Data security is like chess. A million strategies exist, and the best players are those that practice, plan, and react calmly. When you play chess against a strong opponent, you can expect that at least once your king is going to be placed in check. This does not mean you have lost the game, but it does mean that unless you act quickly, your king will be captured. Good chess players plan for WHEN the king is in check, and not IF the king is checked. Likewise, FIC has preached for years that companies should plan for WHEN a breach happens, not IF a breach happens. Last month, the United States Department of Justice echoed the chorus.
On April 29, 2015, the U.S. Department of Justice (“DOJ”) released fifteen pages of guidelines (“the Guidelines”) outlining best practices for victims, and potential victims, of data breaches. The document, entitled “Best Practices for Victim Response and Reporting of Cyber Incidents,” serves as a good start for any organization looking to prepare for, and prevent, a cyber incident. But a good chess player knows that some strategies are richer than others, and likewise companies should go beyond the DOJ’s basic recommendation of planning and reacting. Instead, companies should strive to instill a culture of privacy protection that begins inside the boardroom and incorporates planning, advice of legal counsel, and constant diligence in testing and improving all preventative and responsive measures. Companies should view the Guidelines as the basis for their data security measures. The Guidelines will get you started on the right path: Plan Thoroughly, and Respond Swiftly.
1. PLAN THOROUGHLY
Prior preparation prevents poor performance. This is true both in business and data security. Poor planning can be disastrous in the context of a cyber incident. A cyber incident is not the time to be formulating emergency procedures; instead this is the time to act upon a carefully devised plan that is focused on containing the intrusion, mitigating the harm, and preserving vital information that will help assess the nature and scope of the damage and the potential source of the threat. The DOJ not only recommends that companies formulate a response plan, but it also recommends that organizations identify their “crown jewels” – the data, assets, and services that require the most protection – and make those jewels the center of the plan. Like any good chess player, you want to keep your eyes on the whole board, but at the very least, the DOJ advises that you identify your king and make sure he is fully protected.
The DOJ also advises companies to acquire the technology, counsel, and policies needed to prevent and detect cyber incidents. For example, the DOJ recommends that companies acquire intrusion detection capabilities, data loss prevention technologies, devices for traffic filtering or scrubbing, and computer servers configured to conduct the logging necessary to identify a network security incident and to perform routine back-ups of important information. Also, the DOJ advises that although technology can prevent some incidents, proper training and organizational policies can prevent others. Companies should adopt policies and protocols within personnel and human resources policies, such as employee training and cyber security education. These measures can help employees minimize the risk of cyber incidents. Like chess, this advice is about looking at the entire board and realizing that each piece can help protect your king. Also, because cyber incidents often raise unique legal questions, companies should hire experienced attorneys who can ensure that an organization will receive accurate advice from counsel that is comfortable addressing the multi-layered issues stemming from a data breach. You cannot have a Chess Grandmaster on call during a tournament, but you can always have your attorney at the top of your speed-dial.
Finally, the DOJ recommends that companies build relationships to share information and build support in the event of a cyber incident. First, organizations should establish a point of contact with law enforcement prior to an incident as a means to facilitate the use of law enforcement when a data security incident occurs. Establishing a point of contact can expedite the response to a cyber incident and help establish a trusted relationship that “cultivates bi-directional information sharing that is beneficial to both potential victim organizations and to law enforcement.” Second, organizations can benefit from building relationships with information sharing organizations. The Guidelines note that Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) exist to analyze cyber threat information shared between and among businesses and government – providing access to information about new or commonly exploited vulnerabilities. Building and maintaining these relationships can help an organization prioritize its security measures.
2. RESPOND SWIFTLY
When your king is in check, you cannot hesitate. You have one move to save your king or the match is over. Likewise, responding to a cyber incident is incredibly time-sensitive. This is where planning, training, and preparation come into play. The DOJ recommends a four-step process for responding to a breach. First, organizations should make an initial assessment of the nature and scope of the incident, which includes the origin of the intrusion, presence of any malware, and the identity of other victim organizations. Second, the DOJ recommends that an organization employ measures to minimize continuing damage. This can include rerouting network traffic, blocking a denial of service attack, or isolating all or part of a compromised network.
After making an initial assessment and minimizing harm, step three requires companies to document and record everything they know about the incident. The DOJ advises that organizations record and collect all evidence and information related to the unauthorized access, which may involve imaging the affected computer and retaining all logs and records of the data underlying the incident. Finally, step four advises companies to notify their employees, management, law enforcement (including the Department of Homeland Security), and any potential victims during the immediate aftermath of an incident.
What should companies NOT do? The Guidelines cover that also. In particular, the Guidelines discourage companies from “hacking back” (attempting to penetrate or damage an attacker’s systems). This advice is particularly useful because penetrating another system, even one believed to be involved in maliciously attacking a network, could expose individuals or businesses to criminal and civil liabilities. The Guidelines also discourage companies from using a compromised system to communicate about an incident or to discuss its response to the incident as this could further compromise the response plan.
So what’s missing? How can you become a cyber security Kasparov? The key is three habits that all the greats adopt: immerse yourself in the culture, practice, and play with the best.
First, the Department of Justice frames its guidelines to focus primarily on just preventing a cyber incident. Instead, the focus should be on establishing a culture of privacy protection. Because hackers and security threats have grown more sophisticated with each passing year, companies should look to data security as an essential component of the business. This means that data security should start in the boardroom and spread to every sector and employee. Board members should not merely delegate the task of creating a privacy protection plan to others and then never hear of it again. Instead, board members should be in the room and engage in the discussion. As the DOJ suggests, this culture of privacy protection should be ingrained in employee training and education. Numerous data incidents can be prevented simply by educating employees from the top down on the do’s and don’ts of handling data.
Second, the DOJ emphasizes planning and preparation, but is silent on testing. Planning for a cyber incident is just half of the battle. The second half should be focused on testing, critiquing, and perfecting that plan. You can know all the rules and moves in chess, but you will be outmatched by your opponent if you have not practiced. Companies developing incident response plans should test those plans in simulations and exercises to determine whether employees are ready for WHEN an incident occurs.
Finally, the DOJ’s recommendation that companies should contact law enforcement immediately following a cyber incident should be followed in conjunction with the advice of experienced counsel. Attorneys are the chess-masters in this game, and offer invaluable expertise in handling a cyber incident. Forty-seven states have enacted data breach notification laws, and the duties following any given breach vary. Any decision to provide notice should only be taken after a company has consulted counsel and carefully assessed its notification requirements under existing state data breach notification laws. Cooperation with law enforcement during and after a breach is essential. But companies should engage with experienced counsel to determine what duties exist, and how the company can comply completely with the appropriate laws.
Although not perfect, the DOJ’s Guidelines are an encouraging start. They emphasize preparation and a swift response. But companies should go the extra mile: make privacy protection a core tenet of the business, practice your plans while striving for improvement, and always seek the advice of counsel. These three steps on top of the DOJ's Guidelines will help you avoid checkmate.