Introduction: Preventing, Mitigating and Responding to Data Breaches
Today, it is almost impossible to open a newspaper without seeing an article about another data breach. Attackers of various motivations – from nation states and criminals to terrorists and hacktivists – have targeted and successfully breached government entities, private individuals and companies in all sectors of the economy and around the globe. As then-FBI Director Robert Mueller observed in 2012: '[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.'
In recent years, this has become even more apparent. According to Kroll's 2019/2020 Global Fraud and Risk Report, nearly every industry ranked cyberthreats and data leaks as a top security risk facing its economic sector. And, underscoring the evolving nature of the attacks facing business, FireEye Mandiant's M-Trends 2021 report found that ransomware groups have evolved to pursue multifaceted extortion schemes, which accounted for a large percentage of cyber intrusion activity in 2020.
As data breaches and ransomware events increase in frequency, boards of directors, management, employees, customers and regulators across the globe are increasing their expectations for companies to take information security and breach preparedness seriously. Preventing, preparing for and (inevitably) responding to breaches is no longer seen as an IT issue, but rather as a significant risk area that cuts across areas including legal and compliance, human resources, audit, vendor management, insurance and communications.
In the wake of a data breach, companies may need to conduct internal investigations; engage external specialists, including law firms, forensic investigators and public relations experts; implement crisis management plans; assess breach notification requirements, regulatory obligations (such as data protection authority and securities disclosure requirements), contractual issues, litigation exposure and compliance improvement efforts; and respond to requests, enquiries and actual or threatened enforcement or litigation from customers, government agencies, payment card brands, insurance companies, auditors and the media.
Understanding and preparing for each of these workstreams is fundamental to a successful cybersecurity investigation and incident response. To that end, this book – with chapters addressing key topics authored by leading authorities and informed by their broad experience in handling data incidents – is intended to provide companies and counsel with an overview of the key cyberthreats and legal, strategic, tactical and reputational considerations and risks that companies may need to assess in preparing for and responding to a data security incident, including how these considerations vary in certain jurisdictions around the world.
Fundamentally, as regulators and industry groups across the globe have recognised, effectively managing any company's exposure to cybersecurity threats and liabilities requires taking a risk-based approach.
As such, the guidance in this book is not intended to be one-size-fits-all. For example, as recognised throughout the book, regulatory obligations and risk mitigation strategies may vary based on sector, geographical location and the nature of a company's critical data assets. Therefore, to successfully prevent, mitigate and respond to a data breach, each company should assess and understand its risk profile; develop a system of overlapping data security controls and risk mitigation strategies tailored to its threat profile and critical assets; and prepare an incident response plan that is appropriate for the company's size, organisational structure, culture and risks.
To properly prevent and prepare for breaches and to otherwise assess and mitigate cyber risk, a company first needs to understand the nature of its cyber risk. This means not only understanding the organisation's threat profile (from both external and internal threats) but also having a firm grasp on what the critical data is and where it is stored. Armed with these key pieces of information, an organisation can allocate IT resources and personnel, tailor security controls and make informed strategic decisions to balance risk minimisation with operational needs.
Chapter 1 of this book, for example, provides an overview of the different types of threats and threat actors, ranging from nation-state actors to cybercriminals and company insiders. Although the controls a company needs to implement may not differ greatly between, for example, nation state-associated actors and cybercriminals, it is important for companies to understand the types of risk they face from both internal and external actors, and their most vulnerable attack vectors, so that they can control for each of these risk areas. Understanding when, for example, certain company actions might increase the likelihood of a nation-state actor being driven to attack may lead the company to enhance monitoring for a period around that activity.
In addition to understanding a company's threat profile, it is perhaps even more critical for a company to identify its key data assets, often referred to as its 'crown jewels', and to know where those data assets reside. As the US Federal Trade Commission (FTC) advised in its 2016 Protecting Personal Information: A Guide for Business, 'effective data security starts with assessing what information you have[,] identifying who has access to it . . . [and] how [it] moves into, through, and out of your business', because this information is 'essential to assessing security vulnerabilities'. Crown jewels can include commercial proprietary information, intellectual property or trade secrets (belonging to the company or its enterprise customers); sensitive personal, health or financial information (belonging to the company's employees or customers); classified or other controlled information (e.g., export-controlled information); or other internal documents (e.g., email files). 'Tak[ing] stock' of how a business maintains sensitive information, as the FTC suggests, includes understanding who sends sensitive information to the business, how the business receives that information, what kind of information is collected at each entry point, and where the information collected at each entry point is kept.
Understanding a company's threat profile and identifying its critical data assets often go hand in hand. For example, if a company processes payment card data as a core component of its business, cybercriminals may be one of its biggest cyberthreats. Or, if a company is a government contractor, it may be targeted by nation states seeking government information. But sometimes the picture is less clear. For example, a hospital's most valuable data to an external party may be health insurance information, social security numbers and other information that enables identity theft. But ensuring the availability, integrity and security of other data or systems – such as patient allergy information or the continued functionality of life-saving medical devices – may be just as critical.
Although it is described in the context of cyber due diligence, the guidance provided in Chapter 7 on preparing for a diligence exercise and scoping potential risk areas can also be helpful to a company conducting its own internal risk assessment.
Once a company identifies the nature and location of its most sensitive assets, it should then design and implement a system of controls appropriate to protecting those assets. For example, in June 2015, the FTC issued a guidance document as part of its Start with Security initiative, which focused on encouraging small and medium-sized businesses to embrace 'security-by-design' principles. In the guidance document, Start with Security: A Guide for Business, the FTC drew what it considered to be lessons learned from its 54 data security enforcement actions.
