As a privacy and IT attorney, I fielded numerous calls at the beginning of the pandemic asking for advice on how to support a remote workforce. The biggest concern was whether security would be sufficient for remote operations. Perhaps this heightened sensitivity has paid off. So far in 2020, security breaches – the unauthorized exposure of private information to an untrusted environment – are down. The nonprofit Identity Theft Resource Center (ITRC) reported a 33% decrease in the number of breaches during the first half of 2020. Still, ITRC has tracked over 11,000 security breaches since 2005, resulting in exposure of approximately 1.6 billion records. Their experts predict that the slowdown is only temporary, as cybercriminals become more sophisticated and focus on new ways to do damage. Phishing schemes, for instance, trick users into opening emails that appear legitimate, which may install malware on their devices or expose their login credentials and other private information. Data can be used to steal identities. For example, unemployment insurance fraud has surged during the pandemic. In Illinois over 200,000 fraudulent claims have been filed just since March.
A quick Google Search of “Crazy Security Breaches” will show you the diversity of breaches. A software error resulted in the Danish government accidentally exposing the personal identification number of a million Danish citizens over a period of five years.
In August, an employee at Tesla notified management that the employee had been offered $500,000 to install malware on its systems.
The employee notified Tesla and cooperated with the FBI to result in an arrest. Accidental breaches happen too. For instance, Microsoft misconfigured its own Azure product and accidentally exposed data in its customer support database. A third-party security researcher noticed it and informed Microsoft on New Year’s Eve 2019.
So, it’s logical to assume that most companies that deal with data will have to deal with a security breach at some point. We have six steps to guide you through this stressful occurrence.
1. Get a handle on your data.
It’s important to know where your data is, how it’s vulnerable to security breaches, and how you can monitor your data for issues. Most of us understand that a nefarious third-party actor that gains access to an electronic system is breaching your security. Phishing schemes, for example, start from outside your company and trick users into disclosing information. When you look at your data, though, it’s important to consider whether you are protecting it appropriately. The infamous Veterans Affair security breach from 2006 began when an employee took home a laptop and an external hard drive that included information on 26 million people. His home was burglarized, and the laptop and hard drive were stolen. While the specific facts have been the subject of media attention and government investigations, the employee claimed he was authorized to access social security numbers from home. Knowing where your data is and how it’s supposed to be treated can help you recognize problems early on.
2. Stop the data breach fast.
Whether you’re prepared or not for a security breach, your top priority should be to stop the breach as soon as possible without destroying or damaging evidence. In an ideal world, you’ve planned for this. You’ve identified an incident response team and you’re ready to address the breach. If you’ve done this already, congratulations! Stick to your plan and methodically execute on it. If your breach is caused by internal actors, eliminate access immediately. If a third-party is accessing your systems through log-in credentials, change them immediately. Secure your networks, and take them off-line if you have to. And, if you are in over your head, get external help. Respected IT security consultants and forensic analysts can be available in a moment’s notice.
3. Investigate the breach.
When you are reasonably sure the immediate threat to the data has been squelched, it is time to figure out what happened. You will need a team of resources to do this effectively. Certainly, information technology and InfoSec experts are critical members of this team. But depending on the type of data exposed and the circumstances of the breach, consider involving people with experience in communications, human resources, legal, and operations. Depending on the risk to your organization, high level management should be informed and participate as appropriate. You may need law enforcement assistance. Your investigation should be conducted swiftly, but not haphazardly. Keep in mind if sensitive information like credit card numbers, social security numbers, health information, account information, and similar identifiable information has been breached, you may have to report the breach. These obligations typically are time-bound and are triggered at the date of discovery of the breach. You will want to know what happened when you notify the relevant parties.
4. Determine your legal obligations.
While you investigate the breach, you will want to learn what
your legal obligations are. All fifty states have laws that require organizations to notify individuals of certain types of security breaches. Some of these laws apply to entities doing business in the relevant state, and some of these laws apply to entities that possess personal information about the state’s residents. You may also need to notify regulators and, in some cases, the media. Federal laws regulating the health and banking industries also require notification in certain circumstances. Some of the laws require entities to notify state consumer protection agencies like the Attorneys General or consumer reporting agencies, like the three major credit bureaus. Depending on the size and scope of the breach, you may need to set up a call center for individuals to ask questions. All of these requirements have deadlines, so it is important not to procrastinate on this step. The industry you are in, the type of information that was breached, and the size of the breach will dictate your reporting obligations.
5. Help individuals protect themselves.
Once you understand whose data and what data has been affected, you can help individuals protect themselves. Some security breaches put individuals at risk for identity theft. You should consider whether to offer credit monitoring services (which may or may not be required by law). You can direct individuals to IdentityTheft.gov, the Federal Trade Commission’s website for reducing the risk of identity theft. Other security breaches are less risky to individuals, and sometimes it is enough to inform individuals of what happened to put them on notice in case problems arise later.
6. Fix the problem.
Your organization will learn lessons on what went wrong. Maybe you need additional safeguards about what kind of information can be stored on mobile or external devices. Maybe you need a third-party vendor who can wipe your computers of identifiable data when you are decommissioning them. Maybe your organization needs additional training on what constitutes personal information. Unfortunately, security breaches can be expensive and painful, but their damage can be minimized through proper planning and a proper response.
by Heidi Yernberg
heidi@jayaramlaw.com