A Ward and Smith attorney, an information technology professional and a privacy officer outlined a variety of best practices and tips for businesses dealing with data security and privacy issues.
The webinar, one in a series for Ward and Smith’s In-House Counsel Virtual Seminar, discussed how to prepare for a security breach and preserve evidence, and whether to pay a ransom to retrieve vital information.
The session, Upside Down: LARP for Privacy and Data Security, used the firm’s signature live-action role-playing (LARPing) technique to guide participants through data security updates illustrated by a hypothetical cyberattack.
The panel discussion included insights from Chris Hope, senior director of IT and security at One Source Communications, and Bridget Welborn, who leverages her experience as a data protection and technology attorney in her role as senior vice president of privacy and records management at First Citizens Bank.
To shed light on how business leaders should prepare for and respond to a cyber incident, session leaders guided participants through a hypothetical scenario involving an attack on a nearby logistics company with a national presence. In this situation, an unknown third party:
- Hacked the company’s official Facebook page and posted every employee’s name, address, and truncated Social Security number
- Gained access to the CEO’s email account and sent official-looking spoof emails to all employees about the information posted on Facebook
“The first step I would recommend is to start before a potential incident ever occurs,” Welborn advised, “and that is planning.” This includes setting up an Incident Response Team (IRT) made up of key internal company stakeholders.
Figuring out who to call first in the event of an incident and getting the right people on the IRT is essential, Welborn explained. For internal stakeholders, she suggested including the following:
- Corporate lawyer
- Chief Technology Officer and/or IT professional
- Human resources department
- External counsel
Pre-planning should also include identifying a forensics firm that specializes in data security before one is needed. “A little advance planning goes a long way when situations like this arise,” Welborn noted.
Isolation and preservation of evidence
“The most important thing to do on the IT side is make sure it doesn’t get any worse,” Hope says. This means ensuring that the threat actor no longer has any form of access. To achieve that goal, a company must change credentials for compromised accounts and consider shutting down systems, including servers or workstations.
Finding where the intruder got in, so that the problem can be isolated and contained, is key to making sure things don’t get worse. Hope went on to explain, “What we don’t want to do is remove anything from systems because we could end up compromising the evidence available to the research team to analyze and understand exactly what happened.”
Once evidence is destroyed it cannot be recovered, so there is only one chance to preserve it. It is also necessary to know in advance who to call for examination and recovery. Like Welborn, Hope advised business leaders to be proactive and identify all parties that need to be involved before an incident occurs.
“It can be really painful to sort these things out right away,” Hope says, “so a little legwork helps make these incidents manageable.”
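One concrete way to act on the preservation point above is to hash every collected artifact into a manifest as soon as it is gathered, so that any later modification, deletion or addition is detectable before the forensics firm relies on it. The following is an added example, not code from the webinar or from either speaker; it assumes (my assumption) that the artifacts are ordinary files under one directory, that SHA-256 is acceptable to the forensics firm, and that the manifest is copied to separate write-protected media once produced. The sample files in `demo()` are constructed for illustration.

```python
"""Evidence integrity manifest: hash collected artifacts, then verify later.

Added example for this article. Assumptions (mine, not the article's):
artifacts are plain files under one directory; SHA-256 is acceptable to the
forensics firm; the manifest is stored off-box after it is produced.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Return {relative_path: {"sha256": ..., "size": ...}} for every file under root."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        rel = path.relative_to(root_path).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the directory against a saved manifest.

    Returns {"modified": [...], "missing": [...], "added": [...]}; all three
    lists empty means the evidence is exactly as it was when hashed.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p]["sha256"] != manifest[p]["sha256"]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest: dict, out_file: str) -> None:
    """Write the manifest as sorted JSON so two runs over unchanged data are byte-identical."""
    with open(out_file, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def demo() -> dict:
    """Constructed sample: hash two artifacts, then edit one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        (evidence / "ceo_mailbox.pst").write_bytes(b"constructed mailbox export\n")
        (evidence / "auth.log").write_bytes(b"constructed auth log\n")
        manifest = build_manifest(tmp)
        # Everything below is what the manifest is meant to catch.
        (evidence / "auth.log").write_bytes(b"constructed auth log\nEXTRA LINE\n")
        (evidence / "ceo_mailbox.pst").unlink()
        (evidence / "notes.txt").write_bytes(b"analyst note")
        return verify_manifest(tmp, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is produced on the collection host right after imaging, copied off the box, and re-run by whoever receives the artifacts; a non-empty `modified` or `missing` list is the signal that the chain of custody has a gap worth explaining before the report is written.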
IRT roles and responsibilities
When putting together an IRT, it is essential to have decision makers at the table. Getting everyone together to talk about steps and decisions is a waste of time if someone has to call a timeout to find the right party to ask for permission.
“Time is really important when you find out that something happened,” Welborn noted. “It’s also good to have some idea of worst-case scenarios.”
Welborn pointed out that if a situation arises that requires a notification, a number of questions will arise, including:
- What type of notification should be sent?
- How are we going to reach our employees or customers?
- Is it appropriate to send a company-wide email if an internal email account has been hacked?
The next scene in this hypothetical cyber incident involves the IT executive who hires a forensics firm to gather as much information as possible. After the forensic report comes back, it confirms that the email came from the CEO’s account, that the Facebook post was posted 30 minutes later, and that both actions came from the same IP address.
Worse, the forensic report shows the bad actor:
- Gained access to the CEO’s credentials, giving them unrestricted access to all of the company’s systems
- Viewed and forwarded a specific email between the CEO and the HR Director containing sensitive employee information, including full Social Security numbers
- Completely deleted that email and the CEO’s credentials from the system
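The "same IP address" finding in that report is the result of a timeline pivot: normalise events from the mail gateway and the social-media audit log, group them by source address, and look for actions that share an address within a short window. The block below is an added example of that pivot, not material from the webinar or the forensics firm in the scenario; the events, addresses, names and timestamps in `EVENTS` are constructed for illustration, and the one-hour window is my assumption.

```python
"""Timeline pivot on source IP: link a spoofed mail send to a later social post.

Added example for this article. All events, IPs and names are constructed;
the one-hour correlation window is an assumption, not something the webinar stated.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events: the CEO's normal morning login from the office address,
# then the attacker's mail send and Facebook post from a different address.
EVENTS = [
    {"ts": "2024-03-04T08:02:00Z", "src_ip": "203.0.113.10",
     "actor": "ceo@example.com", "action": "mail.login"},
    {"ts": "2024-03-04T13:10:00Z", "src_ip": "198.51.100.7",
     "actor": "ceo@example.com", "action": "mail.send", "detail": "to=all-staff"},
    {"ts": "2024-03-04T13:40:00Z", "src_ip": "198.51.100.7",
     "actor": "facebook:company-page", "action": "facebook.post"},
    {"ts": "2024-03-04T13:45:00Z", "src_ip": "203.0.113.10",
     "actor": "hr@example.com", "action": "mail.login"},
]


def parse_ts(s: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamps used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pivot_by_ip(events):
    """Group events by source IP; each group sorted chronologically."""
    groups = defaultdict(list)
    for e in events:
        groups[e["src_ip"]].append(e)
    return {ip: sorted(evs, key=lambda e: parse_ts(e["ts"])) for ip, evs in groups.items()}


def linked_actions(events, anchor_action, window=timedelta(hours=1)):
    """For each anchor event, return other events from the same IP within the window.

    Each hit is (anchor_action, other_action, src_ip, minutes_after_anchor).
    Only events at or after the anchor are reported, so earlier unrelated
    activity from a shared address (e.g. an office NAT) does not create noise.
    """
    hits = []
    for ip, evs in pivot_by_ip(events).items():
        for anchor in (e for e in evs if e["action"] == anchor_action):
            for other in evs:
                if other is anchor:
                    continue
                delta = parse_ts(other["ts"]) - parse_ts(anchor["ts"])
                if timedelta(0) <= delta <= window:
                    hits.append((anchor["action"], other["action"], ip,
                                 int(delta.total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    for hit in linked_actions(EVENTS, "mail.send"):
        print(hit)
```

Run against the constructed events, the pivot links the all-staff send to the Facebook post 30 minutes later from the same address, while the two office logins from the shared office IP are not reported because neither is a send and they fall outside the window. In a real investigation the same grouping is done over thousands of events, which is one reason a full report takes days rather than hours.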
A common misconception about forensic reports concerns turnaround time. Rather than minutes or hours, these reports typically take days or weeks, simply because there is a lot of information to sift through. However, forensic teams are set up to give clients regular updates, sometimes several times a day in the early stages of an investigation.
“These updates won’t be a complete picture,” Hope explains, “but there will be enough information to start the decision-making process.”
Most reports cover who was involved, what happened and how it happened. What they should not contain are legal conclusions.
While the forensic report is pending, the IRT should begin preparing communications focused on what employees or customers need to be told. This can help limit reputational damage and reassure employees about what happened, Welborn noted.
Often, a forensic report will shed light on all the items that need to be addressed in an organization’s privacy practices. “This would be an opportunity, after completing the investigation and getting all the answers you need, to look at your practices,” Welborn said.
To avoid another incident, companies should consider the following:
- Access Controls – Lock down information and data so employees can access only what they need to do their job
- Email Practices – Do not share sensitive data in email; send the user to a secure area instead
“It’s free to tailor people’s access to their actual job responsibilities and needs,” Hope says. “There’s no technology cost, it’s just a little bit of time and effort.” Taking it a step further, there are a few other measures businesses should consider:
- Encrypted Email – Relatively cheap and easy to implement
- Two-Factor Authentication – Especially essential for mission-critical information
In this hypothetical scenario involving a company of 200 people, using a two-factor authentication system would cost about $20,000 to $40,000 per year. “If you compare that to the cost of a cybersecurity incident, which averaged about $4.62 million in 2021, that $20,000 to $40,000 is pretty attractive at the time,” Hope added.
Ransom: to pay or not to pay?
Publishing truncated information is often just a starting point. In many cases, the criminals come back later and threaten to publish all of the stolen data unless the company pays a ransom. Other times, they offer a key to decrypt data they have encrypted in exchange for payment.
“The latest figures from North Carolina were released in 2019, showing there were 1,200 data loss incidents,” Hope said. The figures show incidents reported to the National Criminal Investigation Department; however, many companies do not report these incidents to the police.
About 50 percent of the companies will eventually pay the ransom. Of those 50 percent, only about 29 percent end up getting what they were promised. “This is a very poor return on investment for what typically represents hundreds of thousands of dollars in cash,” explains Hope.
Moreover, paying the ransom rewards the behavior and invites bad actors to come back. The rate of repeat attacks is shockingly high, so even if a cyber insurance provider recommends paying, organizations should spend the money on prevention, by implementing enhanced security measures, or on recovery, by providing affected individuals with credit monitoring services.