Time to Dust Off That Breach Disclosure Plan
When the topic of data breaches comes up, executives usually point to the extensive planning the company did years ago, assuming that the premises and conditions that held when the plan was written still hold today. But as the risks change, our planning should change with them. We need to re-evaluate our plans continually against the most current understanding of the risks involved.
As we should probably realize by now, not all tasks are created equal -- especially when it comes to making mistakes. For most of the things we do -- from brushing our teeth to typing an email -- making a mistake is usually relatively innocuous. Sure, we might have to clean a bit of the toothpaste off the sink or retype a word or two, but the world doesn't blow up. It's just a bit of extra hassle to recover.
By contrast, there are some tasks where the opposite is true: Even a small mistake can have major consequences. Neurosurgeons, air traffic controllers and bomb squad technicians are folks that spring to mind when you think of people who need to make really certain that they don't mess up. It's a fact: Some situations are less forgiving than others.
As humans, we understand this intuitively and react accordingly. Installing a new light fixture in your home? If so, you're probably pretty careful to make sure the electrical circuit is turned off (because you'll get electrocuted if it isn't) and you're probably careful to insulate the wires thoroughly (because the house could burn down if you don't). The situation merits caution, so you exercise it.
We innately match the level of caution to the risk. But what happens when we misunderstand the risks involved? What if we perceive a risk to be much lower than it actually is? When we do, we can put ourselves or our businesses in jeopardy. As professionals, it is our job to understand the current risk environment and to notice when it changes. When the risk goes up, it is our job to make sure that we react.
That is, unfortunately, something many of us are not doing today -- at least not with respect to data breaches. You see, when it comes to data breaches, the stakes are going up and up while planning (at least for many of us) stays the same.
The Rising Stakes of Breaches
Here's what I mean.
If you've been in the security business for a while, you probably remember a time when California was the only state with a breach disclosure law. Until SB-1386 hit the books, most companies had no reason to tell anyone when they lost customer data. Since they weren't explicitly required to notify anybody, they usually didn't (which is why California made notification a legal requirement in the first place).
Over time, as more states jumped on the bandwagon, industry responded by undertaking breach disclosure planning en masse. We all went out, did our planning, and put it behind us. Now, when the topic of data breaches gets raised, executives usually tend to assume that they've done the planning, bought the proverbial T-shirt, and have the situation well in hand. They'll point to the extensive Breach Disclosure Policy and Procedure manual on the shelf and rest assured in the blissful knowledge that they've got it all covered.
Except really they don't. Why not? Because the risk/care threshold we were talking about has broken down: Breaches in the past were a big deal, but they're an even bigger deal now. And in most of our cases, nobody's gone back and made modifications based on how things have changed since the planning was originally done.
To illustrate what I mean, take a breach scenario involving credit-card data. Did you know that if you suffer a breach involving cardholder data, the card brands treat you as a Level 1 merchant for the purposes of PCI DSS compliance validation and reporting from that point forward? It's true.
So an entity that was a Level 3 or Level 4 merchant -- say a university, hospital, or small retailer -- could start the year needing only to fill out a (let's face it, pretty cursory) Self-Assessment Questionnaire about its PCI compliance and end the year having to validate the same way Walmart does: with an annual on-site assessment by a Qualified Security Assessor (QSA). And that assessment is a big deal: not only is it not cheap, it's also really hard to pass. So an organization caught in this situation incurs a large bill just to pass the PCI assessment the first time, and then pays again every year thereafter. Net result of the breach: a huge cash outlay.
The situation is similar for a healthcare provider that suffers a breach involving protected health information. You've probably heard that breach notification requirements were updated as part of HITECH, but did you know that individual states are starting to levy fines against healthcare providers for not reporting in a timely manner? It's true -- as an example, Lucile Packard Children's Hospital was fined $250,000 by the California Department of Public Health because it did not report a stolen computer containing the records of 532 patients within the timeline established by California state law. Net result: also a huge cash outlay.
Planning Not Keeping Pace
So clearly the costs and risks to our businesses associated with breaches are on the rise. Why, then, does our planning remain unchanged?
If the folks at Lucile Packard sat down today to map out a breach response process, do you think they'd craft one that involves waiting longer than California's legally defined maximum reporting window? I don't think they would. A quarter-million dollar fine makes a difference to how they're likely to plan. And what about companies that store credit cards? Do you suppose the increased costs of validating at Level 1 enter into their breach planning equations? They should, but in most cases they probably don't.
The point is, it's important that we continuously re-evaluate our planning against the most current understanding of the risks involved. As the risks change, our planning should change. We should be continuously scrutinizing our plans to ensure they match the actual risks in the field. And when we're in a situation like the one breach disclosure is in right now, where the underlying context, assumptions, and parameters are changing very quickly, it's imperative that we go back and question the decisions we made when circumstances were different.
If it's been a few years since you looked over your breach processes, maybe it's time to go back and do some additional planning based on what has changed since then. And while you're at it, you might want to review the controls you do and don't have in place in light of the new financial impact of the breach disclosure process: the cost/benefit of a control may have shifted now that the financial obligations you'd incur from a breach are larger than they were when you first did your planning.
Ed Moyle is a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.