risk data that is publicly available generally receives the lowest level of security controls.

Data classification will aid an organization in assigning the proper security controls to each category of data and will provide the skeletal framework, so to speak, for the rest of an effective data breach avoidance plan.

Implement Data Security Safeguards

Many organizations only focus on servers and databases when it comes to data security safeguards. However, much of the confidential and sensitive data that an organization maintains is in the form of paper and/or is stored in open areas that are densely populated with all levels of employees. It is therefore critical that a company establish an information security and privacy framework that involves the same degree of protection for both physical and electronic data.

This framework should be set forth in written policies and procedures. The organization should internally review and update such policies and procedures as necessary and retain a third-party consultant for periodic assessments. All changes should be thoroughly documented.

Data protection and management measures may include:

  • Encryption of sensitive data and other security measures such as firewalls, network segmentation, and strict password requirements
  • Monitoring systems (e.g., telephone and e-mail/Internet use monitoring, video surveillance systems)
  • A Bring Your Own Device (BYOD) policy that addresses whether, and under what circumstances, employees may use their own devices (such as laptops, iPads, smartphones, or other mobile devices) for work purposes
  • A records retention/destruction policy
  • Employee training manuals and programs that specifically address data protection measures and identifying and reporting breaches, pursuant to the organization’s internal policies and procedures

Note that many state data breach notification laws contain exemptions for encryption, while others affirmatively require encryption in defined circumstances.

Adhere to Any Data Security Representations

Companies often make representations pertaining to data security in written privacy policies, terms of service, and other consumer-facing and/or end-user-oriented statements. If your client has made such a representation, it must ensure that all data is protected and handled in accordance with that representation. Failure to do so may lead to an enforcement action by the Federal Trade Commission (FTC) and/or regulatory scrutiny.

To ensure compliance, the client’s information security professionals should work closely with its privacy or compliance officers to regularly audit security-related representations (e.g., twice a year, or more frequently if new products or services are introduced). Your client should also take care to avoid using vague language and overstating the actual level of data security in its privacy policy or other consumer-facing statements.

Assess Relationships with Third-Party Vendors

An organization may be vicariously liable for data breaches affecting third-party vendors, contractors, and consultants who collect, store, use, or access the business’s data. It is therefore critical to assess your client’s existing relationships with third-party vendors, to conduct due diligence of potential vendors’ data security and privacy practices, and to include appropriate protections in any contractual agreement.

For existing third-party vendors, determine whether the relevant contracts address:

  • Data protection requirements
  • Notification requirements in the event of an actual or suspected breach
  • Indemnity provisions or other exclusions or limitations of liability
  • The right to access or audit the third party’s security measures onsite (or, alternatively, whether the third party is required to conduct and submit an annual security assessment)

For future dealings with third-party vendors, your client should consider a rigorous due diligence program that includes a thorough review of the third party’s information security and privacy policies, practices, and procedures. Lax security and privacy practices may raise a red flag and persuade the client to choose a different vendor.

If your client decides to proceed with a particular vendor, you should ensure that essential and appropriate contractual terms (such as those listed above) are included in the agreement. The client may also wish to require the third party’s participation in an annual security awareness training program that it conducts (or one that is equivalent).

Consider Purchasing Cyber Insurance

A final important element of a data breach avoidance plan is the consideration of insurance. Your client should determine whether and to what extent its existing insurance policies cover data breaches or other cybersecurity incidents and consider purchasing cyber insurance (if not already owned). Note that cyber policies and premiums vary widely among insurers. If your client decides to purchase cyber insurance, it should be prepared to negotiate for coverage that adequately accounts for the cyber risks faced by the organization.

Creating a Data Breach Response Plan

In addition to a data breach avoidance plan, an organization should also create a data breach response plan that thoroughly details how the organization will respond to a data breach and the requisite timelines. For many businesses, having a data breach response plan is part of business continuity planning, disaster recovery planning, and/or risk management.

The response plan should be prepared by the internal and external stakeholders who will be involved in the ultimate response efforts according to the organization’s RACI chart (i.e., who is Responsible, Accountable, Consulting, or Informed), including executives and managers of departments that will play a key role in response efforts. The response plan should also be reviewed by one or more members of the board of directors.

Broadly speaking, the data breach response plan should include the categories of data that the business has a duty to protect, the roles and responsibilities of the data breach response team, an internal and external communication plan, the detailed steps required by applicable state and federal laws that require notification, and other obligations that would apply in the case of a breach.

To create a comprehensive data breach response plan, a business should:

  • Assemble a data breach response team
  • Outline the steps that each team member should take in the event of a breach
  • Consider which roles might be considered key witnesses in any litigation or regulatory proceeding
  • Compile a list of outside vendors that may need to be consulted in the event of a breach
  • Test the response plan on a regular basis and make adjustments as necessary
  • Assess and document, post-breach, the effectiveness of the response plan and any mitigation efforts

Each of these issues is discussed in further detail below.

Assemble a Response Team

The business should assemble a data breach response team tasked with ensuring an efficient and effective response in accordance with the plan. The data breach response plan should clearly define the roles and responsibilities of each team member. The data breach response team should include the following individuals:

  • An incident lead
  • IT representatives
  • Legal and privacy representatives
  • Public relations representatives
  • HR representatives
  • Customer service representatives

Incident lead. The incident lead should have extensive familiarity with the organization’s network and system security, such as the chief information security officer, and should be tasked with the following responsibilities:

  • Managing and coordinating the overall response/mitigation efforts
  • Acting as an intermediary between business executives and other team members, keeping all parties apprised of the progress of incident-declaration and mitigation efforts and any important issues or setbacks
  • Identifying key tasks and managing timelines and documentation of all response/mitigation efforts
  • Outlining the budget and the resources required to respond to a given data breach
  • Conducting a post-breach review of response/mitigation efforts to determine whether the response was effective and efficient and to determine what, if any, adjustments should be made to the organization’s data security policies and procedures

IT representatives. The IT representatives should identify the root causes of the breach and secure the system, including securing machines, taking infected machines offline, and preserving evidence. These individuals may also work with a forensics firm to identify the compromised data and delete any data-compromising tools.

Legal and privacy representatives. The legal and privacy representatives should assist in directing the data breach response and notification efforts and help minimize the risk of litigation and penalties. These individuals should be tasked with the following responsibilities:

  • Determining how and when to notify the affected individuals, the media, law enforcement and government agencies, and other necessary parties
  • Coordinating with outside counsel
  • Serving as a resource for data breach notification requirements and other legal obligations under applicable federal and state laws
  • Identifying what aspects of the response/mitigation efforts should be protected by the attorney-client privilege (e.g., documents and telephone conferences)

Public relations representatives. The public relations representatives should be tasked with the following responsibilities:

  • Identifying the sequence of steps for communicating news of the data breach (and being prepared to triage any premature information leaks regarding the breach)
  • Serving as the central coordinator for all communication efforts to ensure accuracy and consistency (e.g., by establishing and/or overseeing a website or consumer hotline)
  • Tracking media coverage and devising a strategy to respond to any negative press

HR representatives. The HR representatives should direct employees to forward questions received from the public regarding the data breach to the company’s public relations or communications department.

Customer service representatives. The customer service representatives should staff a data breach hotline or respond to website inquiries from customers and/or employees.

Outline Steps That Each Team Member Should Take Following a Breach

The business should outline steps for the relevant team members to take following the report of a suspected data breach, including the following critical actions:

  • Taking all necessary steps to immediately secure the data and contain damages
  • Identifying the scope and extent of the breach
  • Executing a security incident declaration
  • Determining what laws or regulations are applicable
  • Notifying all necessary internal and external parties within the time periods prescribed by the relevant state data breach notification laws

Determine Which Roles Might Be Considered Key Witnesses

The business should determine which roles would likely be considered key witnesses in any state or federal regulatory proceedings or litigation. The individuals who occupy these roles will need to be appropriately prepared to speak on the company’s behalf and know the protocol for responding to questions.

Compile a List of Outside Vendors

The business should compile a list of outside vendors or entities that the organization may need to immediately engage in the event of a breach. Such vendors or entities may include:

  • Computer forensics experts
  • Outside counsel
  • Call center services
  • Fraud or credit monitoring services
  • Credit restoration services
  • Law enforcement and government agencies

Your client should carefully consider whether to provide fraud or credit monitoring services to victims of a data breach. However, such actions may potentially weigh in favor of standing in a class action lawsuit. See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). Note also that some states (e.g., Connecticut and California) require companies to provide free credit monitoring services to data breach victims in specific circumstances.

Test the Response Plan Regularly

The business should test the response plan on a regular and frequent basis (e.g., tabletop exercises or drills with key stakeholders on at least an annual, if not quarterly, basis) and make adjustments as necessary.

Assess and Document the Effectiveness of the Plan Post-Breach

The business should assess and document the effectiveness of the response plan and any mitigation efforts post-breach and determine what, if any, changes should be made to the response plan to be better prepared for future breaches.

Ensure the Data Breach Avoidance and Response Plans Remain Current

Avoiding and responding to a data breach does not end with the creation of data breach avoidance and response plans. Rather, businesses must continuously ensure that the plans remain current by evaluating and updating IT security processes, employee security awareness, and representatives on the data breach response team. Businesses should also monitor and stay abreast of any changes in state and federal laws related to data breach notification requirements or other legal obligations.

Managing a Data Breach

After a data breach, it is imperative for a business to act quickly and decisively to regain security of the data, preserve evidence, and protect its reputation with customers. As an initial step, where a business has designated a response team, that team should be notified immediately, and the response plan activated. In particular, it is critical (whether the business has a formal response plan or not) to:

  • Notify the representatives on the data breach response team (where applicable)
  • Immediately secure the data and systems to stop the breach
  • Identify the scope of the breach, the compromised data, and the affected individuals
  • Determine which state and/or federal laws apply to the handling of the data breach and notification of the affected individuals
  • Notify the affected individuals
  • Manage communications as to the data breach and the steps taken to investigate and respond to the breach

Notifying the Affected Individuals

The United States does not have a uniform data breach notification law. Therefore, in the event of a data breach, businesses must rely on an amalgamation of state-by-state requirements, and in some instances, federal industry-specific requirements. Mishandling notifications can lead to severe consequences such as fines, reputational damage that leads to the loss of customer loyalty and potential revenue, and regulatory scrutiny and/or enforcement actions.

A total of 47 states, plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, have statutes governing data breach notification requirements (Alabama, New Mexico, and South Dakota do not). While data breach notification statutes vary by state, most states generally require a business to send a letter to each data breach victim in the state where the victim resides.

A useful way to streamline the notification process is to draft a general breach notification that covers the requirements common to most states’ laws. The letter can then be tailored to follow the individual notification rules of each particular state to which it is sent, as well as to include the relevant requirements under applicable federal laws, such as the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Forum:4

It is becoming commonplace to hear of big security breaches. Consumers wonder how this keeps happening. It would seem like every company should be taking their data security very seriously. After all, a data breach typically costs millions of dollars and tarnishes the company’s reputation.

This theory was certainly questioned when the nation’s largest banker, JP Morgan Chase, lost the names, addresses and personal information of 76 million of its customers. Breaches like this erode the public trust and cause consumers to back away from doing business online altogether.

So how can you stop this from happening to your company? Is anyone really safe nowadays? Below, we discuss six solidly proven ways to prevent cyber security breaches from occurring at your company.

1. Limit access to your most valuable data.

In the old days, every employee had access to all the files on their computer. These days, companies are learning the hard way to limit access to their more critical data. After all, there’s no reason for a mailroom employee to view customer financial information. When you limit who is allowed to view certain documents, you narrow the pool of employees who might accidentally click on a harmful link. As corporations move into the future, expect to see all records partitioned off so that only those who specifically need access will have it. This is one of those common-sense solutions that companies probably should have been doing all along.

2. Third-party vendors must comply.

Every company does business with a wide array of third-party vendors. It’s more important than ever to know who these people are. Companies can even open themselves up to lawsuits by allowing strangers to enter their premises. What if the guy who delivers office supplies just got out of prison? It’s something to think about. In addition, be sure to limit the types of documents these vendors can view.

Though precautions like this can be a hassle for the IT department, the alternative could be a multi-million-dollar data breach. For those companies that are allowed to view your important data, demand transparency. Make sure they are complying with privacy laws; don’t just assume. Ask for background checks for third-party vendors who must enter your company on a regular basis. CEOs need to get tougher on security if they really want to instigate change.

3. Conduct employee security awareness training.

According to recent surveys, employees are the weakest link in the data security chain. In spite of training, employees open suspicious emails every day that have the potential to download viruses. One mistake that employers make is thinking that one training class about cybersecurity is enough. If you’re serious about safeguarding your important data, schedule regular classes each quarter or even monthly.

Believe it or not, employees have been known to leave those classes, return to their desks and open suspicious emails without even thinking twice. Marketing studies show that most people need to hear the same message at least seven times before it begins to change their behavior.

4. Update software regularly.

Professionals recommend keeping all application software and operating systems updated regularly. Install patches whenever available. Your network is vulnerable when programs aren’t patched and updated regularly. Microsoft now has a product called Baseline Security Analyzer that can regularly check to ensure all programs are patched and up to date. This is a fairly easy and cost-effective way to strengthen your network and stop attacks before they happen.

5. Develop a cyber breach response plan.

What would you do if you went to work tomorrow and learned that a data breach had occurred? Surprisingly few companies have a sound breach response plan in place. It either hasn’t occurred to them that they may need one someday soon, or they feel they can handle the response as necessary. There’s a significant fallacy in this thinking. In the past, large companies that had cybercriminals break in and steal records were slow to make this public. They were also reluctant to share the truth about how much data and what type of data was stolen.

The government’s OPM break-in was handled very poorly. It was months after the breach before FEMA made a public announcement. When they did announce that a data breach had occurred, they downplayed how serious it was, issuing incorrect information about exactly how many records had been compromised. It was several years before the true nature of the breach was exposed.

For consumers, this is unacceptable. People feel they have a right to know exactly when the breach occurred and what was lost. Though it took several years to learn this, government employees were finally told the truth: over 21 million records were stolen. Most of them contained names, addresses, social security numbers, and fingerprints.

Developing a comprehensive breach preparedness plan enables both the employees and the employer to understand the potential damages that could occur. An employer should be very transparent concerning the scope of the breach; employees want to know the truth. A good response plan can limit lost productivity and prevent negative publicity. Employees feel angry when they find out that the company they work for had a data breach six months ago and no one told them about it.

Your response plan should begin with an evaluation of exactly what was lost and when. Find out who is responsible whenever possible. By taking swift, decisive action, you can limit damages and restore public and employee trust.

6. Difficult-to-decipher passwords.

In the past, businesses rarely got involved with how often employees had to change their passwords. Recent cyber breaches have changed all that. When security experts come to your company to educate your employees, one thing they will stress is the need to regularly change all passwords. Most of the public has discovered the importance of making passwords difficult to decipher. Even on our home computers, we’ve learned to use upper case letters, numbers and special characters when formulating passwords. Make it as difficult as possible for thieves to break in and steal your stuff.

Reassure your customers.

Online shopping now represents over $80 billion in sales for American businesses. People seem to love to shop online. It’s so easy and convenient. The future looked bright for online sales until data breaches at stores like eBay and Amazon occurred. Recent surveys of consumers across America show that 56% have cut back on their internet purchases due to fear of their personal info being stolen. This equates to lost sales in the millions of dollars.

This has now become such a prevalent problem that companies create marketing campaigns to reassure shoppers that it’s safe to shop online again. But, it can take years to restore the public’s trust once it’s lost. If customers see that your company is doing its best to prevent cyber theft, they may feel better about buying from you.
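The first of the six points above, limiting access to the most valuable data, comes down to a deny-by-default check: a role reads a class of record only if it has been explicitly granted that class. The following is an added example, not code from the original answer or from MGMT SS STATS; the role names, record classes and sample requests are constructed for the demonstration, and the audit list stands in for whatever log store the organization actually uses.

```python
"""Deny-by-default access check for classified records.

Added example, not code from the original answer: it models the advice that
only staff who specifically need a class of record may read it. The role
names, record classes and sample requests below are constructed for the demo.
"""
from typing import Dict, List, Set

# Hypothetical grants: role -> record classes that role may read.
# Anything not listed is denied; there is no wildcard and no "default allow".
GRANTS: Dict[str, Set[str]] = {
    "benefits_officer": {"contribution_record", "pension_record"},
    "claims_clerk": {"contribution_record"},
    "mailroom": set(),  # handles mail, needs no personal data at all
}


def is_allowed(role: str, record_class: str,
               grants: Dict[str, Set[str]] = GRANTS) -> bool:
    """True only when the role carries an explicit grant for the record class."""
    return record_class in grants.get(role, set())


def who_can_read(record_class: str,
                 grants: Dict[str, Set[str]] = GRANTS) -> List[str]:
    """Blast-radius review: every role that could reach this record class."""
    return sorted(role for role, classes in grants.items() if record_class in classes)


def request_access(user: str, role: str, record_class: str,
                   audit: List[dict]) -> bool:
    """Evaluate a read request and record the decision for later review.

    Denied requests are logged too: a run of denials from one account is
    exactly the trail an investigation after a breach wants to see.
    """
    decision = is_allowed(role, record_class)
    audit.append({"user": user, "role": role,
                  "record_class": record_class, "allowed": decision})
    return decision


if __name__ == "__main__":
    audit_log: List[dict] = []
    # Constructed sample requests.
    request_access("a.joseph", "benefits_officer", "pension_record", audit_log)
    request_access("m.brown", "mailroom", "contribution_record", audit_log)
    for entry in audit_log:
        print(entry)
    print("roles able to read pension records:", who_can_read("pension_record"))
```

The `who_can_read` review is the part worth running periodically: if a record class is readable by more roles than the business can justify, that is the partitioning the answer above calls for, applied before an incident rather than after one.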
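Point six above gives the password rules in prose: upper-case letters, numbers, special characters, and regular changes. As an added example (not code from the original answer), the checker below enforces those stated rules and, going beyond the text, also applies a minimum length, a common-password denylist and a check that the password does not contain the username, which are the controls a practitioner would add to the composition rules. The length, age limit and denylist entries are assumptions chosen for the demonstration.

```python
"""Password policy checker for the rules stated in the answer above.

Added example, not code from the original answer. Reports every rule a
candidate password violates so the user is told what to fix, rather than
just "rejected". MIN_LENGTH, MAX_AGE_DAYS and the denylist are assumed values.
"""
import re
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 12          # assumed policy value
MAX_AGE_DAYS = 90        # assumed rotation interval ("regularly change all passwords")

# Constructed sample denylist; a real deployment would use a breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "qwerty123", "letmein", "p@ssw0rd",
}


def check_password(candidate: str, username: str = "",
                   last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if last_changed is not None:
        reference = today or date.today()
        if reference - last_changed > timedelta(days=MAX_AGE_DAYS):
            problems.append(f"older than {MAX_AGE_DAYS} days, must be changed")
    return problems


def is_compliant(candidate: str, username: str = "",
                 last_changed: Optional[date] = None,
                 today: Optional[date] = None) -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not check_password(candidate, username, last_changed, today)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("P@ssw0rd", "alice"), ("Contrib#2024-alice", "alice"),
                     ("Tr0ub4dor&Caribbean", "bob")]:
        print(pw, "->", check_password(pw, user) or "compliant")
    # Age check: same strong password, but set 152 days before the reference date.
    print(check_password("Tr0ub4dor&Caribbean", "bob",
                         last_changed=date(2024, 1, 1), today=date(2024, 6, 1)))
```

The `today` parameter exists so the age rule can be tested deterministically; in production it is left unset and the current date is used.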
