By Alan Heyman
A data breach is like an auto accident. When you have a serious automobile accident, you have to report the accident to the police. The police could make a determination as to who is at fault and citations and fines could be issued. Of course, you want to report the accident to your insurance carrier to protect yourself from litigation and you want to repair your vehicle. At some point, a determination is made as to who was at fault and who has the greatest liability; attorneys on both sides are always involved.
You will be asked for your current insurance card, your up-to-date license and registration. Your inspection sticker will be examined. You will have to show that all your records are up to date and in compliance with your state laws and regulations.
What happens when you have a cybersecurity data breach? Once you have recognized that your enterprise has experienced a breach, under the notification laws in 47 states you have to notify state authorities; in most cases at least two agencies and in some cases three, and perhaps even more if your enterprise conducts business in multiple states. You will need to contact an attorney who specializes in the privacy area to guide you through the maze of requirements and defend your enterprise. You will have a specific time limit to accomplish the state regulatory notification requirements, as well as to notify all employees, clients or other affected parties. This is usually 60 days. Once you have notified the state or states, you will probably notify your insurance carrier because of the potential litigation, losses and damages your enterprise could be subjected to.
The breach has happened and you have reported it, so be prepared for a potential visit or audit by the regulators to ascertain responsibility and to determine if there have been any violations of state laws.
What compliance documents do you have in place? Privacy policies? Breach notification policies? Do you have a written information security program (WISP) in place and operating? Where do you keep your proof of employee training, or a comprehensive defensible breach plan, etc.?
In the case of your automobile, there is a long history of defensible ways to manage and limit enterprise or personal exposure: Insurance (liability/collision), proper maintenance, state inspection up to date, registration and license up to date, driving classes and more.
What are you doing in the cybersecurity arena to develop a defensible breach approach to manage and limit your potential exposure?
Reports are showing that the number of breaches affecting small enterprises is rising dramatically while the number of breaches affecting very large enterprises is dropping. Large enterprises have the manpower, expertise, money and resources to develop cyber policies and defensible breach procedures. Small enterprises do not. So the criminal hackers are going where entry is easiest and most profitable for them.
What you have done in regard to your enterprise systems and what you are doing concerning the incident could be looked at very carefully. The actions your enterprise takes because of a breach could be closely examined. Your enterprise needs to be prepared for this eventuality. Like disaster recovery plans that are becoming more popular for companies as a result of climate emergencies, defensible breach response and WISP plans are necessary for the reality of regulatory and/or litigation scrutiny.
Criminal hackers, when breaking into enterprise systems, will often leave proof that they were in your computer system and show that they have had, or can have, complete access to personal information as well as sensitive data and intellectual property. In today's environment, your company could expect a federal or state regulatory agency visit, and there could be a class-action suit or some other type of litigation as a result, as has happened repeatedly in recent months.
Alan Heyman is CEO of the SMLR Group Inc. in Briarcliff Manor. He has more than 30 years in the data communication world, having started one of the first Internet-based electronic data interchange (EDI) companies in the late 1980s. He can be reached at aheyman@smlrgroup.com or by calling (914) 455-0600, ext. 101.
A good starting point for SMEs is the Online Trust Alliance Data Protection and Breach Readiness Guide – http://otalliance.org/news/releases/2013DataBreachGuide.html. They are currently working on an updated version for 2014.