Asking Tough Questions to Prepare for a Breach: A webinar that explores cybersecurity risks offers plenty of advice

You don’t expect much humor in a data-breach webinar. But the one presented by Julian Ackert, a managing director at iDiscovery Solutions, Inc., and Drew Sorrell, a partner at Lowndes, Drosdick, Doster, Kantor & Reed, P.A. (and hosted by MCC), started with a smidgen. In the second slide, Ackert described himself as “a technologist, not a lawyer.” Sorrell countered that he is “a lawyer, not a computer magician.” These days, companies would probably prefer to hire magicians – if they could make the whole subject disappear.

The statistics Ackert and Sorrell introduced in the very next slide were a bracing slap in the face. The cost of a breach averaged $17.36 million in 2016 – up 66 percent from 2013. The three industries with the highest costs: financial services, utilities and energy, and technology – in that order. And the Federal Trade Commission (FTC) has brought 60 enforcement actions since 2000.

So much for the lighthearted stuff. The rest of the webinar, entitled Data Breach Response, was heavy on information and the kinds of tough questions companies need to ask themselves to prepare for what experts suggest is the “inevitable” breach.


Sorrell reviewed some of the horror stories we’ve all read about: Sony, Target and Yahoo, to name a few. He also mentioned some you might have missed: Lab MD was one of them. It was a small company. That’s one of the reasons Sorrell chose to highlight it. You don’t have to be a big company to find yourself in trouble. Nor is the source of trouble always the result of criminal acts.


Here’s what happened at Lab MD. An employee using a peer-to-peer network inadvertently shared 1,718 pages of customer data over the web. It was neither malicious nor intentional. There was no proof of harm, and there was no proof that any of this data was actually accessed by a third party, much less used for nefarious purposes. Nevertheless, the company was the subject of an FTC action and is now out of business.

Before the presentation turned to prevention, Sorrell took on the subject that has become a staple of so many talks since January. What can we expect from the new administration? Will the FTC still be in charge of enforcement?

“The current thinking is that the Trump administration is probably going to continue in a general sense with permitting the FTC to go forward with its enforcement and privacy actions.” But Sorrell added a caveat. In January, President Trump issued an executive order stripping the privacy rights of non-U.S. citizens under the U.S. Privacy Act. Sorrell suggested that this could further complicate U.S. and EU relations as they navigate the new Privacy Shield (which was plenty complicated already). 

When Ackert began talking about preventing breaches, he started with a question: “What does it mean to be a cybersecure organization?” To answer, he turned to a study published by the Ponemon Institute in October 2016. Companies that do this right, he said, treat security as a “forethought” rather than an “afterthought.” They protect data proactively with technology and processes. They assess and audit third-party risk, and they don’t overlook threats within the company.

How should a company get started? The first thing is to be sure you have the right mix of resources. You’re going to need technical, legal and executive expertise, Ackert said. The need for C-level involvement is obvious, he said, because you need “budget and priorities” established and pushed down from the organization’s leadership.

Sorrell pointed out that involving lawyers early on may present an opportunity to shield some of the work under attorney-client privilege and the work-product doctrine. It can also help establish an advice-of-counsel defense, should trouble ever come knocking.

One of the most important components of a strong cybersecurity program, Ackert continued, is “periodic and ongoing” employee training. The key here, Sorrell added, is the need for consistency. If you have a good policy but rarely train employees after you’ve introduced your new plan, this can actually be used against your company, calling into question its level of commitment, he noted.

A particularly interesting topic that Sorrell dove into was contracts. Data-breach provisions are being written into many of them these days, and it’s important to consider the implications, he said. Who bears responsibility for a breach – your company or the client? If there’s a breach involving a client’s data, who controls the response, the company or the client? Sorrell warned that giving up control can be perilous. If one client’s data is breached, other clients’ data may have been exposed in the same incident. And if the first client controls the response by contract, that could put the company in an awkward position in relation to the others. The same sorts of questions arise in contracts with customers and vendors, the lawyer added.

Ackert reviewed the need to have a detailed response plan in place before a breach happens. His key point was that the plan needs to be updated and tested regularly. There are always new threats, in the form of new attacks (such as ransomware and the extortion demands that come with it) and new vulnerabilities (such as those introduced by the growing number of devices now connected to the internet). A response plan has to be current to be effective.

Near the end of the webinar, Sorrell waded into a tricky subject. “At what point do you engage law enforcement?” he asked. “Do you engage them immediately? Do you wait? Do you make decisions on the fly because you don’t have a plan?” He paused. Part of the “tabletop” exercises you conduct to test your company’s preparedness for a breach should involve how you handle various scenarios that could warrant police involvement, he said. And here you may wish to consult outside experts, he added, because the choices can be complicated and may affect your ability to respond effectively.

Ackert jumped in with his own thoughts on the subject. Mature cyber organizations, he said, typically “are ones that share information.” And that sometimes includes sharing with law enforcement. That can help, he continued, “because law enforcement knows what else is happening.” They may be able to provide information about the people behind the breach. 

As the session wound down, Ackert asked another question – one of the hardest to answer, he said. When you’re talking about cybersecurity, “how do you define success?” It’s an area that encourages little bragging, but there are ways to evaluate your company’s performance during a breach – or during an exercise preparing for one. Some of the questions he’d ask are: “How well did your response plan hold up? Were you able to follow it? Were there big holes?”

And finally: “How did your staff react? Was business continuity followed, or was there a complete shutdown of the organization?”
