Yes, You Bungled that Breach Response. What Were You Thinking?

The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.

You just got breached.

A trove of coveted customer and company data is now in attackers’ hands. Furious customers are flooding your phone bank, hoping to learn whether their personal information is now up for sale on the Dark Web. Your brand’s once-stellar reputation is now getting trashed 24/7 as the media report the embarrassing state of affairs.

Now for the bad news.

You’re going to get sued. But not every judgment needs to end up scraping your coffers clean. In fact, breach litigators speaking at the RSA Conference 2021 said there are steps that organizations should – and shouldn’t – take before and after a data breach. Make the wrong decision and you can easily make a bad situation even worse.

“There are a lot of things that companies do to make their problems worse, which are avoidable with a little bit of thought and planning,” said John Hauser, a Principal with Ernst & Young and a former Special Agent in the Cyber Division of the FBI   

Treat Communications with Care

“Remember when you're using Slack or texts or any other app, you're not writing in invisible ink,” said Marie Mortimer, a partner with Hunton Andrews Kurth who specializes in commercial litigation. “Most plaintiff's attorneys are casting a very wide net when it comes to discovery. So they're going to ask for the dreaded ‘all information.’ We're not just talking about formal reports or considered communications. We're talking about communications that happen in the heat of the moment of an incident.”

In general, these off channel forms of communication can turn into real gold for someone trying to reconstruct a scenario, particularly if they seek to make a case that the company was already aware of a security vulnerability or didn't respond adequately or quickly enough. And don’t think about getting cute. Those documents will get produced during discovery.  

“While it's hard to adopt that mindset in the moment,” she said, “you need to start disciplining yourself now so that when you get to litigation that email you fired off in the heat of the moment doesn't come back to haunt you in a deposition where suddenly you find yourself center stage being deposed and asked questions about an email that you never intended to have significance that it later takes on.”

That extends to heat-of-the-moment, gallows humor, which is very common in security circles. The quickest way to find yourself in front of a lawyer is by firing off one of those texts or Slack channels talking about your security being akin to Swiss cheese or anything that refers to the security posture of the company in a way that's negative or could be perceived as negative.

“Anything that refers to the threat as recurring or anticipated – maybe even five words that end up having a consequence that you never intended to attach to them,” she said. “So before you hit ‘send’ on that message, think to yourself, how would I feel if that was blown up into giant font and posted in the middle of Times Square.”

Fellow panelist Brian Levine, a managing director at Ernst & Young and a former cyber crime prosecutor at the U.S. Justice Department, added that sometimes it's not the specific words someone uses, but the toxic tone.

“People just can be nervous in these situations and some of the nervousness or whatever other emotions are involved will just come out in their texts and their emails,” he said. “I've seen numerous instances where a case was going nowhere. It was going to be dismissed…and then for whatever reason, emails come out and civil litigation ends up doing a 180 and now everything is bad. So, it does matter.”

Keeping Stakeholders Informed

After a data breach discovery, who needs to get notified and in what order of priority? There's no single, uniform answer. In fact, there are competing tensions at play. While you want to communicate in a timely fashion with all stakeholders – impacted business partners, consumers, regulators – the clock starts running right from the moment you become aware of a breach.

“There are litigation consequences to whether or not you delayed notification,” said Mortimer. So, on the one hand, you're under pressure to deliver a message in a timely way, but the competing or counterbalance pressures, you want to be accurate in those communications. Because sometimes you overstate or understate the incident if you're working on limited information.”

Ultimately, she said, it’s a balancing act.

“Don’t delay too long before responding but try to get some information to make sure you feel relatively certain,” she said. “And then in the communication be transparent about the fact that the facts are continuing to evolve. So, leave yourself some room if different facts develop, but timeliness, accuracy, and transparency are key rules when communicating with your stakeholders.”

That means considering all the possible reporting obligations – not the least of whom include a veritable alphabet soup of possible regulators. “And you need to make sure you're considering all of that,” according to Mortimer. “A lot of this comes down to communication and appropriate escalation, which should be built into your incident response plan to make sure the appropriate internal stakeholders are involved early on and that the lines of communication are open. So those are some of the things that I think about right away when trying to consider how do I make sure that a bad situation doesn't get worse and get away from me.”

Incident Response

In the wake of a data breach, an incident response team will publish a narrative describing how the attack happened, the security flaws responsible for the breach and what the organization needs to be doing to prevent similar attacks.

Unfortunately, the reports are not always carefully written, according to Levine. In fact, he said, they may only be preliminary drafts based on initial impressions and so, not completely accurate.

“They may tend to suggest blame, for the incident, which is really unhelpful. They may identify a bunch of things that the company should have done but didn't do. And they may go beyond where they need to go,” he said. “As a result, the plaintiffs in a data breach suit are almost always going to request a copy of any incident response reports in discovery, and that can be a problem.”

One suggestion offered by Mortimer was to adopt a `Dragnet’ approach to the report, knowing that it will inevitably become part of any data breach litigation.

“Just the facts, Ma'am,” she said. “It doesn't have things like extraneous assessments. It doesn't have what the (legal) counsel asked you to do. It doesn't have recommendations that aren't core to the actual underlying facts of the breach.”

Get to Know Law Enforcement

Developing relationships with law enforcement in advance of a breach can be super-helpful, noted Hauser. “We always recommend developing a relationship with your local cyber agents. So, you go on the FBI's website. Find the field office nearest to you or to your clients and have conversations in advance. Get to meet a cyber agent, such that you have their personal information or their card with you at all times.”

At the very least, they can prove to be great sources of information to help you respond to breaches.

“What we found is if you have no relationship in advance and if you have a ransomware attack and then you reach out, you may hear nothing in the timeframe that you would need to for it to be helpful,” Levine said. “Whereas if you have a personal relationship in this example, you can reach out right away.”