
Page 1: The Challenges of Managing Privacy Incident Response (source: lpa.idexpertscorp.com/acton/attachment/6200/f-031c/1...)

866-726-4271

The Challenges of Managing Privacy Incident Response


WHITEPAPER

Malware invading third-party systems. The e-mail containing unencrypted data. Sensitive information accidentally exposed on an outward-facing site. Lost paper files. Personal data incidents such as these are a given when one considers the anytime-anywhere availability and exponential growth of information, particularly regulated data. According to the U.S. Government Accountability Office, federal agencies reported a surge in “information security incidents involving PII”, from 10,481 incidents in 2009 to 25,566 in 2013.[1] The 2014 Verizon Data Breach Investigations Report cited 63,437 security incidents from only 50 organizations.[2] That is roughly 1,268 incidents per organization per year.

How an organization manages its response to these data incidents determines the level of risk to its business, brand, and customers. To be successful, companies must develop an incident response process that accounts for the evolving nature of threats, copes with limited resources, and complies with complex breach notification laws. They must exchange ad hoc, cumbersome, or otherwise ineffective incident response processes for a more strategic approach. At an organizational level, they must unite disparate security and privacy objectives. At a process level, they must create consistent, repeatable and scalable methods for managing incident response.

The Changing Face of the Data Security and Privacy Environment

Over the past 20 years, data, in both its nature and its volume, has grown and evolved exponentially. Online transactions, social media, and electronic healthcare records were new or unheard-of phenomena not so long ago. And according to Cisco, “global IP traffic has increased fivefold over the past five years, and will increase threefold over the next five years.”[3] The high number of incidents noted in the Verizon report should not come as a surprise.

The security environment has also changed. When data lived primarily in the data center, the IT department was the steward of the data, and the CISO was the guardian of the firewall, defender of the perimeter. Security focused on detection and protection, and incident response was more of an afterthought than a planned activity. Then came distributed systems that linked locations, branch offices, business partners and the supply chain, followed by mobile computing that links the back office with every employee and customer all the time. Today, there is no perimeter. Business advantage follows where the data flows, leaving the CISO to safeguard data that can be in use or in transit anytime and, often, anywhere in the world.

[1] http://www.gao.gov/products/GAO-14-487T
[2] http://www.verizonenterprise.com/DBIR/2014/, p. 2.
[3] http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/VNIHyperconnectivityWP.html

Page 2

[4] http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[5] http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecurity/17615029/
[6] http://www.symantec.com/about/news/release/article.jsp?prid=2013060501
[7] http://www.securityweek.com/cybersecurity-requires-proactive-approach-ernst-young
[8] http://blogs.unisys.com/2014/06/25/sensitive-data-protection-3-reasons-for-the-vanishing-perimeter/

Privacy has had to grow up as well, to meet the challenge of keeping massive volumes of sensitive data private. Simple notice-and-consent has given way to mandatory notification when confidential data is exposed. Government has attempted to keep pace with numerous privacy regulations. At the federal level are industry-specific laws with breach notification provisions, notably the Gramm-Leach-Bliley Act (GLBA) for financial institutions and the HIPAA Final Rule for healthcare organizations. In addition, 47 states have their own version of a breach notification law, each with its own definition of when an incident becomes a reportable breach.[4]

Given the “fact-of-life” nature of incidents, security professionals are realizing the importance of incident response as a best practice. At the same time, privacy and compliance officers know that every incident involving regulated data must be assessed against federal and state data breach notification laws, an overwhelming task given how many incidents there are. Now is the time for organizations to align these privacy and security objectives and invest in appropriate tools and processes so they can reduce incident response-related risk across the enterprise. As Joseph Demarest, assistant director of the FBI’s Cyber Division, says, “You’re going to be hacked. Have a plan.”[5]

The Many Phases of Incident Response: An Analysis

Incident response is a multi-phase process that includes incident discovery, containment, investigation (and documentation), assessment and notification. Incident assessment is the most critical phase because it determines whether the incident is, in fact, a legal breach requiring notification to regulators, the affected individuals and, possibly, the media.

Too often, however, security sees incident assessment as a privacy function. The complex nature of incidents encompasses more than regulatory know-how, though. It includes understanding the technical aspects of an incident: the nature and severity of the incident, the nature and sensitivity of the affected data, remediation steps, and so on. Effective incident assessment bridges the gap between the technical and legal aspects, so privacy and security professionals can accurately determine whether an incident is a breach that legally requires notification.

An inaccurate assessment leads to improper notification, creating significant problems for an organization and its customers. If an organization fails or waits too long to notify, it could garner negative media attention, be sued or fined, suffer brand damage, and subject customers to financial, reputational, or even health risks. On the other hand, over-notification causes customers undue anxiety and can also damage a company’s reputation and brand.

The Challenges of Incident Response Management

Organizations must operate in an increasingly complex privacy and security environment. When developing a coordinated, consistent incident response process, they must take into account the changing nature of threats, the complexity of breach notification laws and the scarcity of human and financial resources.

Challenge 1: Incident Detection

Threats to regulated data, both electronic and paper, are wide ranging, and many organizations lack the ability to detect and mitigate these threats in a timely manner. Instead of taking a holistic view, privacy and security teams tend to focus their efforts on certain aspects. Information security, for example, may overlook the human factor when it comes to safeguarding sensitive data.

But according to the Ponemon Institute’s 2013 Cost of Data Breach Study: Global Analysis,[6] sponsored by Symantec, “human errors and system problems caused two-thirds of data breaches in 2012.” Ernst & Young’s Get Ahead of Cybercrime: EY’s Global Information Security Survey 2014[7] found similar results: 38 percent of respondents said employee carelessness or lack of awareness was the primary threat “that increased risk exposure.”

Such carelessness is dangerous in a world where data is no longer contained within a security perimeter. Scott Johnson, who leads Unisys’s Stealth security solution and product strategy, cites three reasons for the so-called “vanishing perimeter.”[8]

1. The exploding volume of easily accessible data. Johnson cites an IDC estimate that in 2015 “there will be approximately 2 exabytes of enterprise level unstructured data available…. One exabyte of storage could contain 50,000 years’ worth of DVD-quality video!”

2. The number of “access types,” including the 7 billion mobile devices. Cloud computing, too, alters the way data must be secured.

3. The “increased sophistication of the attackers and the attack types. From Hacktivists to organized crime rings, the bad guys are smart, focused and are using the latest techniques to capture sensitive data.”

What Is Regulated Data?

Regulated data is confidential or sensitive information that is protected under federal and state law, namely data breach notification laws. Protected health information (PHI) and personally identifiable information (PII) are examples of regulated data. The unauthorized exposure or acquisition of this data opens the way for regulatory fines and penalties, and class-action lawsuits.

Page 3

[9] http://www.mmmlaw.com/media-room/publications/articles/high-priority-a-federal-data-breach-notification-law
[10] http://www.natlawreview.com/article/analysis-white-house-data-breach-notification-bill
[11] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
[12] https://www2.fireeye.com/ismg-incident-response-survey.html, p. 17
[13] http://www.lancope.com/company-overview/press-releases/ponemon-survey-2014
[14] http://www.ey.com/Publication/vwLUAssets/EY-global-information-security-survey-2014/$FILE/EY-global-information-security-survey-2014.pdf, p. 25
[15] http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
[16] http://www.scmagazine.com/organizations-continue-to-lack-incident-response-proficiency-study-finds/article/336229/
[17] http://www.securityweek.com/cybersecurity-requires-proactive-approach-ernst-young
[18] http://www.securityweek.com/security-incident-response-teams-getting-short-end-budget-stick

Challenge 2: Complex Data Breach Notification Regulations

The tangled web of federal and state privacy regulations gets more tangled all the time, especially HIPAA, GLBA, and the 47 state data breach notification laws. These laws vary and can even conflict. What may be “only” an incident in one state could be a reportable data breach in another. As one law firm put it, “…there is a pressing need to simplify data breach laws. The current patchwork of state laws presents an economic and technical challenge for businesses and consumers, and a headache for compliance counsel.”[9] In fact, President Obama proposed the Personal Data Notification & Protection Act, which would establish nationwide rules for data breach notification and preempt the state laws.[10]

Each of these jurisdictions, conflicting or not, requires a separate incident assessment, a difficult challenge for organizations whose incidents span multiple jurisdictions. For example, a financial services company in New York may have an incident that potentially exposes sensitive client data. The company would have to perform a separate incident assessment for every state in which the affected clients live, in addition to assessing under GLBA or other federal regulations. The jurisdiction is determined by where the affected individual resides, not where the company or the data is located.

Each state and federal jurisdiction may also have its own notification requirements. For instance, the HIPAA Breach Notification Rule requires notification to the Secretary of Health and Human Services within 60 days of discovery if a breach affects 500 or more individuals; smaller breaches must still be logged and reported to the Secretary annually.[11] Whatever the assessment or notification requirements, the burden of proof always rests with the organization, not the regulators. This is a concern for many. In a 2013 incident response survey by FireEye, 25 percent of organizations named regulatory compliance as their highest priority.[12]
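The fan-out described above (one assessment per state of residence, with federal regimes layered on top) is easy to get wrong by hand once an incident touches several states. The following is an added example, not code from this whitepaper or from ID Experts, that builds an assessment work queue for a single incident. The only concrete rule it encodes from the paper is the HIPAA figure cited above (500 or more individuals: notify HHS within 60 days of discovery); the HIPAA media-notice rule for more than 500 residents of one state is the same regulation but is not stated in the paper, and every state and GLBA entry is a placeholder that merely records that a separate assessment is owed, because the real state thresholds are not on this page. The incident data, the dataclass names and the `build_assessment_queue` function are all assumptions made for the example.

```python
"""Added example: per-jurisdiction breach-assessment fan-out for one incident.

Not legal advice and not the whitepaper's method. State statutes are modeled as
placeholders only; the HIPAA numbers below are the ones the paper cites (500
individuals / 60 days) plus the media-notice threshold from the same rule.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

HIPAA_HHS_THRESHOLD = 500    # individuals: notice to HHS within the 60-day window
HIPAA_NOTICE_DAYS = 60       # days after discovery (individual notice in all cases)
HIPAA_MEDIA_THRESHOLD = 500  # more than this many residents of one state: media notice


@dataclass(frozen=True)
class AffectedPerson:
    person_id: str
    state: str              # two-letter state of residence, e.g. "NY"
    data_types: frozenset   # e.g. frozenset({"PHI"}) or frozenset({"PII", "financial"})


@dataclass(frozen=True)
class Incident:
    incident_id: str
    discovered: date
    affected: tuple              # tuple[AffectedPerson, ...]
    hipaa_covered: bool = False  # organization is a HIPAA covered entity / business associate
    glba_covered: bool = False   # organization is a GLBA financial institution


@dataclass(frozen=True)
class AssessmentItem:
    regime: str           # "state", "HIPAA" or "GLBA"
    scope: str            # state code, "HHS", "media:NY", "federal"
    affected_count: int
    deadline: date | None  # None where this example does not encode a fixed day count
    note: str


def build_assessment_queue(inc: Incident) -> list[AssessmentItem]:
    """Return one work item per jurisdiction that must assess this incident separately."""
    items: list[AssessmentItem] = []

    # 1. State layer: jurisdiction follows the residence of each affected individual,
    #    so each distinct state of residence is its own assessment.
    by_state = Counter(p.state for p in inc.affected)
    for state, n in sorted(by_state.items()):
        items.append(AssessmentItem(
            "state", state, n, None,
            f"assess under the {state} breach statute (placeholder; real thresholds vary by state)"))

    # 2. Federal layer on top of the state items. HIPAA applies only to PHI.
    phi = [p for p in inc.affected if "PHI" in p.data_types]
    if inc.hipaa_covered and phi:
        window_end = inc.discovered + timedelta(days=HIPAA_NOTICE_DAYS)
        if len(phi) >= HIPAA_HHS_THRESHOLD:
            items.append(AssessmentItem(
                "HIPAA", "HHS", len(phi), window_end,
                "500+ individuals: notify HHS and affected individuals within 60 days of discovery"))
        else:
            items.append(AssessmentItem(
                "HIPAA", "HHS", len(phi), window_end,
                "under 500: notify individuals within 60 days; log and report to HHS annually"))
        # Media notice is decided per state, not on the incident total.
        phi_by_state = Counter(p.state for p in phi)
        for state, n in sorted(phi_by_state.items()):
            if n > HIPAA_MEDIA_THRESHOLD:
                items.append(AssessmentItem(
                    "HIPAA", f"media:{state}", n, window_end,
                    "more than 500 residents of one state: notify prominent media outlets"))

    if inc.glba_covered:
        fin = [p for p in inc.affected if "financial" in p.data_types]
        if fin:
            items.append(AssessmentItem(
                "GLBA", "federal", len(fin), None,
                "assess under GLBA / interagency guidance (no fixed day count encoded here)"))
    return items


def sample_incident() -> Incident:
    """Constructed sample data for the example; not a real incident."""
    people = [AffectedPerson(f"ny{i}", "NY", frozenset({"PHI"})) for i in range(520)]
    people += [AffectedPerson(f"nj{i}", "NJ", frozenset({"PHI"})) for i in range(60)]
    people += [AffectedPerson(f"ct{i}", "CT", frozenset({"PII", "financial"})) for i in range(20)]
    # Illustrative organization handling both PHI and financial data.
    return Incident("INC-2014-001", date(2014, 10, 1), tuple(people),
                    hipaa_covered=True, glba_covered=True)


if __name__ == "__main__":
    for item in build_assessment_queue(sample_incident()):
        print(f"{item.regime:5} {item.scope:9} n={item.affected_count:4} "
              f"deadline={item.deadline}  {item.note}")
```

For the constructed incident (600 people across NY, NJ and CT, discovered 1 October 2014) the queue holds six items: three state assessments, one HIPAA/HHS item with the 60-day window ending 30 November 2014, a media-notice item for New York alone (520 residents), and one GLBA item for the 20 Connecticut financial records. The point the paper makes is visible in the output: one incident, six separate assessments, with the deadline attached only where the page gives a number.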

Challenge 3: Lack of Financial and Human Resources

Incident response and related activities are not high on the budget priority list. In another Ponemon report, Cyber Security Incident Response: Are we as prepared as we think?,[13] half of the IT and IT security professionals surveyed said that less than 10 percent of their security budgets go to incident response. In addition, most respondents said budgets for incident response have not increased in the past two years. And according to the Ernst & Young report,[14] only 33 percent of organizations surveyed plan to increase spending on their incident response capabilities this year, the same proportion as the previous year. This, even though the Identity Theft Resource Center notes a 25.9 percent increase in data breaches over the same period compared with the previous year.[15]

A shortage of qualified staff also hinders an organization’s ability to launch an effective response strategy. The Cyber Security Incident Response report[16] found that many members of a computer security incident response team (CSIRT) are qualified to do the job; however, less than half of respondents said that those team members participate in ongoing, specialized training. In addition, 45 percent said their CSIRT has no full-time employees. Similarly, more than half of those surveyed for the Ernst & Young report said their organizations are “challenged by a lack of skilled resources.”[17]

On a related note, the Cyber Security Incident Response report cited a lack of communication between security and senior executives as another problem: 80 percent of respondents said they don’t often discuss potential cyber-attacks with executive management, and a mere 14 percent said their executive management participates in the incident response process.[18]

So, What’s An Organization To Do?

Regulated data lives in a threat-filled world. Given the frequency of personal data incidents, the risks of an improper response and the challenges of creating and managing a proper response process, organizations need to act smart. They need to manage their response to incidents in a way that conserves scarce financial and human resources while protecting brand, customers and business, and that, of course, complies with a patchwork of breach notification regulations.

“To stay ahead of today’s advanced threats, incident response teams need tools and techniques that give them greater speed, accuracy and insight.”

– From FireEye’s “The Need for Speed: 2013 Incident Response Survey,” p. 2

Page 4

Learn more online

www.IDExpertsCorp.com
All Things HITECH
All Things Data Breach
@IDExperts

ID Experts delivers complete data breach care. The company’s solutions in data breach prevention, analysis and response are endorsed by the American Hospital Association, meet regulatory compliance and achieve the most positive outcomes for its customers. ID Experts is a leading advocate for privacy as a contributor to legislation, a corporate and active member in both the IAPP and HIMSS, a corporate member of HCCA and chairs the ANSI Identity Management Standards Panel PHI Project.

Best Privacy Technology

Effective incident response requires a collaborative approach, a breaking down of the departmental silos. “Too many organizations still fall short in mastering the foundational components of cybersecurity,” says Paul van Kessel, global risk leader at Ernst & Young. “In addition to a lack of focus at the top of the organization and a lack of well-defined procedures and practices, too many of the organizations we surveyed reveal they do not have a security operations center. This is a major cause for concern.”[19]

In addition to organizational alignment, privacy and security professionals must create consistent, scalable and repeatable processes for managing incident response. Consistency ensures that best practices, especially compliant incident assessment, are made operational rather than left to the judgment of whoever happens to handle a given incident. The process should be repeatable, yet flexible, and should scale as the nature and volume of incidents change.

Many types of software tools exist to help organizations manage their incident response process. Some are homegrown solutions of limited effectiveness; others are generic workflows offered by GRC or compliance platforms. There is also an emerging class of software that is purpose-built for managing incident response, such as ID Experts RADAR®.

When deciding on a software tool, privacy and security professionals should consider how it helps them meet the above challenges. It should improve efficiency to reduce costs and save time, while proving compliance with the latest laws and regulations. It should include comprehensive reporting and analysis capabilities to identify root causes and trends to reduce future breach risks.

Lastly, because the occasional security or privacy incident will unfortunately be an actual data breach, the incident management process must include a plan for carrying out notifications and identity protection, both to comply with legal obligations and to address the potential harms to the affected population. Just as the right software is crucial to effective management of incidents, a breach services partner such as ID Experts is equally crucial to ensure that breach response actions address the overall financial and reputational risks that accompany a public data breach.

“The findings of our research [in the Cyber Security Incident Response report] suggest that companies are not always making the right investments in incident response. As a result, they may not be as prepared as they should be to respond to security incidents. One recommendation is for organizations to elevate the importance of incident response and make it a critical component of their overall business strategy.”

– Dr. Larry Ponemon,

Chairman and Founder of the Ponemon Institute

[19] http://www.securityweek.com/cybersecurity-requires-proactive-approach-ernst-young

© Copyright 2014 ID Experts and CISO Executive Network. All Rights Reserved. 0615