Breach Coach® 101

A Q&A with Chris DiIenno, Esq. of Lewis Brisbois

Breach Coach® (es) are first responders on the scene of a data loss event and companies are increasingly hiring these cyber security experts to help manage their incident response. We asked Chris DiIenno about his work in this area and his advice to companies facing a data breach.


Data Governance: Managing and Safeguarding Important Information Assets

A Q&A with Tom Preece of Rational Enterprise

Many data breach events are at least partly the result of poor data governance: organizations that don’t maintain a data inventory or map. Without such oversight, the inevitable breach event can become all the more devastating. I spoke with Tom Preece of Rational Enterprise about what organizations can do to gain control over their data.


Don’t Ring the (False) Alarm: When a Data Loss Event Isn’t a Breach

A Q&A with Darin Bielby and Jeremy Batterman of Navigant Consulting’s Information Security & Investigations Practice
During a recent Risk and Insurance Management Society (RIMS) panel discussion, Navigant Managing Director Darin Bielby asserted that 50 percent of the organization’s information security forensic investigations yield evidence that enables legal counsel to advise companies that a data breach did not occur. These findings typically demand no further action or notification about the event, though some organizations proceed with additional precautionary measures. I talked with Bielby and his colleague Jeremy Batterman about the reality of data privacy events and what forensic investigators are seeing.


Using Big Data to Protect Against Cyber Risk

A Q&A with Lance Forbes of LemonFish Technologies
Of all Big Data’s capabilities, the means to proactively detect cyber breach events is especially intriguing. I spoke with Lance Forbes, chief scientist of LemonFish Technologies, to find out more about how analytics can be used to find lost data across the internet.


Intrusion Detection Systems: What You Don’t Know Will Hurt You

A Q&A with Joseph Loomis of CyberSponse
The fact is, most companies that have suffered a breach failed to detect the intrusion as it was occurring, and were only made aware of it after the damage was done. An Intrusion Detection System (IDS) with organized and correlated data can be an invaluable solution for incident response—but only if the system is installed and managed correctly. I spoke with Joseph Loomis of CyberSponse about some of the issues around IDS and how companies can use them more effectively.


Digging Into the President’s Data Breach Notification Bill

A Q&A with Dominic Paluzzi of McDonald Hopkins
In late January 2015, the White House introduced the Personal Data Notification and Protection Act (PDNPA), a data breach notification bill, intended to improve national cybersecurity. I asked attorney and breach coach Dominic Paluzzi of McDonald Hopkins about how this bill differs from the existing laws and its potential implications for risk managers.


Data Breach Public Relations: Getting Ahead of the Message

A Q&A with Melanie Thomas of INFORM
It’s just one of many pressing concerns during a cyber security event, but public relations and crisis communications are absolutely essential for sustaining customer loyalty and brand reputation long after the headlines fade. I spoke with Melanie Thomas of INFORM about how these services work and what companies can do right now to prepare for an emergency situation.


SEC Enforcement for Cyber Risk and Data Breaches

A Q&A with Jacob Olcott
As Jacob Olcott, principal in cybersecurity at Good Harbor Security Risk Management, LLC, points out, the SEC Guidance released in 2011 brings the issue of data security out of the IT realm and into corporate governance. But these rules for publicly traded companies are still relatively new, and what they mean in terms of legal exposure is still largely untested. Olcott answered a few of my questions about the guidance and how companies can minimize their risks.

Can we have a layperson explanation of the SEC Guidance as it relates to data security?
The idea here, generally speaking, is that publicly traded companies are obligated to disclose material risks to investors. The securities laws have been in place for 80 years—what’s new is that in 2011, the SEC issued guidance for companies to apply that longstanding legal requirement to the cyber security context. We know that every company in the world today has been penetrated and huge volumes of information have been exfiltrated out of corporate networks, largely the loss of intellectual property and trade secrets. But what hasn’t happened yet, necessarily, is disclosure of these incidents and that’s important from an investor’s standpoint. This guidance sits alongside all of the other legal obligations to disclose events when they happen—whether it’s laws regarding the security of health information or financial information—but it also covers information for which there had been no existing legal requirement, such as business secrets and intellectual property.

What’s the financial exposure here for a company that ignores the SEC guidance?
The failure to disclose material information can lead to shareholder lawsuits—there are decades and decades of history behind that. It can also lead to SEC enforcement acts, which are associated with fines. However, up until now there has never been an example of the SEC bringing an enforcement action against a company for notification around data loss, so it’s still unknown. Still, I think the reality is that as companies become more aware of their legal obligations to defend their networks, shareholders will be demanding greater security from the companies they’re investing in.

What concern might a board or CEO have in complying with the guidance? And how can a business mitigate this exposure?
The bottom line here is that boards and CEOs should be very worried about this because it raises a question that most if not all companies cannot answer today: If we had a material event in our system, would we know it? There’s a growing realization in the C suite that we have got to get a better understanding about what our security posture is today, whether it’s because of the SEC guidance or the growing realization that bad guys are here and they’re coming after us. The first step is to think about what would constitute a “material event” to the business and that is very business-dependent so we would tell our clients to figure out what they do and work backwards from there—basically, to figure out what the crown jewels are. If a company has a significant amount of consumer information, for instance, then that’s what they need to be focusing on. If it’s a piece of critical infrastructure like the electrical grid, then keeping lights on and the control systems working is the most sensitive thing to protect.

