If a data breach can happen to Home Depot and Target, it can happen to us,” says Lee Bailey, Director of IT Security and Operations for ABC Fine Wine & Spirits, a mid-sized business in Florida with 140 locations and around 1,000 employees.
Four years ago, ABC’s CEO Charles Bailes III took the initiative to champion a more robust data security program at the company, starting with prevention efforts such as beefing up IT security, working on a data breach response plan and acquiring cyber insurance. To drive buy-in from the rest of the business, the CEO personally attended all six of the first major meetings to set up the incident response plan and teams.
“We’re focused on service excellence, and part of that is having a plan in place to mitigate damage to ourselves and our guests” in the event of a cyberattack or data breach, says Bailey.
A team of IT security and legal counsel helped to form the response plan moving forward, working with consultants at CyberScout (previously named IDT911) to craft robust, effective data breach prevention and response plans.
The response plans were developed to be more of a three-team sport. There is the executive team that was at the forefront of the effort, making sure that there was the right buy-in and resources available, says Bailey. Then, ABC developed a first-response team that looked at potential breaches and evaluated their efficacy and impact. If it were verified as a real breach, the incident response team would be deployed to triage. The incident response team would involve not only the IT team, but people responsible for public relations, legal and operations to ensure that everyone is on the same page about how to respond.
The first task was to evaluate where sensitive data is, how much there is, and who has access, and what resources and plans were currently in place to respond to a breach. After examining ABC’s pre-breach posture and determining what technology to put in place to protect data, the enterprise looked to develop a crisis management standard for during a breach, as well as a system for post-breach response, including reporting, guest management and documentation.
One vital element of having a breach-ready enterprise was getting all contracts and services decided, negotiated and in place prior to needing them, says Herb Whitehouse, In-House Legal Counsel and Director of Legal Services for ABC Fine Wine & Spirits.
“We don’t want to spend time negotiating contracts for resources during a breach,” says Whitehouse. A few experts are on-call, such as an attorney specializing in data breaches (and whose fees would be covered by a cyber insurance policy), a forensics firm and an external communications specialist who could help address the media and customers following an incident. If a call center is needed for post-breach customer service, ABC Fine Wine & Spirits already has a written agreement in place with CyberScout, so guests will be well taken care of throughout the process.
Whitehouse is also looking into adding another CyberScout service, which would provide data breach aid and customer service for ABC employees, so if an employee’s credit card is compromised elsewhere, they can rely on the employee benefit to provide information, assistance, peace of mind and education about good cyber hygiene, which could bring benefits in employee productivity and cybersecurity back to ABC.
Cyber insurance was also on the list of key contracts, and getting a policy actually helped direct ABC to other trusted experts and vendors in the cybersecurity arena, as many insurers have lists of preferred vendors.
“Organizations have been, maybe, over-relying on cyber insurance, and not everyone knows what’s in their cyber insurance policy,” says Eric Hodge, Director of Consulting at CyberScout. “It’s a little sad when you get to that point of someone calling about a breach, and they don’t know if the incident response component is covered or just the cost of notification or maybe some of the business or customer losses that they may see as a result… It’s important to remember that good practices go along with having that insurance. It’s almost like how you have to drive your car safely in addition to having auto insurance. The auto insurance isn’t going to keep you from getting in a wreck, and you don’t want to be in a wreck no matter if you’re insured or not. It’s your responsibility to be proactive here, in taking the measures and putting the right measures, technology and educational components into place so you can avoid falling back on those insurance policies.”
“A lesson learned here was: Just start,” says Bailey. “If you start, it will take you down a path.”
He adds that “Security is a nebulous term, and at the beginning of the process, you should pick a standard (such as the NIST Cyber Security Framework, or a more sector-specific guideline) that makes the most sense and measure your program and efforts against it.”
In addition, companies should ensure that policies and procedures are improved every year, Bailey says, and they should perform tabletop exercises and drills to gain insight into their crisis response. ABC is working to educate team members through phishing tests and compliance training, and Bailey and Whitehouse are always on the lookout, with help from their partners, for ways to make their tools and procedures better.
Where to Start on Your Data Breach Response Plan
There are two starting points on this journey: starting with something already in place, and starting with nothing, says Eric Hodge, Director of Consulting for CyberScout.
For both, however, he recommends beginning with walk-throughs and tabletop scenarios relevant to that industry and geography, with multiple stakeholders at the table. For example, in California, what if an earthquake disrupts your network access? Or in the healthcare industry, what if a breach is discovered in your patient data? Companies with a plan already in place may still have difficulty addressing these scenarios, depending on the level of training stakeholders have received and the depth of planning.
“What jumps out at me is the lack of treating this as a team-oriented emergency or process,” says Hodge. “Oftentimes, (enterprises) will put in a technical solution – they’ll patch a server or make a change to a firewall – and then consider it finished. They won’t involve the other components of the organization that have a hand in this as well, either from a process and policy perspective, from tone at the top perspective or even a strategic perspective. One of the biggest problems we find is the mindset that ‘Oh, that’s an IT issue; IT solved it; Problem over. No need for us to worry about it up here in legal or in leadership.’”
After evaluating the shortcomings, gaps and strengths of a company’s response, sit down with the most relevant stakeholder – whether that’s IT, security, the CFO, COO or even CEO – to discuss the results and come up with a plan to fix any issues.
According to Lisa Berry Tayman, Sr. Privacy and Information Governance Advisor for CyberScout, one essential stakeholder is the legal department. “There are a lot of legal questions that are going come up from the very get-go on a data breach situation,” she says. “(Enterprises) are going to need to make decisions about whether a legal hold needs to be instituted, whether they believe that litigation is reasonably anticipated; they need to think about attorney-client privilege with what they’re doing and what they’re talking about. Then there’s lots of laws that are now in place, and they may need legal help in deciding how they’re going to comply with those laws and regulations when it comes to breach notification.”
This can include discussing contractual obligations regarding breach response, such as building a forward-facing policy for employees and vendors to report data risks and breaches, so all parties know who to notify in the event of a breach.
Three major factors can drive continuous change to an enterprise’s data breach response planning and responsibilities, says Hodge:
Technical – attack types and tactics change constantly
Regulatory – compliance requirements at the state and national levels
Best Practices – new frameworks, recommendations, models and processes
“There are changes to state data breach notification rules every year,” says Tayman. “Response plans are no longer a nicety; they’re a necessity for all businesses.”