Incident Response, Government Regulations, Breach

Three ways to simplify the data breach notification process

DHS moved to formally launch a Cyber Safety Review Board that would investigate the cause of major hacks against civilian federal agencies and offer recommendations to the Department of Homeland Security and White House. “SolarWinds letters” by sfoskett is licensed under CC BY-NC-SA 2.0

Data breaches are not going anywhere. Proactive strategies are absolutely necessary, yet are a hefty investment in time and money. Thankfully, there are three easy steps security teams can take to prepare for the inevitable and stay accountable to the organization’s top stakeholders.

The SolarWinds and Microsoft Exchange server breaches were big news in the spring of last year, but were quickly forgotten as additional major breaches hit the news. The Identity Theft Resource Center reported that there had been more data breaches by the third quarter of 2021 than in all of 2020. Despite the persistence of breaches, little has changed on the proactive front, and reactive responses remain scattered.

There’s a reason that responses to data breaches are historically dismal. Too often organizations focus on identifying where the breach started, but by the time they discover the issue, it’s old. According to IBM Security’s Cost of a Data Breach Report, breaches are generally discovered up to 329 days after they happened.

Organizations also find it challenging to comply with the many state and local regulatory requirements following a data breach. We are now seeing a well-intentioned shift towards protecting citizens and keeping open lines of communication. However, security teams also face confusing and contradictory regulations about which entity an organization should notify and how quickly they must do so.

For example, companies have a 45-day deadline in Arkansas, but only three days in Delaware or Indiana. So if a company operates across many states or globally, they’re looking at deploying a number of notification messages across a vast timeline – as few as 72 hours to as many as 45 days – about an event that happened nearly a year earlier. In some cases, companies must notify a combination of media, employees, partners, clients, and even the attorney general. Often, there are additional terms and conditions. And if a company fails on any of these confusing fronts, they get fined.

So even with the best intentions, it’s clear that companies find the patchwork of regulations difficult to negotiate. To avoid penalties, most companies notify everyone, everywhere all at once as soon as they learn about the breach. Unfortunately, that’s when they have the least amount of information. This impulsive reaction makes the general public feel more impacted by the breach than they actually are. Here are three steps companies can take to better manage a breach:

  • Get the facts.

Every company should understand its mandate towards cyber accountability, which the industry defines as the ability of an organization to track every system and every data flow in and out of its systems as it pertains to personal information. Thus, the company should identify the data’s origin and destination, its assigned manager and custodian, and any third parties involved. Only by knowing its data ecosystem in this comprehensive manner can a company protect it appropriately, according to state, federal, and international regulations.

  • Change the way the security team talks to stakeholders.

Security teams are responsible for educating the key decision makers, including the C-suite and board. Talk to them in practical business terms and avoid the jargon that we tend to love in cybersecurity. For example, instead of talking about data breach notification under the Health Insurance Portability and Accountability Act (HIPAA) or under state regulations in operating regions, just say, “This is the type of data we are collecting to conduct our business. This is how we protect it. And these are the implications if we don't protect it the right way.” It’s that simple.

I’ve created a model called the 5 Pillars of Security framework that’s based on five common denominators: people security, physical security, data security, infrastructure security (networks, cloud, applications, third parties, fourth parties, business associates), and crisis management. Companies can easily apply this framework to demystify the complex landscape that enterprises must understand. Outline it in plain English and business terms that CEOs and board members can follow.

  • Build relationships with law enforcement before breaches happen.

Most organizations resist talking to law enforcement before there’s a problem, but in my experience, it's much better to build the relationship beforehand so that law enforcement can actually help when a breach happens, as opposed to trying to create a relationship in crisis mode. Once a company defaults into repair mode, there’s usually little or no bandwidth for tracking down and engaging the appropriate law enforcement division and staff members. It’s best to prepare.

Every time a large organization experiences a major breach, there’s pressure on the government to produce a federal framework that would make compliance easier to manage. For now, it remains difficult. However, the tips outlined here are a good start. Remember: CEOs deal with risk every day. Cyber has become just another risk that must get translated into a business language they can understand and act on.

Mathieu Gorge, founder and CEO, VigiTrust