It’s very important for companies to have a corporate-wide cyber risk committee. If you ask the average IT security guy what “material cyber risks or events” mean they will just look at you dumbfounded—it’s not a term of art in the IT world. This is a good example of why general counsel or even more senior folks like the CEO who understand the business implications have to be more involved in managing cyber risk. It’s also very important for officers and directors to work with the security staff and do tabletop exercises in planning incident response ahead of time because the last thing you want is to be in the middle of a crisis and just thinking about it for the first time.

Can a violation of this SEC guidance lead to a possible directors and officers (D&O) lawsuit?
Yes, officers and directors have a longstanding legal responsibility to disclose material information to investors and I don’t think there’s any question that if they’re not closely examining cyber risk they could be very vulnerable in a potential suit. However, it hasn’t happened yet.

In conclusion …
This is a complex topic. In summary, it’s difficult to define “material risk.” After all, some companies face multiple malicious attacks or attempts on a daily basis that they may consider a nuisance but routine—and it would have to be an actual breach to be deemed “material.” For another company, the close calls could pose a material risk. And what if it’s only a minor breach, like a lost laptop? To report material risk publicly, clients will need to involve counsel skilled in security and privacy matters and thoughtful about balancing the needs of outside investors with the company’s interests, while not releasing too much information about their own loss control measures to the outside world. To build on Mr. Olcott’s insightful comments, it will be interesting to see if the SEC follows up here with significant penalties for willful violators of the guideline’s intent AND whether plaintiff lawyers leverage the SEC noncompliance argument in their data breach class action lawsuit complaints.

Public Relations in Face of a Data Breach: Risk and Preparation

A Q&A with Robert McEwen of McEwen & McMahon
Among the multitude of risks posed by data insecurity is a company’s reputation. In the past, ineffective communications about a data breach have often led to greater financial loss for victimized companies, such as when customers speak publicly about their negative experiences and damage brand equity, or when victims feel their concerns are not being taken seriously and seek recourse through legal action. So how can organizations prepare to communicate effectively in case sensitive information is ever compromised? We spoke with Robert McEwen of McEwen & McMahon to find out.

Why should clients care about PR as it relates to data breach/privacy violations?
Data breaches can erode trust in a company and damage its reputation. What wise business leaders have come to understand is that reputation has quantitative value. It is just as tangible as inventory, receivables, real estate or any other asset on the corporate balance sheet. Year-over-year analyses of Fortune magazine’s annual ranking of “Most Admired Companies” illustrate the indisputable cause-and-effect relationship between reputation and market capitalization. Moving up or down a single notch in a company’s industry sector rankings on average translates into a gain or loss of more than $100 million in shareholder value. It’s only common sense to take every precaution to protect and defend such a precious asset by investing in strategic communications counsel.

How can clients prepare to better manage their brand and mitigate future liability following a data breach event?
Data breaches are an unfortunate fact of life in a digital society. They are as ubiquitous as fires. The question is not whether they will happen, but when. Never, therefore, has the old adage “an ounce of prevention’s worth a pound of cure” held more true than when managing network security. It is far more economical to monitor, identify and deal with potential security issues in advance than to ignore them until some triggering event thrusts an issue before the klieg lights of the media. That’s when a company finds itself in the docket of the court of public opinion, where the jury most often presumes guilt, not innocence, and the trial is almost always a costly one. Such messes often can be avoided if only business leaders would make relatively small investments in crisis preparedness plans and rehearse them regularly.

Every manager with data breach response authority ought to have the crisis management plan filed and posted as an icon on his or her desktop. The plan should include specific scenarios for a variety of different occurrences—whether caused by a stolen laptop, a technology glitch, or a malicious hacker. Such pre-planning enables companies to deal with the situation more effectively than scrambling frenetically at the last minute.

In my experience, most stakeholders understand that data breaches are inevitable to an extent and they will be relatively forgiving if a company handles such an incident efficiently and straightforwardly. If, however, they perceive anything less than full transparency, then stakeholders can be ruthlessly unforgiving. That’s where the rubber meets the road and companies can suffer a significant bottom-line impact.

How much can PR services cost for a large/medium/small business?
The best way of estimating the cost of preparing for or responding to a data breach is to use the PR Cost Calculator that McEwen McMahon and NetDiligence developed for the eRisk Hub.

Generally speaking, the kinds of variables that impact PR costs mostly have to do with the size and scope of the breach, and the company’s degree of readiness to deal with it. How many stakeholder audiences are affected and how large are they? How sensitive is the information that’s been compromised? (Credit card data? Social security numbers? Private health information?) Does the company have internal PR capability? Is there a crisis communications plan? How up-to-date is the plan? Have employees rehearsed it?

Depending on the answers to these questions, PR costs can range from tens of thousands to hundreds of thousands of dollars. But far more important than the immediate cost of retaining outside PR counsel is the potential cost to a company’s reputation. Millions of dollars in brand equity that has taken decades to build can be wiped out instantaneously if a company’s response to a data breach is — or is perceived to be — inadequate.

In conclusion …
What most impressed me about Robert McEwen when I met him a year or so ago was that he was talking about the value of PR. He recalled the Tylenol case (of 1982), and how that was a classic example of excellent media management and customer communication, while the BP oil spill in the Gulf showcased the opposite. Bob felt there are strong similarities to properly handling a massive data breach event. I think he is spot-on, especially if you look at some of the largest publicly reported data breach incidents and how they were handled in the public forum. There is a strong argument for having a professional PR team in place to significantly help mitigate the risk exposures facing many businesses when the inevitable data breach or leak occurs.