This document discusses how to properly respond to data breaches. It emphasizes the importance of having a formal, written incident response plan in place due to how time-sensitive breaches are and how organizations can behave unpredictably in a crisis. The plan should include roles and processes for identification, escalation, assessment, containment, investigation, and managing liability. It also recommends retaining IT forensics and legal experts in advance. Practicing the plan through fire drills can help identify flaws and improve response skills. When notifying individuals of a breach, organizations should explain what happened, containment steps, and provide contact information for support.
3. Responding to Data Breaches
March 25, 2015
Better breach response
• The Rules of Professional Conduct
• The basis for good breach response
• Incident response planning
• Notification, harm mitigation and risk management
4. Rules of Professional Conduct
• Rule 3.2-2 – shall be honest and candid (breach reporting duty?)
• Rule 3.3-1 – shall hold in strict confidence
• Rule 3.5-2 – shall care for a client's property as a careful and prudent owner would…
5. Why have a formal, written plan?
• Breaches are best managed as crises
• This means
  • Time is of the essence
  • Organizational behaviour can be problematic
• Also
  • Formal incident response plans are required by recognized data security standards
6. The basis for good breach response
• Good records management
  • Records classified in accordance with sensitivity
  • Records with personal information tagged
• Strong logging of system activity
• Security intelligence and periodic vulnerability assessments
• Strong vendor contracts (notification, cooperation, control of breach response)
7. What's in a plan?
• Identification – what is an "incident"
• Escalation – reporting duties and accountabilities
• Role and process definition (typically featuring a multi-disciplinary "breach response team")
  • Assess – gather facts and triage
  • Contain – immediate
  • Investigate – five Ws
  • Manage – liability, public affairs
8. What's in a plan?
• Don't forget!
  • Communication norms
  • Recordkeeping
  • Confidentiality
9. Identification and escalation
• Internal reporting supports identification
• Make clear that individuals are not to self-assess
10. Identification and escalation
• Other means of identification
  • Internal security analysis (network and system analysis is becoming the norm)
  • External reports (police, customers, credit card companies and others)
11. The incident response team
• Privacy office
• Information security / corporate security
• Legal
• Risk management
• Communications
• Management from affected business (or human resources if employees are affected)
12. Experts to retain in advance
• Why?
  • Objectivity can wither in a crisis
  • Bench strength may be required
• Who?
  • IT forensics
  • Crisis communications
  • Legal counsel
13. Role of legal counsel
• Control strategic direction
• Identify legal risks and potential liabilities
• Input into advocacy
  • Affected persons
  • The media and public
  • Regulators
• Litigation management
14. Practice, test, update
• Annual update
  • Plans should, in general, be scenario-neutral
  • Update based on external and internal analysis
  • From new contact information to new procedure
• Tests / fire drills
  • Identify flaws in detection capability
  • Develop tactical IT skills required for correction
  • Discover data gaps and other problems
  • Garner decision-making confidence
  • Can be an intervention that supports change
15. Notification and remediation
• Outside the health sector, only under Alberta legislation currently (S-4 will amend PIPEDA)
• But foreign laws will often apply (and notifying half of an affected population does not work)
• Notification may be required by a common law duty if harm is reasonably foreseeable
• Notification may be desirable because people will find out and you can't tolerate the justification process
16. Notification and remediation
• What happened (with identification of personal information elements)
• What you've done to contain it
• Contact information
• Consider
  • An apology
  • Telling people where to get help
  • Making a protective offer
Ian Dick is my partner and my source of guidance on complex litigation. I'll let you read his bio, but what you won't see on there is experience in the mop-up after major crises, including Walkerton and the tainted blood scandal.
With no slight to Ian, I'll say that I know the reason you're all here is to see Karen Gordon of Squeaky Wheel Communications. Karen and I cut our teeth together on a 65,000-person data breach in 2006. It's very important when you're in a crisis to have legal and communications work in tandem. We had that, and I can say very confidently from that file and subsequent files that Karen is an amazing crisis communicator.
Not making a general pitch on taking care of data security….
Our pitch is more specific
It's about the need to plan ahead for the inevitable
To create a written, reasonably robust incident response policy
Who's got one?
Spend 30 minutes – making the pitch and explaining how
-one of three components here but is the key message
Ian
(Explain and frame presentation as supportive of Rule compliance.)
You need a breach response plan because you will be in crisis
-Important decisions…
-…about significant harms…
-…under great time pressure (as soon as reasonably possible, 30 from discovery under Obama legislation)
If you do not plan in advance you will be slow
-poor identification and escalation
-responsibility and authority won't be clear or will be dispersed
-resources won't be clear
Protect against bad behavior
-groupthink - one person accountable will promote best decision-making
-self protection - theme/messages
"when they come asking, you will answer"
"we will not tolerate self-protecting behavior"
-PCI-DSS --- 12.10
-ISO 27002 – requirement 16
Ian
-Not starting from scratch!
-Look at ISO – 27002:2013 requirement 16
-Look at PCI-DSS – 12.10
-Calibrate to your culture. Tolerance. Err towards bureaucratic for this type of policy.
…
-core elements on this slide
-policy to facilitate identification and escalation
-role and process definition
-who is responsible for what
-at each stage of the process
-what resources are available and can be drawn upon
Also address critical communication and recordkeeping issues
Questions to answer via policy
-How will people be contacted on a 24/7 basis?
-What's the backup plan? (Anticipate network failure)
-What will and will not be communicated over e-mail?
-What will and will not be said to others over e-mail?
-Who keeps a record of decisions and their rationale? In what form?
These things also go in policy
-Commitment to training and communication
-Commitment to periodic review and updating
Ian
-note that this one is narrow
-excludes "significant threats" and "near misses"
Ian
-Recognition that these are complex problems that require (for due diligence) expert input
-This is a typical team
-Do you have a significantly different composition at your organization?
-Appropriate for team or individual on team to have broad decision making authority, at least to make the type of decisions that can be readily anticipated
-shut down an affected service
-retain outside assistance
-authorize communications to public
-authorize communication to authorities
-make remedial offers
Consensus? One person assigned?
Ian
Two kinds of legal advisors
Strategic advisor – explained on this slide
Expert advisor – sounding board, notification opinions
Note that your incident response policy may affect whether you can claim privilege over communications
If the breach response process is framed as a process of getting information to counsel so counsel can advise, then communications in support of that process are likely to be privileged
May be more difficult when the lawyer is merely part of the team, but if you establish by policy that the lawyer's only role is to provide legal advice you should be okay
-annual update is the best practice
-if you drill into specific risks, update the risks based on an annual risk assessment
…
-fire drills may be appropriate