Breach Coach® 101

A Q&A with Chris DiIenno, Esq. of Lewis Brisbois

Breach Coaches® are first responders on the scene of a data loss event, and companies are increasingly hiring these specialist attorneys to help manage their incident response. We asked Chris DiIenno about his work in this area and his advice to companies facing a data breach.

Don’t Ring the (False) Alarm: When a Data Loss Event Isn’t a Breach

A Q&A with Darin Bielby and Jeremy Batterman of Navigant Consulting’s Information Security & Investigations Practice
During a recent Risk and Insurance Management Society (RIMS) panel discussion, Navigant Managing Director Darin Bielby asserted that roughly 50 percent of Navigant’s information security forensic investigations produce evidence that allows legal counsel to advise the client that a data breach did not occur. Those findings typically require no further action or notification, though some organizations proceed with additional precautionary measures anyway. I talked with Bielby and his colleague Jeremy Batterman about the reality of data privacy events and what forensic investigators are seeing.

Data Breach Public Relations: Getting Ahead of the Message

A Q&A with Melanie Thomas of INFORM
It’s just one of many pressing concerns during a cyber security event, but public relations and crisis communications are absolutely essential for sustaining customer loyalty and brand reputation long after the headlines fade. I spoke with Melanie Thomas of INFORM about how these services work and what companies can do right now to prepare for an emergency situation.

The Weakest Link: Black Swan Attacks

A Q&A with Joseph Loomis of CyberSponse
An ongoing challenge for any organization trying to enforce cyber security is the constant stream of new exploits, many of which succeed because the target is unaware of the particular vulnerability being used. In the face of the recent, seemingly “black swan” attack on JP Morgan, I asked Joseph Loomis, founder and CEO of CyberSponse, about security blind spots and their consequences.

Breach Forensics: Preparing for an Investigation

A Q&A with Steve Visser, Managing Director at Navigant Consulting
Many types of data security incidents can require a forensic investigation to uncover the depth of the breach and how it occurred, and this process is more efficient when an organization has anticipated what’s involved. I talked to Steve Visser—national leader of Navigant Consulting’s information security incident investigation and response practice—about what risk managers can do to prepare for a successful forensic investigation.

What proactive steps can a risk manager and IT personnel take to make a future forensics investigation go more smoothly and effectively?
There are four things I recommend:

  • Prepare a data map for the company. This is a high-level summary or list of all the data systems that exist within the organization and includes platforms, data format, system architecture, where data is stored (whether it’s insourced or outsourced), and a list of the relevant subject matter experts so you know who to go to when an incident occurs. We recommend clients look at this map on a quarterly basis and revise it accordingly.
  • Assess log retention and accessibility. These are records of access or data traffic for an organization or specific system. There are many different types of logs, and an investigator will need specific ones in the case of a security incident. Your organization is encouraged to be aware of what logs exist, where they are, how long they are retained for, and how to go about extracting them as evidence for an investigation.
  • Determine in advance any outside service providers or partners needed. These might include legal, forensics and notification services. Review contracts and negotiate terms in advance if possible, so that when an incident happens, you don’t lose time processing or vetting an agreement. In an ideal world we’d be contacted immediately so we can hit the ground running and give the organization a better chance of meeting any regulatory or legal deadlines imposed, such as notification. We welcome the chance to speak with organizations in advance to let them get to know us before an incident occurs, and we have a contract we can send for review before our services are needed.
  • Engage in response planning. Become familiar with the types of security incidents occurring these days and determine what you need to do internally as well as with service providers to effectively respond to such incidents. Many incidents fall into the categories of lost or stolen device; malware; or insider theft. There should be a plan for each of these key categories.

What are the typical steps involved in a data breach forensic investigation?
For all investigations, there’s information gathering and collection, forensic analysis and then data analysis in some situations to determine the impacted individuals and how to proceed with reporting and notification. Depending on the category of incident the specific steps will change to a certain degree.

In the case of malware, it’s a matter of finding the malware involved, often through a complex artifact analysis of the computer where it’s hiding. We’d then research the malware and determine its potential capabilities, and reverse-engineer and deposit it in a secure, self-contained “malware environment” so we can watch what it does next. Often, we also analyze logs to see if there are any indications of data exfiltration and, if needed, perform data mining to figure out what PHI or PII might have been involved.

With lost and stolen devices, which could be anything from a laptop to a phone to a backup drive, we first need to know if that device has been recovered. That’s the minority of cases, but if it was recovered, there is a need to determine if the device was accessed or utilized during the unaccounted-for time period. To accomplish that, we perform a data egress analysis on the device to evaluate whether anything was accessed or potentially removed. If it’s not recovered, then steps need to be taken to determine what data was on the device, often through evaluation of a backup or proxy. Then we proceed to data mining and analysis to find out what PHI or PII is involved.

When it comes to employees engaging in unauthorized activity, we can determine who has access to what information and analyze logs to see which records were accessed by specific employees and perform a rules-based analysis to evaluate whether each access instance was appropriate. We might also conduct a peer group comparative analysis among employees with similar responsibilities to find out if access patterns are consistent. Less commonly, there are cases when we get the list of individuals whose data was compromised first and we use that to trace back to the employees who viewed and/or extracted the information through log data analysis.

There’s no one-size-fits-all approach but in all cases the work has to be done as quickly as possible.
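The record-access review Mr. Visser describes for insider cases (a rules-based check of each access, a peer-group comparison among employees with similar duties, and, less commonly, tracing a list of compromised individuals back to the employees who viewed them) as an added example, not Navigant’s code or method: a Python script run over a constructed access log. It assumes a hypothetical rule that an access is appropriate only when the employee’s unit is the one treating that record’s patient, a made-up peer ratio threshold, and invented employee, unit and record names.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (assumed, not from any real system).
# Which unit each employee works in, and which unit treats each record's patient.
EMPLOYEE_UNIT = {"ann": "cardiology", "ben": "cardiology",
                 "cat": "cardiology", "dan": "oncology"}
RECORD_UNIT = {"R100": "cardiology", "R101": "cardiology", "R102": "cardiology",
               "R103": "cardiology", "R104": "cardiology", "R105": "cardiology",
               "R200": "oncology", "R201": "oncology", "R202": "oncology"}

# Constructed access log: (timestamp, employee, record_id).
ACCESS_LOG = [
    ("2014-03-03T08:01", "ann", "R100"), ("2014-03-03T08:05", "ann", "R101"),
    ("2014-03-03T08:09", "ann", "R102"),
    ("2014-03-03T08:12", "ben", "R100"), ("2014-03-03T08:20", "ben", "R103"),
    ("2014-03-03T09:00", "dan", "R200"), ("2014-03-03T09:10", "dan", "R201"),
    # "cat" pulls every cardiology record plus three oncology ones late at night.
    ("2014-03-03T21:02", "cat", "R100"), ("2014-03-03T21:03", "cat", "R101"),
    ("2014-03-03T21:04", "cat", "R102"), ("2014-03-03T21:05", "cat", "R103"),
    ("2014-03-03T21:06", "cat", "R104"), ("2014-03-03T21:07", "cat", "R105"),
    ("2014-03-03T21:08", "cat", "R200"), ("2014-03-03T21:09", "cat", "R201"),
    ("2014-03-03T21:10", "cat", "R202"),
]


def rules_violations(log, employee_unit, record_unit):
    """Rules-based check: an access is appropriate only when the employee's unit
    treats the patient (hypothetical rule). Returns the inappropriate accesses."""
    return [(ts, emp, rec) for ts, emp, rec in log
            if employee_unit[emp] != record_unit[rec]]


def peer_outliers(log, employee_unit, ratio=2.0):
    """Peer-group comparison: flag an employee whose distinct-record count is at
    least `ratio` times the median of peers in the same unit (threshold assumed).
    Employees with fewer than two peers are skipped; there is no baseline."""
    distinct = defaultdict(set)
    for _, emp, rec in log:
        distinct[emp].add(rec)
    by_unit = defaultdict(list)
    for emp, unit in employee_unit.items():
        by_unit[unit].append(emp)
    flagged = []
    for members in by_unit.values():
        for emp in members:
            peers = [len(distinct[p]) for p in members if p != emp]
            if len(peers) < 2:
                continue
            base = median(peers)
            mine = len(distinct[emp])
            if base > 0 and mine / base >= ratio:
                flagged.append((emp, mine, base))
    return flagged


def who_accessed(log, compromised):
    """Trace-back: given the records known to be compromised, return every
    employee who viewed at least one of them."""
    return sorted({emp for _, emp, rec in log if rec in compromised})


if __name__ == "__main__":
    for ts, emp, rec in rules_violations(ACCESS_LOG, EMPLOYEE_UNIT, RECORD_UNIT):
        print(f"rule violation: {emp} opened {rec} at {ts}")
    for emp, mine, base in peer_outliers(ACCESS_LOG, EMPLOYEE_UNIT):
        print(f"peer outlier: {emp} touched {mine} records vs peer median {base}")
    print("viewed compromised records:", who_accessed(ACCESS_LOG, {"R200", "R202"}))
```

The two checks are deliberately independent: the rule catches accesses that should never have happened regardless of volume, while the peer comparison catches an employee whose pattern is legitimate record by record but abnormal in aggregate. In practice the rule lookups would come from the scheduling or assignment system named in the data map, which is why that map matters before an incident.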

Once a breach has occurred, how might a client or their Breach Coach engage your firm? What obstacles most often impact the outcome of an investigation?
Navigant is on what’s called a panel with most cyber risk insurers so if an organization has cyber risk insurance, one of the first things they should do is notify the insurer and they will be connected with Navigant. We also know most of the data breach coach attorneys that handle incidents in the US, so they might also retain us on behalf of their client.

One of the biggest obstacles to an investigation is waiting too long to bring in appropriate service providers. The second obstacle would be not providing access to the right information, either by not connecting us with the right people internally or not having the right retention protocols to ensure sufficient data for the forensic analyses. It’s definitely an advantage to retain counsel first, granting your organization attorney-client privilege, and then have the counsel retain us. An attorney will be able to help determine whether it’s necessary to report the incident as a breach—in some situations we have been able to perform a forensic analysis and conclude low probability of risk of harm. We come to this from a technical perspective where the attorneys come from a regulatory and legal perspective, and together we can help determine the implications of an incident.

Mr. Visser’s contact information is as follows:

Steve Visser
Managing Director | Disputes & Investigations
Navigant Consulting, Inc.
1331 17th St. Suite 808
Denver, CO 80202
Office: (303) 383-7305 | Mobile: (303) 888-5822

In summary…
Mr. Visser did a nice job of outlining some of the key issues pertaining to a data breach incident that may also involve cyber liability insurance coverage. Network security event logs are especially critical to any claims investigation so the insurer can understand “who, what, when, where and how” for proper claims adjustment. For example, the insurance carrier might want to confirm that the breach event occurred and/or was discovered during the insurance policy term. It can get complicated if the insured business has not retained this evidence. Or, maybe the forensic investigator discovers that a third-party vendor caused the loss. In that event, the insurer has a possible subrogation target to recoup their payout (see Junto on Cyber Liability and Subrogation with Kenneth Levin, Esq., partner at Nelson, Levine, de Luca & Hamilton, LLC).

Using Data Security Policy Templates to Maximum Effect

A Q&A with Ronald Raether of Faruki Ireland and Cox P.L.L.
Having written privacy and security policies and procedures in place is critical for organizations in an era when data breaches are an inevitable reality, which is why data security-focused law firm Faruki Ireland & Cox has created policy templates for clients. These templates are now available in the eRisk Hub® and I spoke to attorney Ronald Raether about how they should be used.

Why is there a need for these templates?
For almost 10 years I have assisted clients in responding to data breaches. A significant part of that response is dealing with regulators investigating any such breach, and almost every regulator I encounter begins our discussion with questions about what policies and procedures my client had in place prior to the breach. These templates come from years of such experience and provide a foundation for any company to both assess its information practices and reduce them to writing. If you have policies in place, your conversations with regulators, the press and others start from a more positive position.

Why did the firm focus on these specific policies when creating the templates?
We’ve emphasized these particular policies because these are the ones that typically matter the most to regulators, and they address specific regulations like HIPAA, GLB and PCI.

How would you recommend eRisk Hub members use the templates?
A mistake organizations make is taking a template or form and simply hanging their names on it without acknowledging their own specific needs. As a consequence you might end up with a policy that’s at odds with the organization’s regular activities. In fact, disregarding the policy or acting out against it can actually increase a company’s exposure. I tell clients, “don’t put anything in writing that doesn’t comport with your company’s culture and practices.”

Do you think every company needs every policy template in the Hub?
Most organizations will need all of these policies, but there are, of course, exceptions. For instance, if the company doesn’t allow its employees to use mobile devices to access the company network—rare, but still possible—then they won’t need the bring your own device policy.

How are these policies important when an event occurs?
As with any disaster response or emergency management plan where time is at a premium and disorder could reign, having a written plan is critical. Indeed, many companies make the mistake of believing that internal sources can respond. This often has disastrous consequences. Data breaches will be chaotic enough. Save yourself time, money and stress by defining your information management program, reducing that program to sound information policies and identifying expert outside resources during a period of calm. Establishing the policies and the discipline to enforce conduct so that it’s consistent with those policies can help investigators track down answers more easily when there’s a record of who was doing what and where. Secondly, it signals to the public—regulators, pundits and privacy advocates—that you’ve met the baseline requirements for security and privacy, which can help negate any early doubts if something should happen.

What are the limitations of policies, and what else do organizations need to have in place for legal protection?
Checking off the box of “having a policy” is of limited value if employees don’t understand how to implement it. Employees in any area of the business that will have contact with sensitive information need to be trained because compliance is a cost center. You also need to conduct regular audits to verify that these rules are used in practice. Having the policy is just the beginning.

In summary…
Mr. Raether has underscored the importance of employing policies that govern data security and privacy. We might also add that having a policy in place—one that is enforced—can mitigate one’s legal liability following a data breach event. Of course, security in and of itself is never one hundred percent effective. On the other hand, having nothing in place can show a lack of care and increase exposure following a breach incident.

Data Breach Liability from a Class Action Trial Lawyer’s Standpoint

A Q&A with Jay Edelson of Edelson LLC
With court attitudes around privacy issues constantly evolving, it can be a challenge to understand what constitutes a significant data breach case and the consequences liable organizations face. I asked counsel Jay Edelson about how he chooses his class action cases and how the current legal climate is treating them.

What are some traits or hallmarks that you look for when determining whether a data breach case might be ripe for a class action proceeding?
The first thing we look for is the degree of sensitivity of the information that was left unguarded. We are more likely to choose something that seems like a serious breach, like those involving health records or private information of children. For a suit to be successful, it needs to connect with the judge and jury on an emotional level—in short, they must be convinced that the loss of information truly matters to people. The reason that this is such an important hurdle to clear comes from the fact that data breach litigation is an emerging issue of the law. Courts don’t have the extensive precedent to look to, as in other consumer cases. If we can’t sell the case on an emotional level then it will be significantly harder to get them to be receptive to our broader arguments. Next, we will look at why or how the breach occurred. If it was something we think was preventable—for example, misplaced laptops that didn’t have basic encryption, as opposed to, say, a sophisticated hack from Eastern Europe—then we are more likely to take it on. The key that many plaintiffs’ attorneys unfortunately sometimes aren’t attuned to is that simply because a breach occurred does not automatically mean that the company acted negligently. Hackers and thieves are increasingly more sophisticated and there are certain times that it would be unreasonable for a company to have done more to guard their consumer data. Most data breach cases tend to be large so the size of the class doesn’t tend to be a determining factor, though of course the larger the number of people involved, the easier it is to justify putting more resources to the case.

In the past, it seems many plaintiffs/victims were only offered a year of free credit monitoring, which, arguably, is of little value to them. What are some additional settlement remedies your team (or your peers) are now pursuing to compensate victims?
Prior to a few years ago, the law was fairly settled and the thinking was that the fact that your information was out there in and of itself wasn’t enough to harm you—you’d have to show something more to the court to demonstrate harm. But that’s changed recently with decisions such as Resnick v. Avmed from the United States Court of Appeals, Eleventh Circuit. In Avmed, the court recognized that if people are paying the defendant money and they have a reasonable expectation that part of that money will go towards protecting their information, they have essentially “overpaid” for their goods or services if the company was not following through on its promises. Due to cases like this, we’re starting to see settlements move away from the “free credit monitoring” deals to monetary compensation.

What regulations do you call on to bring a case, and what is a typical negligence claim you’ve made?

We don’t look to regulations so much as the common law. We’re looking at the types of express or implied promises made to consumers. In terms of negligence, our theories are pretty simple: We’re bringing cases when we believe that the defendant wasn’t following industry security standards.

Which security shortcomings of breached organizations drive you nuts?
I think that corporations are not really asking the right questions internally about where the data is stored and how it’s being protected. Sometimes they’ll hire an outside consultant and they think because they’re paying someone money, they’re being responsible. The problem is that the companies aren’t thinking through these issues in a truly robust way. They’re often not asking the basic questions: Who has access to our data? Where is it being stored? What do we do with the laptops that we take out of circulation?

What steps would you recommend to limit exposure in a class action lawsuit?
Well, as a plaintiff’s attorney, I’m not generally in the business of giving advice to the defendant. But the way to limit exposure is to have really terrific protections so that the data isn’t hacked or stolen or lost. Protect—don’t harm—your client.

Which courts are the most sympathetic to these issues? 
A few years ago I would say there were none. Few if any courts were receptive to privacy cases. But there’s been a huge shift in the landscape, partly due to the increased sensitivity of the public. Issues such as the government spying program have changed the view of the judiciary as well, and we are now seeing great decisions coming from all over the country—in Chicago, where I’m located; in California; in Florida. At this point, I’d say there’s not a location in the United States where I’d be hesitant to bring a case.

In summary…
We invited Mr. Edelson to speak at our Marina del Rey Cyber Liability conference (attended by a majority of the P&C insurers in the industry that offer cyber/privacy liability coverage), and he and his colleague were both very forthcoming and effective in educating the audience about the plaintiff’s (victim’s) perspective—something that often gets lost in the quantum of cyber risk. Hopefully, risk managers are paying attention to these emerging theories of liability from the front lines of class action litigation. As a final comment, I’ll add that Jay and his fellow panelist received some of the highest praise from the hundreds of attendees, which is especially remarkable when you consider that some of those same audience members could be his future adversaries.

See this session recording on the eRisk Hub.

Data Breach Preparation and Centralized Logging

A Q&A with Branden Williams, of Sysnet Global Solutions
Many insured organizations are not as prepared for cyber breach incidents as they could be. Without a security information and event management (SIEM) system to centralize log collection, it can be exceedingly difficult and expensive to investigate and remedy a breach. I talked to Branden Williams, executive vice president of Sysnet Global Solutions, about SIEM and its advantages.

Please explain in layperson terms what SIEM is.
SIEM stands for security information and event management. A SIEM tool collects security-related information from all of the devices in your infrastructure and manages it in a centralized place. This allows you to look at multiple logs at the same time and understand correlation, in context, so that if you have 20 or 30 devices that are all having a security issue, you could go back and see that yes, someone tried and failed to log in several times before they were successful. These patterns allow you to understand how and when these incidents occur. The technology, in its current iteration, has been around for a decade or so but in the last three years more people have adopted it beyond the compliance use case. However, many companies still use it as a catchall to make auditors go away—and we know that compliance measures are usually behind the eight ball as solutions to real world threats—and they are not using it in the most effective manner. Proper deployment of a SIEM is costly and so even companies that are using a SIEM correctly are often only using it in specific areas and not across their infrastructure.
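The correlation Mr. Williams describes (several failed logins followed by a success, visible only once logs from many devices sit in one place) as an added example, not code from Sysnet or from the original post: a Python script that parses constructed syslog-style sshd lines from three assumed hosts, groups attempts by source address and user, and raises an alert when a success follows three or more failures within a ten-minute window. The log layout, host names, addresses, user names and thresholds are all assumptions; a real SIEM expresses the same logic as a correlation rule over its normalized events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like layout, already collected
# from three hosts into one place (what the SIEM does for you):
#   <timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>
SAMPLE_LOGS = """\
2014-03-01T10:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2014-03-01T10:00:04 web01 sshd: Failed password for admin from 203.0.113.7
2014-03-01T10:00:09 db02 sshd: Failed password for admin from 203.0.113.7
2014-03-01T10:00:15 db02 sshd: Failed password for admin from 203.0.113.7
2014-03-01T10:00:21 db02 sshd: Accepted password for admin from 203.0.113.7
2014-03-01T10:05:00 web01 sshd: Failed password for bob from 198.51.100.2
2014-03-01T10:30:00 web01 sshd: Accepted password for bob from 198.51.100.2
2014-03-01T11:00:00 app03 sshd: Accepted password for alice from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(text):
    """Normalize raw lines into dicts and order them by time across all hosts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are dropped here; a SIEM would count them
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate_bruteforce(text, threshold=3, window=timedelta(minutes=10)):
    """Alert when a login succeeds after >= threshold failures from the same
    (ip, user) within `window`, regardless of which host saw each attempt."""
    failures = defaultdict(list)   # (ip, user) -> [(timestamp, host), ...]
    alerts = []
    for e in parse(text):
        key = (e["ip"], e["user"])
        # keep only failures still inside the sliding window
        recent = [(t, h) for t, h in failures[key] if e["ts"] - t <= window]
        if e["outcome"] == "Failed":
            recent.append((e["ts"], e["host"]))
            failures[key] = recent
            continue
        if len(recent) >= threshold:
            alerts.append({
                "ip": e["ip"], "user": e["user"], "failures": len(recent),
                "hosts": sorted({h for _, h in recent} | {e["host"]}),
                "success_on": e["host"], "at": e["ts"].isoformat(),
            })
        failures[key] = []  # a success closes the episode either way
    return alerts


if __name__ == "__main__":
    for a in correlate_bruteforce(SAMPLE_LOGS):
        print(f"{a['at']} {a['ip']} -> {a['user']}: {a['failures']} failures "
              f"across {a['hosts']}, then success on {a['success_on']}")
```

Note what is invisible without centralization: web01 alone saw two failures for `admin` and db02 alone saw two failures and a success, and neither host crosses the threshold by itself. Only the merged, time-ordered stream shows the pattern and names every machine the investigator should look at first.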

How can SIEM help a company with decentralized operations and multiple business units?
It’s difficult to track threats that go through the network if you can’t centralize your logs, and this becomes even more complicated in a large company with many operations. Being able to maintain logs in a single place can help you track data across functions and identify issues early, including inefficiencies. Another major reason to use SIEM is to prepare for the case of a natural disaster or major outage—it’s much easier to access log information when it’s all in one place, even if your satellite location is offline.

How can a SIEM help a forensic investigator in a data breach situation?
If a system is a complex one, an investigator could have a difficult time determining where an incident came from. If you have a functioning, wide-scale SIEM in place, an investigator can review the logs and see which machines are impacted. Narrowing down the investigation’s scope saves money, time and effort. For example, in a prominent breach we were involved in, it took about six weeks to figure out the cause due to the lack of logs. Ultimately, it turned out that one of the machines we originally dismissed was the original infiltration point that led to the larger breach. We could have shaved two weeks off of the investigation and saved the company about $50,000.

In summary…
Recently, an insurance executive whose company offers cyber liability coverage to healthcare entities told me his clients that suffer data breach events rack up immense claims costs for computer forensics, due to the lack of SIEM. And it’s a problem for sectors beyond healthcare. Investigations may take weeks as opposed to days. Because this type of proactive solution can ultimately help organizations better manage security threats while decreasing the future cost of a breach investigation, companies—especially those with decentralized IT operations—should give it thoughtful consideration.

Payment Cards and Data Breaches

A Q&A with Grayson Lenik
The retail industry is now the top target for cybercriminals, according to the 2013 Trustwave Global Security Report, and payment card data, governed by the PCI Data Security Standard (PCI DSS), is a critical area of concern. Yet many businesses, especially smaller retailers, are still unaware of basic PCI DSS requirements. I asked Grayson Lenik, senior security consultant at Trustwave, for an overview of what small merchants need to know.

Can you give us a summary of the key PCI threats and requirements facing retailers today?
I wish I could say it was complicated, but it’s really not. The basics of the PCI requirements, such as installing a firewall to protect data and creating strong passwords, are still killing people, especially small merchants. Without a good firewall configuration, you’re leaving remote access wide open to the internet. As far as the passwords go, I don’t know if it’s that people are not in tune with the basics of security or whether they are not aware that they need to change the defaults, but either way, weak passwords combined with easy remote access are a recipe for disaster.

In the PCI arena, the biggest threat to everyone is organized crime—large crews who are dedicated to stealing cardholder data. There’s a sophisticated black market surrounding the sale of this information. If a hacker wants to find a specific credit card from a certain region he could easily find it. So we know the operations are out there and they are very well developed.

What areas are your clients struggling with most?
I really think the big piece is education. That’s the first priority. I handle these breaches all the time and I find out from the business owners that this is the first time they’ve heard of PCI compliance. They ask, ‘Why didn’t my merchant bank or anyone ever talk to me about this?’ That’s remarkable since the regulation has been on the books for 10 or 11 years. Aside from that, it’s the basics: storage of cardholder data, firewalls and two-factor authentication.

People worry that it’s going to be very expensive, but there are very simple ways to comply. There are whitepapers available geared toward smaller merchants, about purchasing and configuring a firewall for less than five hundred dollars. Trustwave specializes in managed security services and offers a preconfigured firewall complete with two-factor authentication, including digital certificates, which is ideal for a smaller business such as a restaurant or small retail store.

Thankfully, I think the mainstream media is starting to do a better job of covering the topic so people are becoming more aware that small merchants are also at risk.

Do you see any trends for key causes of a PCI breach?
I think that goes right back to the first question. We see a lot of everything but remote access and weak passwords are still the biggest causes of PCI breaches. The big trend we saw for 2012 was the rise in eCommerce attacks. It’s frightening to see how simple it is for hackers, even hackers with a low skill level, to exploit these sites. I would recommend anyone in the security profession or even anyone who develops websites to test their own security on their own websites. With even some minimal steps, you can prevent these attacks.

In summary…
PCI continues to be a thorn in the side for many clients, and for many of the reasons that Mr. Lenik mentions. Often, it is the simple mistakes and commonly known exploits that can trip up organizations—and some mistakenly believe they have no credit card liability exposure if they outsource credit card processing (this is not the case in the eyes of victims or their lawyers). I personally feel that PCI is a fairly complex, granular and ever-changing standard that can be costly for clients to comply with, year after year. To complicate matters, the class-action plaintiff lawyers look to PCI DSS as an industry “standard of care.” This can increase the liability for a company that suffered a breach and was found to be lacking in a PCI-required practice that might have contributed to the incident (even if they were otherwise 95% compliant). On the plus side, regarding PCI as a standard of care can be useful to businesses in retail and beyond.
