When Responding to a Data Breach, Cooperation Is Nine-Tenths of the Law
In recent years, several high-profile breaches involving customer data have led to long and costly litigation. These events demonstrated that data protection is more than just a cybersecurity concern.
When responding to a data breach, legal teams have to work closely with the chief information security officer (CISO) to ensure that security policies, regulatory compliance and response plans are adequate to effectively protect sensitive data. Together, these departments can develop a sound incident response strategy that protects both the organization’s data and its legal interests in the event of a breach.
Potential Legal Repercussions
In addition to the obvious operational and financial repercussions, a data breach can result in class-action lawsuits from customers, federal and state government actions, and even international ramifications. For instance, the cost of the infamous Target breach of 2013 reached nearly $300 million after the company settled with 47 state governments.
Corporate data repositories continually grow and can be on-premises or in the cloud, which adds significant legal complexities, especially when crossing international boundaries or jurisdictions. The CISO must consider these risks with regard to data integrity.
Additionally, the CISO must work with legal counsel to negotiate with government agencies investigating a breach. Breach investigations often involve personnel policies, security policies, corporate governance, cyber liability insurance, breach scenarios, negative publicity and government inquiries. Failure to diligently address all of the above when responding to a breach can result in costlier litigation and reputational damage.
When responding to a data breach, maintaining attorney-client privilege is crucial. Knowing the differences between a possible incident, an actual incident and a confirmed breach will determine the appropriate response. This requires working with attorneys to help design a response plan that determines who speaks to whom, when and about what. Remember that once a breach is confirmed, litigation will be filed immediately. This represents a high risk factor to consider when formulating a response plan.
For example, it is not enough for a CISO to simply say the organization is in compliance with best practices and regulatory requirements. The government will look at how well-prepared the organization is to detect and appropriately respond to an intrusion. Are attacks logged? Is the data encrypted? Whether the government treats the breached organization as a victim of the attack depends heavily on whether it had adequate security programs in place.
The Battle in the Boardroom
The CISO must communicate the business benefits of a comprehensive and well-rehearsed incident response plan to the board. Many board members are unwilling to invest time and money without understanding the return on investment (ROI). A risk-based assessment program adequately explained to executives, along with the corporate attorney’s support, can help generate security awareness among board directors.
CISOs can demonstrate the importance of risk management by comparing the security investment with the potential for significant financial exposure should they neglect data protection. Security leaders can also remind business executives of their fiduciary responsibilities and accountability should a breach occur. For example, the Target breach exposed the company’s board to ramifications that led to the departure of its CEO and shareholder demands to drop other board members.
Collaboration Is Crucial When Responding to a Data Breach
The CISO and legal department must work as a team right from the start to develop an incident response plan. From a risk perspective, an added focus on risk assessment and management is vital to protecting the organization in the event of a breach.
The planning should take into account the organization’s total protection in areas such as:
- Data protection;
- Litigation; and
- Public relations.
One of the most important steps is to know where your data repositories are and to protect them. When a breach occurs and a crisis erupts, management and mitigation are critical. This can only be achieved by engaging all departments within the business to contain the leak, communicate with customers and implement the proper procedures to limit any reputational and legal damage.
Rehearsals of the plan should include the legal, IT and security teams to ensure all are working together. They must share the common goal of mitigating the breach as quickly as possible and establish lines of communication early on. In the event that an incident results in litigation, the corporate attorney must be involved from the onset, with close cooperation from the other teams, to minimize the risk. If evidence needs to be collected for an internal investigation, close cooperation with the corporate attorney can help organizations avoid costly delays.
Breaches affect the entire organization, so an effective response to a cyber incident requires interdepartmental cooperation. Support from the C-suite and board is vital; otherwise, the CISO is fighting a losing battle. Involving the legal department in security can help CISOs gain the executive support they need to adequately protect the organization from legal and reputational risks.