Whenever I listen to the SANS Institute’s daily podcast on cybersecurity, I am always impressed by the ingenuity and persistence of cybercriminals. The popular conception of a hacker as some kid in a hoodie is misguided. These are well-organized international criminal gangs that boast some of the most sophisticated and talented hackers on the planet. Their crimes will only continue to grow in scale and frequency, because the probability of punishment is minuscule while the potential rewards are enormous. Every organization must use the most robust defenses available, but it must also be ready for the inevitable breach.
The costs of a breach are many and varied: a fall in stock price, damage to the organization’s reputation, and the hours and days employees spend away from their normal jobs are just some of the potential consequences. One of the most expensive items on the list will be legal liability, whether to regulators or to customers turned plaintiffs. Despite this risk, many organizations are using the wrong strategies to avoid those costs.
Prepare for regulators’ questions
Cybersecurity professionals are taught the D + five Rs response protocol: Detect, Respond, Report, Recover, Remediate, and Review. This method of incident response is excellent for limiting damage and getting systems back online as soon as possible, but it is of limited interest to regulators and plaintiffs. They do not really care about the results of an expensive forensic analysis. They want to know what you did before the breach, and what policies and procedures you had in place to prevent one.
In the US, health care providers get breached with depressing regularity. Their regulator, the Office for Civil Rights (OCR) of the US Department of Health and Human Services, always investigates large breaches and may look into smaller ones depending on the circumstances. It is not interested in how the attackers got into your system; it looks at specific areas of your compliance program.
Eight things regulators will ask to see
A 2016 Data Security Incident Response Report by BakerHostetler found that regulators frequently asked for the following items.
- Documentation of the incident response, investigation, mitigation, notification of individuals, substitute notice, and media notice provided.
- Copies of policies and procedures governing privacy and security.
- Evidence of education and awareness training programs.
- Sanctions policy and evidence of disciplinary action taken.
- Risk analyses conducted in the several years before the incident.
- Risk mitigation plans developed from the risk analyses.
- Vendor and business partner contracts.
- Evidence of corrective action taken.
In short, regulators want evidence that the organization was doing something to understand and mitigate its risk before the breach happened.
It is not only the OCR that is more interested in preventive policies and procedures than in the attack itself. One of the financial industry watchdogs is FINRA (the Financial Industry Regulatory Authority). It requires every organization it regulates to create and maintain a system of written policies and procedures for managing cybersecurity. FINRA is enforcing SEC Regulation S-P with fines of up to $150,000. And it is not alone: the SEC is also enforcing its own regulation, which requires all the broker-dealers and investment advisers it regulates to have a “complete set of … policies and procedures addressing administrative, technical and physical safeguards reasonably designed to protect customer records and information.”
Understand federal and state statutes
State laws are also beginning to require written policies and procedures. The governor of Delaware recently signed a cybersecurity breach notification statute into law, and one of its provisions is typical of many state statutes: organizations that have their own procedures and practices are deemed to be in compliance with the statute. Delaware goes a step further, however. All firms must “implement and maintain reasonable procedures and practices to prevent” a breach.
The New York Department of Financial Services (NYDFS) cybersecurity regulations, recently imitated by Colorado and Vermont, likewise require that “each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors.”
Be aware of plaintiffs’ legal claims for negligence
Regulators are only part of the legal risk, because any data breach is bound to attract plaintiffs. Some of these lawsuits are based on statutes, but almost 40% are based on the common-law action of negligence. The principal element of a negligence claim is a failure to maintain the standard of care that would ordinarily have been exercised by a company in the same industry with the same knowledge and skill.
One way to demonstrate that your organization is exercising this level of care is to maintain a robust information security management system (ISMS).
Some risks will materialize and some will not. Then there are risks, such as a cybersecurity breach, that are inevitable. When the breach does occur, there will be legal consequences from US federal and state regulators, from US plaintiffs, and, if the organization is subject to its jurisdiction, from the regulators enforcing the EU General Data Protection Regulation (GDPR).
Mitigate legal risks with a robust ISMS
To avoid or minimize these risks, an ISMS is no longer something that is nice to have. It is essential for a business to survive, and no ISMS standard is as widely recognized as ISO 27001.
ISO 27001 is the international information security management standard that many organizations use as the framework for their ISMSs, because its requirements span the administrative, technical and physical safeguards that regulators and plaintiffs ask about.
Certification to ISO 27001 is now growing at 91% year-on-year in the US.
With information security breaches now the norm, security teams are compelled to take measures that reduce the risk of a damaging breach and, just as importantly, to document those measures. ISO 27001 presents an effective way of doing both.