Based on a review of these cases, the FTC advised companies to incorporate a series of 10 lessons learned:
- develop an appropriate, proactive cybersecurity plan;
- control access to data sensibly;
- require secure passwords and authentication;
- store sensitive information securely and protect it during transmission, including through the use of strong cryptography for data in transit and at rest;
- segment networks and monitor egress and ingress through tools such as firewalls and intrusion detection and prevention tools;
- secure remote access to networks;
- apply sound security practices (e.g., secure coding, security testing and vulnerability assessments) when developing new products;
- keep a watchful eye on service providers (e.g., diligence, contractual requirements and performance oversight) to ensure they implement reasonable security measures;
- keep security current and address any vulnerabilities; and
- secure paper, physical media and devices.
Many of these recommendations may sound obvious. However, time and again, failings in fundamental security practices, similar to many of those identified by the FTC, are the apparent cause of, or a substantial contributing factor to, a significant breach.
Forensics, security and consulting firms agree. In its 2018 X-Force Threat Intelligence Index annual report, IBM said that human error, such as misconfigured cloud servers, unsecured cloud databases and improperly secured backups, was responsible for 43 per cent of publicly disclosed misconfiguration incidents in 2018, up from only 17 per cent in 2017. Meanwhile, Verizon's 2018 annual 'Payment Security Report' found a decrease in the percentage of companies fully compliant with the Payment Card Industry Data Security Standard (PCI-DSS) during interim assessments – the first time Verizon had seen a decrease in the percentage of compliant companies since 2012. Verizon further noted that 'no organization affected by payment card data breaches was found to be in full compliance with the PCI[-]DSS during a subsequent Verizon PCI forensic investigator . . . inquiry'.
Prepare, plan, practise and manage a coordinated response
Once a company is armed with an understanding of its risk profile and crown jewels, and has endeavoured to implement controls (appropriate in light of the risks) to prevent, detect and quickly mitigate an attack, the company should be in a position where successful, significant attacks on its data assets are unlikely. Nevertheless, companies cannot and should not rest on their laurels, or be comforted by the strength of their security scheme alone. New vulnerabilities and attack methods are being identified and exploited daily. A common maxim in the security community is that attackers only have to 'get it right' once – find one vulnerability on one system to exploit – while security personnel need to 'get it right' every time to definitively prevent a breach from occurring. Another maxim is that the most secure system is the least usable – one that is locked in an impenetrable safe and disconnected from the internet.
Because neither perfection nor total non-usability is desirable or appropriate, companies should ensure that they are prepared to respond to an incident if necessary. Companies can use this book to help them in those efforts and to guide their response should they ever face a significant security incident. Whether it be identifying the internal team and external resources who should be at the table during an incident response, planning a realistic table-top exercise that reasonably covers the types of issue a company may face in an incident response, identifying the relevant regulators and law enforcement agencies with which companies should establish relationships before an incident occurs, planning for the various workstreams, or assessing options for insurance cover, this book is intended to provide a legal framework, supplemented by practical and tactical guidance, to support these efforts.
1 Benjamin A Powell is a partner at Wilmer Cutler Pickering Hale and Dorr LLP.
2 Kroll, 'Global Fraud & Risk Report: 10th Annual Edition – 2019/2020', www.kroll.com/en/insights/publications/global-fraud-and-risk-report-2019.
3 FireEye Mandiant Services, Special Report, 'M-Trends 2021', https://content.fireeye.com/m-trends/rpt-m-trends-2021.
4 See, e.g., Appendix B to 12 CFR Part 30, Section III.C (requiring national banks and federal savings associations in the United States to design information security schemes to 'control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope' of the entity's activities); 45 CFR Section 164.306 (requiring 'covered entities' and 'business associates' under the Health Insurance Portability and Accountability Act, as amended, to utilise security measures to protect electronic protected health information, based upon, in part, '[t]he probability and criticality of potential risks to electronic protected health information'); Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Section 2, Art. 32 ('Taking into account the . . . risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk . . .'); Group of Seven (G7) Cyber Expert Group, 'G7 Fundamental Elements of Cybersecurity for the Financial Sector', https://www.ecb.europa.eu/paym/pol/shared/pdf/G7_Fundamental_Elements_Oct_2016.pdf (noting that financial institutions should '[e]stablish and maintain a cybersecurity strategy and framework tailored to specific cyber risks . . .').
5 US Federal Trade Commission [FTC], 'Protecting Personal Information: A Guide for Business' 2, October 2016, www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf. While this and other FTC data security guidance is directed at the protection of US consumer personal information – in view of the FTC's jurisdictional authority (see Chapter 11) – its guidance is nonetheless helpful in identifying foundational security practices for the protection of sensitive information more broadly.
6 id., at 3 to 5.
7 FTC, 'Start with Security: A Guide for Business', June 2015, www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.
8 As of the end of 2018, the FTC had brought 65 cases against companies based on allegations of unfair or deceptive practices involving inadequate protection of consumers' personal data. FTC, 'Privacy & Data Security: Update 2018', www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2018/2018-privacy-data-security-report-508.pdf.
9 In 2017, the FTC published a series of blog posts titled 'Stick with Security' as a 'deeper dive' follow-up to the Start with Security guidance. The blog series includes a separate in-depth blog post on each of the 10 'lessons learned'. FTC, 'Stick with Security: A Business Blog Series' (2017), www.ftc.gov/tips-advice/business-center/guidance/stick-security-business-blog-series.
10 IBM Security, 'X-Force Threat Intelligence Index' (2019), https://xforceintelligenceindex.mybluemix.net/?cm_mc_uid=22606977992415547523155&cm_mc_sid_50200000=30533621554752315552&cm_mc_sid_52640000=63000101554752315557.
11 Verizon, '2018 Payment Security Report', https://enterprise.verizon.com/resources/reports/2018_payment_security_report_en_xg.pdf.