Ron Raether, Jeff Knight and I attended the American Conference International's 8th Annual Cyber and Data Risk Insurance conference in Chicago (Ron spoke). A topic of constant banter and reference was the 2013 Target data breach, which resulted in the disclosure of credit card information from over 1,700 of its stores. The conference was attended by professionals from the insurance industry, data industry, legal field and technology sectors. As our law firm counsels clients on various aspects of data breaches, one of the benefits of our counsel is serving as a breach coach, often in partnership with insurance providers. Indeed, many cyber policies cover such coaching as part of their policies. Breach coaching can be extremely valuable, especially to a company with no experience in data breaches. You only get one chance to avoid many of the pitfalls in the chaos that follows a data breach. Here are some thoughts that come to mind in view of the recent breach.
1. Heed the warning!: Monitoring as part of a broad security-in-depth program. It wasn't as if Target had not prepared. One of the most interesting aspects of the breach and response was the news that Target had actually done due diligence well in advance of the attack. One such commitment to improve security was the implementation of a $1.6 million warning system, called FireEye. Additionally, the company had a team in India monitoring the FireEye system around the clock. Indeed, when the hackers were working to find a way to extract the data from the Target system, the monitoring team saw the hackers and reported them to Target headquarters. But then Target did nothing. Had the company's security team responded when it was supposed to, the theft of 40M credit card numbers and 70M addresses and phone numbers could have been prevented.
Paying attention to the warning signs through an active monitoring program can go a long way, not only toward staving off a breach, but also toward responding to one. First, when you have some information on current threats, you have a head start on the possible solution, be it a patch, a protective posture to minimize further damage, or bringing in help with the expertise to neutralize the threat. Furthermore, having an active monitoring program as part of a broader policy approach gives you a better story to defend in court or with regulators. Lastly, monitoring is part of any good security-in-depth solution. In other words, implementing monitoring on top of solid perimeter defenses, role-based access controls, segmentation, antivirus and antimalware applications, and third-party controls can go a long way toward protecting against an attack and also mitigating any resulting harms.
2. Messaging, messaging, messaging, Part 1: What's the story? Following the breach, the following statement was issued by Target:
"Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
One of the most important things post-breach messaging does, in addition to informing people of important facts, is conveying a tone to those who have had their information breached. It also conveys the same tone to potential litigants and regulators as they consider action against your company. Without rendering an opinion on the above quote, I would say it offers food for thought on how important messaging truly is.
3. Messaging, messaging, messaging, Part 2: A data breach does not necessarily mean a compliance failure. Building on the quote above, Target's president and CEO stated before Congress, "Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve…including the revamping of our information security structure…"
I think this is an interesting yet conflicting statement. There is an important principle to be learned here, which, in my opinion, the president was trying to establish. First, you can be certified to a standard and still have a breach. This is very true. Compliance standards, such as the PCI Data Security Standard (DSS) and others, are mere objectives to be achieved based on best practices and are far from guarantees against a breach. However, secondly, and most interesting, the manner in which the message is delivered suggests the company believes the standard is not valuable because it still had a breach. As noted above, it appears that had Target followed some of the standards that were certainly in place to achieve PCI certification, the breach may very well not have happened. Indeed, if Target headquarters had responded to the warnings from the India monitoring center, the safeguards would have worked.
This was indeed a company's failure to comply with its own policies. However, we should not be conditioned to think that every breach is the result of such a failure. The bad guys are getting craftier and craftier, with more powerful equipment to reach further and further. Diligence is critical. But some attacks, like "zero day" attacks, come with no warning and no safeguards developed in advance to beat them. Thus, the breach may still happen, but a good compliance program may isolate the breach and thwart or limit the harm intended. Such an outcome may indeed be the best possible outcome.
4. Messaging, messaging, messaging, Part 3: Timely. Accurately. With credibility. Another best practice is to communicate quickly, but accurately. If you do not have all the information, tell people that. And implement changes only when you know all the facts have been gathered and the changes will fill an identified gap. In other words, don't change things, or say you are going to change things, merely because a demand is being made. If you have to change the story later, your credibility is weakened. There is an immediate rush, often following news of a breach, "to get something out there." This can be one of the worst things to do. There is a reason many states have time limits within which to provide a response. Such time gives a company the ability to withstand the initial surge, properly assess the problem, develop a solution, implement the solution and communicate. And this is to say nothing of those situations in which you have a law enforcement hold in place as authorities work with you to possibly identify and protect against a larger threat, including pursuing the bad guys.
5. Messaging, messaging, messaging, Part 4: "Regulators!" (Mount Up). Lastly, and possibly most importantly, you need to communicate with the applicable regulators when you have enough information and the situation warrants. A noticeable event is one in which, based on the facts and the relevant jurisdictions, your company has to provide written notice to consumers, the media, and even law enforcement and government agencies. If your company does indeed have a noticeable event, the time to advise regulators is not when you are advising everyone else. Rather, planning backward from your notice deadline, build in time to speak with regulators in advance. Doing so can improve your communications process, as many regulators may help with the messaging. Furthermore, regulators don't like (we hear) to hear about breaches from consumers first. It catches them flat-footed and causes them embarrassment and their own fire drill. Lastly, it is always better to have a united front when communicating with the media and consumers. This may not always be possible, and you may not stave off a harsh regulatory action, but you give yourself the best possible opportunity for a manageable outcome.