A Matter of Time – Responding Rapidly to a Cyber Incident

by Conor Looney | CEO | Oct 6, 2021 | eDiscovery

Data breach – these are two words that cause corporations to cringe and CEOs to panic. According to the Identity Theft Resource Center, the average cost of a corporate data breach is about US$8.5 million, with some events soaring past the $10 million mark, while the average cost per record stolen is about $150.

Data is one of the hottest commodities on the black market. It should be understood that hackers are seeking any type of information, not just credit card information and personal data. Corporate secrets, legal data, even access to business operating systems are all valuable information in the criminal realm.

Cybersecurity has become the largest growing sector in the digital industry because security must continually be upgraded and changed to outsmart digital thieves. Businesses now must always remain prepared for a breach.

Businesses must also have a plan of action in place in the event of a breach. A quick cyber incident response, or CIR, is not only necessary but is required by law. How a company handles a breach is just as important as, if not more important than, the breach itself.

Cyber Incident Response (CIR)

When there has been a breach of personal information, a business has 45 days to notify all affected people. This is the law, and there are only a few rare exceptions when the courts will allow an extension of this time frame. In most cases, the courts only provide about 15 more days to complete the task.

From the moment the CIR begins, the business must secure the rest of the data and begin reviewing the affected documents. Depending on the size of the company and the amount of data breached, this could be millions of documents that need to be reviewed in this short period.

Many people compare this document review to reviewing eDiscovery documents for a court case. While the processes can seem similar, they are actually quite different.

When you are reviewing digital documents for a court case, you search for specific words and patterns to find information relevant to the case. Millions of documents or data sources may need to be searched, and by using a keyword or phrase, the search method helps the attorneys reduce the amount of data that must be reviewed.

In the event of data theft, the records must be carefully searched to see what is missing from the information. You cannot use search technology for this type of research; you must review the data and determine what has been stolen.

In some cases, you can see a pattern form right away. For example, if the first 1,000 documents all had the social security number stolen, it is easy to assume that this is what the data thieves were searching for when they hacked the system.

However, it is not always that simple. The latest technique to get past cybersecurity measures and to make the breach more profitable for the hackers is to steal random information. This makes the breach harder to spot, harder to trace, and much more complicated to fix.

To Make Matters More Complicated

If these issues were not complicated enough, businesses that operate internationally or sell products or services in California have additional laws that must be addressed in the event of a breach.

The General Data Protection Regulation (GDPR), enacted in the European Union in 2018, and the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020, give more privacy protections to consumers. These two laws treat additional categories of information as protected, which means that any breach can become more complex when trying to comply with them.

Many data breaches that may go unnoticed under regular circumstances may now be a violation of these two laws, and businesses must have a response in place if this occurs.

The 45-Day Deadline Still Applies

Even with the additional requirements placed on businesses by these laws, the 45-day notification requirement remains in place. This is why any company's response to a data breach must be immediate.

Many businesses turn to companies that specialize in reviewing digital documents for law firms to assist with the recovery process. These firms have an accuracy level that allows them to move through data quickly while compiling the necessary information for the client so that notifications can be sent.

The response to a breach can make or break a company. Without a proper response, businesses face many legal issues and loss of consumer confidence.

Creating A Rapid Response Team

All businesses should have a rapid response team or plan of action ready in the event of a breach. This is not reserved for just mega-corporations that process a lot of data. This also applies to small private companies, medical centers, doctors’ offices, and even restaurants. Any place that uses consumer information is a target for hackers.

Your business information can be obtained in many ways. Hackers may take your information hostage through the use of ransomware. This malicious software can pull the data and store it in the cloud where only the hackers can access the information. Depending on the intent of the hacker, the ransomware could continue to destroy the operating systems after stealing the information or just hold the info hostage until a “ransom” payment is made.

Hackers may get into business data through poor cybersecurity practices and access the servers directly. This makes it harder to find the hacker, and it causes a lot of trouble. These types of breaches may not be seen right away because the stolen information can simply be copied and the business owner still has full access to their data.

Access to corporate data may come through phishing emails, downloads, or an open Wi-Fi system. There are countless ways that information can be stolen. Businesses must remain proactive at all times to protect the company data.

Having a rapid response team or plan will help businesses avoid more problems if a breach occurs. Action can be taken immediately, which can help restore consumer confidence and prevent legal actions against the company.

After The Breach

Once a breach occurs, it will be necessary to bring in forensic analysts to look over the data and determine how the breach occurred. In the past, businesses were devastated to have recovered from one breach only to have another occur a few months later because there was software planted in the system by the hackers that allowed them to trigger another breach with little effort.

Going through the data to see how the information was stolen and getting a detailed look at what was stolen will allow the business to create new security standards to prevent a breach in the future. It will also ensure that there is no foreign code in their systems that will allow further access to the data by the hackers.

Businesses must also take a very close look at the stolen data to see if it includes any proprietary information. Corporate espionage is not a myth, and there have been several data breaches that were just a cover to steal corporate information. The personal data that was stolen never reached the black market.

Careful protection of business information is no longer something that can be overlooked as part of the cyber security system. Any data that is digitally stored must be protected.

The Law Concerning Data Breach Will Only Become Stricter

Over 85 percent of all business is now conducted digitally, from ordering and managing stock to signing contracts. All of this digital information must be protected at all times for the consumer as well as the business.

Since most business is now handled or managed digitally, it is safe to assume that identity and digital information laws are going to continue to get stricter. Laws like the California Consumer Privacy Act may spread to more US states or even become a federal standard. The laws adopted by the EU may spread to non-EU countries.

What can businesses do? The only options businesses have are to monitor cybersecurity continually and have a plan in place if a breach occurs.

If your business is the target of a data breach or ransomware attack, it will be important that you act quickly. If you do not have a plan in place, you are encouraged to use the following steps:

10 Steps To Put In Place After A Data Breach

  1. Take all necessary steps to stop the data flow out of your business. Disconnect from the Internet, call the cloud storage company to stop the breach if you store in the cloud, or shut down your servers. Do anything that you can to preserve the remaining data.
  2. Immediately notify the authorities that the breach has occurred. This is a crime, and the police must be notified. They will direct you to the right offices to handle this type of event.
  3. Notify your insurance company. Your insurance company should be made aware that there is a problem. Most businesses have protections for these cyber incidents.
  4. Contact a service provider that can accurately process the data that has been stolen and determine what information was taken. These professionals can move through a large number of documents very quickly with their document processing programs.
  5. Make all necessary notifications to consumers and other businesses that may have had their data stolen from your company. Make sure that the notification is clear on what was taken and when.
  6. Make sure you comply with the GDPR if you conduct business in the EU and the CCPA if you conduct business in the state of California.
  7. Follow through with your cybersecurity to make sure that there is no trace code left in your system that would allow additional information to be stolen.
  8. Change all cybersecurity protocols so that you can protect your data in a new way after the breach. It is safe to assume that the old measures being taken were not secure enough.
  9. Continue to update and monitor your data to protect it and your customers in the future.
  10. Train and retrain your employees about the ongoing business risk and how they can help prevent future cyber incidents.

Conor Looney is also an advisor to the Electronic Discovery Reference Model’s (EDRM) Global Advisory Council.