Data Breach Handling – the 5 key steps
New privacy legislation in 2018 saw a dramatic increase in the number of data breach notifications. In the 2018 British Airways data breach, more than 380,000 customers’ payment card details were stolen by hackers. This added to a long line of data breaches making the headlines in the UK, after some of the country's biggest brands, including Superdrug, Carphone Warehouse, Currys, Dixons Travel and PC World, were hacked earlier in the year. Read the blog to explore the 5 key steps to mitigating risk.
The scale of the British Airways breach isn’t huge compared to some of the mega-breaches we’ve seen over the past few years. However, losing 380,000 customers’ card details is a big deal for an organisation whose reputation is built on public trust. Additionally, for any company processing the personal information of European Union citizens, the General Data Protection Regulation (GDPR) makes each breach potentially more damaging than ever before. When GDPR was introduced in May 2018, few would have predicted the volume of breaches that would come to be admitted just a few months later.
In the UK alone since GDPR’s commencement in May 2018, the domestic privacy regulator has received more than 8,000 reports of personal information being lost or stolen. GDPR mandates that when an organisation suffers a breach of personal information of any number of European citizens, the office of the Information Commissioner (ICO) must be notified within 72 hours unless there is unlikely to be a risk to the rights and freedoms of the affected individuals.
Furthermore, UK citizens and residents are encouraged to complain to the ICO if they think their personal information has been misused or not secured to an appropriate level, which encourages companies to get on the front foot rather than having a complaint to the ICO raise the alarm.
Gemalto’s Breach Level Index (BLI) suggests there have been more than 13 billion records stolen since 2013, yet BLI’s 2018 First Half Report counted just under 3.5 billion records breached since the start of 2018. That is over a quarter of the declared breaches of all time in just six months.
It’s unlikely that the threat level has increased by more than 25% in the year, but the quality of the breach information we have has increased dramatically. This data shows that many breaches were not reported, either as a cover up or because the organisation didn’t know they were obliged to tell anyone about it (or were not required to notify anyone).
Now that GDPR has arrived, and mandatory data breach notifications are also required in Australia, more and more companies understand their obligations and would prefer to stay on the right side of the law than worry so much about the wrath of angry customers.
In fact, there is sufficient evidence to show that people have generally accepted that data breaches occur, and they critique the company on their response – i.e. was the notification timely and did the company do everything it could to minimise the harm the breach may cause?
How to manage a data breach response effectively
Data breaches are somewhat inevitable: even with the best security controls in place, just one slip-up could see your data going missing. One of the most important things companies can do, therefore, is adequately prepare for managing the incident.
It pays to develop your incident response processes long before they are needed, and to review them regularly to ensure they remain current and relevant. The worst time to be figuring out who does what, and who has authority to act during a breach, is just after it happens, since even the most experienced teams can find the chaos of incident response challenging.
Cyber Fire Drills – Practice Makes Perfect (Nearly)
The concept of running a cyber fire drill has been around for some time, whereby you practice a full-scale incident response, engaging all the appropriate teams, managers and external stakeholders to ensure everyone knows their role and the process is efficient and effective.
The most critical role, that of incident manager (IM), requires someone who can think clearly and concisely and has no difficulty making hard decisions. The IM needs authority to act in the best interests of the company, which means it must be agreed in advance that swift action such as shutting down a website or isolating a network is the right response, even if it means the company loses revenue.
There must be a no-blame policy for IM decision making; otherwise the company’s culture will see incident managers fail to make the best decisions, because they will make the decisions that protect themselves from blowback.
The other thing a cyber fire drill will highlight is whether the right team can be assembled to manage the crisis. In some cases the team might comprise well-qualified staff, but if they are not able to drop everything and fulfil their role in collaboration with the IM, then your handling of the incident won’t be effective.
Subject matter experts (SMEs), such as system administrators, application designers, network engineers and data owners, all need to be engaged during the incident response process, so each nominated SME should already be familiar with your company’s incident response processes and know their level of delegated authority when engaged by the IM.
The 5 Steps of Data Breach Response
To reiterate what we said earlier in this post, organisations need a tried and tested incident response plan to ensure they respond as soon as possible and minimise the harm a breach can cause. The following five steps should help you respond in a way that minimises the damage and mitigates the risk of serious reputational damage.
Step 1: Call the Team
As soon as your security team spots the incident and raises the alarm, the IM should spring into action. This means quickly assessing the risks, the potential scope and the harm the attack might cause, and assigning tasks to the appropriate team members.
Clear terms of engagement should be set out for each incident response team member, and expectations set as to what the IM needs from them in the first 30 minutes. This gives the team clear instructions and clear authority to carry out their tasks.
Step 2: Data Breach Containment
The very first responsibility of the team is to gauge the extent of the breach and stop it getting any worse – this step is known as containment in incident response parlance. It may be that the team installs missing patches or locks specific user accounts to stop any further escalation. Depending on the nature of the breach, the IM might also need to contact external third parties, since the data might have gone outside of your own network.
Step 3: Damage Assessment
Once you feel the breach has been contained, it’s time to fully assess what damage has been done and then set in motion the appropriate longer-term responses to handle the fallout. Never underestimate the extent of a breach, especially if the data has gone outside of your organisation, since it’s not possible to guarantee you have found all copies of the data.
It’s better to start by asking yourself how the information might be misused by an attacker. If it might be useful to a criminal attempting identity theft, such as for signing up for a phone contract or obtaining false identification such as a driver’s license, then it should be treated as severe and the police should be told (as well as the information commissioner).
Step 4: Notify your Regulator
You should not report a breach without the facts. With GDPR, for example, organisations must notify within 72 hours, and for a very good reason: the best way to minimise harm is to act quickly. The preceding three steps should therefore all be undertaken within that 72-hour period. It is then time to notify the information commissioner.
Ensure that you also notify everyone else who needs to be told about the breach, including affected individuals. Other regulators may also need to be informed; in the financial services sector in Australia, for example, APRA will need to be notified when a breach occurs. Maintaining a list of the appropriate contacts will help make sure no one is left out.
Step 5: Post Incident Review
A post-incident review (PIR) is a wash-up meeting where everyone involved in incident management and response explains what happened and calls out any problems with the people, processes and technology they encountered.
Even if you are only running a cyber fire drill, the PIR is the best way to see issues with your processes and get them fixed before a real incident occurs.