Published in NH Bar News Supplement - NH Bar Solo and Small Law Firm Cybersecurity Guide - May 2021
Breach happens. It is an unavoidable fact of life. Every business will experience breach: it’s not a matter of if but when. Businesses certainly should prepare themselves by adopting safeguards to avoid breach, which often limit the impact of breach when it occurs. However, businesses also can and should prepare themselves with strategies to mitigate breach when it happens.
Certain Safeguards Limit the Impact of Breach
Incorporating cybersecurity safeguards now into operations is a critical technique to limit the impact of breach. All businesses should work with cybersecurity counsel and an outside technology professional to conduct a comprehensive information security risk assessment. One aspect of that process, of course, involves identifying cybersecurity risks in the business’ operations that may permit breach to occur, and then implementing measures to remediate those vulnerabilities. Another aspect of the assessment involves ensuring that the business has the right safeguards in place to limit the impact of breach when it occurs.
For example, ransomware poses the most significant threat to businesses right now. It is so prevalent and sophisticated that it is virtually impossible to avoid. Three measures are vital to limit the impact of a ransomware breach when it occurs: (i) advanced activity-based threat detection, beyond traditional anti-virus/anti-malware; (ii) failover redundancy or air-gapped backups; and (iii) robust access and activity logging.
Traditional anti-virus/anti-malware uses a blacklist to halt known malware when it activates. It does not protect against sophisticated ransomware. Hackers easily circumvent it by constantly creating new ransomware mutations. By contrast, more advanced protective software is available that detects the type of activity inherent to ransomware, and deactivates servers and computers before the ransomware encrypts the entire system or exports large amounts of data.
Once the ransomware is stopped, if a business has a redundant failover system, it can transition operations to that system, typically with only a few hours' downtime. Alternatively, if a business has backups that are disconnected from its network and, thus, unaffected by the ransomware (called air-gapped), it can restore its network from those backups. That typically takes a few days. However, a business that lacks these protections may not be able to return to operations for weeks or longer, and ultimately may need to pay the ransom to obtain the decryption key.
Lastly, if a business has configured the log files on its firewalls, servers, and computers to collect robust amounts of data about access to and activity within the network, forensics experts can analyze that data to determine whether the hackers accessed or exported data and, if so, the extent of that activity. Without these robust logs, businesses often must assume that all of their information was compromised, resulting in a broad, expensive, and damaging notification to individuals affected by the breach and regulators.
Implementing these three measures before ransomware strikes often means the difference between a manageable business problem and a catastrophe.
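To make the first and third measures concrete, the following is an added illustration (not code from the article or from any product it alludes to) of what activity-based detection and forensic scoping look like over endpoint file-activity logs. The event records, hosts, user names, paths and thresholds are all constructed for the example: one workstation behaves like a normal user, another rewrites dozens of files in under a minute and then pushes a large archive out, which is the pattern the detection flags and the logs later let a forensics team scope.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of file-activity events: (timestamp, host, user, action, path, bytes).
# "ws-07" is ordinary activity; "ws-12" shows ransomware-like behaviour.
EVENTS = [
    ("2021-05-03T09:00:01", "ws-07", "bob",   "modify", "S:/clients/jones.docx", 40000),
    ("2021-05-03T09:14:20", "ws-07", "bob",   "modify", "S:/clients/smith.docx", 38000),
    ("2021-05-03T09:30:00", "ws-12", "alice", "modify", "S:/clients/adams.docx", 41000),
]
for i in range(1, 60):  # 59 more files rewritten within the same minute
    EVENTS.append((f"2021-05-03T09:30:{i:02d}", "ws-12", "alice", "modify",
                   f"S:/clients/file{i}.docx.locked", 40000))
EVENTS.append(("2021-05-03T09:31:05", "ws-12", "alice", "upload",
               "S:/clients/archive.zip", 900_000_000))


def detect_mass_modification(events, window_s=60, threshold=25):
    """Flag hosts that modify more than `threshold` files within any `window_s` seconds.
    A signature blacklist never sees this; the rate of rewriting is the tell."""
    flagged, recent = set(), defaultdict(deque)
    for ts, host, _user, action, _path, _size in sorted(events):
        if action != "modify":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[host]
        q.append(now)
        while (now - q[0]).total_seconds() > window_s:  # slide the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(host)
    return flagged


def detect_bulk_export(events, max_bytes=100_000_000):
    """Flag hosts whose outbound uploads exceed `max_bytes` in total."""
    totals = defaultdict(int)
    for _ts, host, _user, action, _path, size in events:
        if action == "upload":
            totals[host] += size
    return {h for h, b in totals.items() if b > max_bytes}


def scope_impact(events, hosts):
    """From the same logs, list what the flagged hosts touched: without this record a
    business must assume everything was compromised."""
    touched = defaultdict(set)
    for _ts, host, _user, action, path, _size in events:
        if host in hosts and action in ("modify", "upload"):
            touched[host].add(path)
    return {h: sorted(p) for h, p in touched.items()}
```

In practice the flagged host is what an endpoint tool would isolate from the network before the encryption completes; the scoping function is the forensic step that the article says depends on logs having been collected in the first place.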
Rapid and Planned Response Is Critical
Minutes matter when responding to breach. Halting an incursion at one computer, one user, or one server is dramatically better than a breach of an entire system. But, haste causes mistakes, particularly if the response is not directed and executed by experienced professionals. A breach team consists of cybersecurity counsel, a forensics expert, the cyber liability insurance carrier, and the business leaders. Businesses should have a response team identified, and a written incident response plan tested, before a breach occurs.
When breach occurs, the organization’s technology personnel often rush to fix the damage and restore the system as fast as possible, and may even have an interest in obscuring the cause of the breach. Doing that often results in the destruction, accidental or otherwise, of data vital to the response, such as log files and forensic evidence about the identities of the hackers, the cause of the breach, and the extent of the information accessed or stolen. While the organization’s IT personnel are integral to breach response, the technological restoration should be directed and, oftentimes, performed by an independent forensics expert.
Cybersecurity counsel is also a critical member of the response team. Breach frequently leads to regulatory investigation. Securing counsel to direct the response ensures that privilege protects the communications and work product of the team, including potentially damaging evidence about the cause of the breach and the measures implemented to remediate that situation. Additionally, counsel coordinates coverage with the carrier, notification of individuals affected by the breach, and the communications with regulators required by law.
Breach is not a crisis that business and IT leaders should try to manage themselves. It is more art than science. And, effective breach management is the best way to avoid liability with respect to the individuals affected by the breach and regulators.
Eliminate Liability to Affected Individuals
Businesses can limit or effectively eliminate liability to the individuals affected by breach. The first impulse of some businesses in a breach is to hide the situation out of fear of reputational harm or regulatory investigation. However, honesty (along with a measure of good corporate citizenship) is the best policy.
In times past, individuals were upset when they received notice of a breach of their personal information. But, society at large has become inured to these events. Individuals are often more upset now if they discover that a breach occurred and the company did not inform them about it or delayed notification. In fact, while no organization wants a breach, businesses with healthy relationships with their customers, vendors, and other constituents can transform this problem into an opportunity to communicate effectively with those constituents, and establish or reaffirm their trust in the organization by providing appropriate protections for them.
Trust arises from being transparent with the individuals about the impact that the breach may have on them. Also, businesses that offer credit and identity monitoring and restoration services to them largely eliminate any claim for damages that they may have against the businesses. Moreover, if an organization has an appropriate cyber liability policy, the costs for such credit and identity monitoring and restoration, as well as the other costs of the breach response and notification, should be covered by that policy.
Beware of Regulatory Liability
While businesses can effectively eliminate liability to individuals, they cannot with respect to regulators. For example, state laws require businesses to notify each state Attorney General of a breach of information of residents of that state, even if the businesses are located elsewhere. Not surprisingly, Massachusetts, New York, and California aggressively follow up such notifications with regulatory investigations, issuing significant fines and penalties of hundreds of thousands of dollars, even against small and medium sized businesses.
While one method to limit regulatory liability is to provide appropriate notice, as well as credit and identity monitoring and restoration, to the individuals affected by the breach, regulators also base fines and penalties upon whether businesses implemented reasonable information security safeguards before the breach. In fact, the state laws in Massachusetts, New York, California, and elsewhere outline the measures that businesses must or should implement.
Many businesses are unaware that they must comply with these other states’ laws about information security safeguards simply because they possess information about residents of those states. However, debating that point with regulators is ineffective. The better strategy is to take immediate steps after the breach to bring the business into compliance with the applicable state laws, and then negotiate a reasonable resolution with regulators.
Breach is an unavoidable event, but it need not be catastrophic. The costs of it can be limited by conducting a risk assessment with qualified professionals, implementing appropriate safeguards before a breach occurs, having the right team in place to deal with breach when it occurs, securing adequate cyber liability insurance, and being transparent with and providing appropriate protections for individuals affected by the breach. Just like any other business problem, breach is manageable with appropriate preparedness and planning.
Cam Shilling founded and chairs McLane Middleton’s Information Privacy and Security Practice Group. The group of four attorneys and one technology paralegal assists businesses and private clients to improve their information privacy and security compliance, and to address any security incident or breach that may arise. Cam can be reached at (603) 628-1351 or [email protected].