Life Cycle of a Data Breach
Connecticut Attorney General George Jepsen presents
As a part of CTC’s initiative to prepare Connecticut businesses for cyber threats, its members and affiliates met at Frontier Communications New Haven to discuss the Life Cycle of a Data Breach and state initiatives around security. This marks the second meeting of CTC’s Cybersecurity Seminar Series.
Members and friends of CTC arrived at Frontier Communications early June 3rd to enjoy a light breakfast and networking before the start of the program. The 70 attendees mingled with other concerned business owners and cybersecurity experts. Attorney General George Jepsen kicked off the program with a keynote address on state’s cybersecurity initiatives.
“Upon my appointment I did not expect data protection to be so important,” said AG Jepsen. “Now we are receiving breach reports at a startling rate and it is something at the forefront of my mind.”
Five months after being appointed Attorney General, and coming to terms with the reality of data protection, Jepsen started the Privacy Task Force – a group of attorneys charged with being proactive about cybersecurity. One such attorney appointed to the force is Michele Lucan, assistant attorney general. Lucan was in attendance as part of the expert cybersecurity panel and did her part to shed light on some of the specific tasks associated with the Privacy Task Force.
According to Lucan, there are a number of laws already in place to protect both individuals and businesses. From social security statues to HIPAA regulations, the state is doing its part to further educate its population on data protection. Lucan notes that one of the most important implications of data security is reporting a breach. There is a rotten stigma working against breached companies making them feel ashamed to admit their data was compromised. The Privacy Task Force is putting emphasis on the fact that any business can be targeted regardless of preparation. Despite the media’s reaction the attorney general’s office treats all cases with encouragement and sensitivity.
“You are a victim until the investigation shows proof of negligence.”
Panel member Steven J. Bonafonte, attorney at Pullman & Comley, followed Michele Lucan with a presentation on the Life Cycle of a Data Breach. In this presentation Bonafonte highlighted some of the most important steps in detection and response. They are as follows:
Reaction. The time gap between infiltration and detection is critical. The sooner a breach is caught and the quicker the hacker can be shut down, the
Investigation & Remediation. Immediately following a breach it is crucial that the attack be reported to all appropriate parties. This includes reporting to the state’s your clients call home. Each state’s protocol for reporting may be different so do your homework and be ready to submit a detailed report. You’ll also need to make sure your executive team is ready to take action; this includes preparing individuals on your IT, legal, and communications teams.
Insurance. This is your life raft. When your server has to be shut down, insurance will be your saving grace. Be aware that data protection insurance is young and there is not currently a uniform policy. “It’s the wild west of the data protection world; every policyis different.” So shop around.
Convening to 3rd parties. Make sure you have an investigative team already on the books. If you wait until you’ve been breached to hire an attorney, be prepared to pay a premium.
Having the relationship already established will save you time and money and give you peace of mind – in the event a breach you’ll know who to call.
Notification. Requirements vary from state to state. It is best to craft a letter by the protocol standards of the most aggressive state to appease all conditions in a single notification letter. Certain industries will be required to fulfill greater reporting standards.
PublicRelations. Be ready to take on the giant of public relations and have a plan set in place to go public in the event of a breach. Lack of a plan will result in higher media scrutiny.
ClientNotification. Your clients and business partners have the right to know their information was compromised. This can be communicated through mass emailing.
Respondto Inquiries. Be proactive, don’t let questions go unanswered for long.
Debriefingand Risk Mitigation. Post breach debriefing is crucial for all levels of your business.
Continue Business as Usual
After Bonafonte’s dissection of the data breach life cycle, Gary Cuozzo, owner at ISG Software Group LLC, was asked to highlight some of the biggest data breach mistakes companies make. This is what he said:
“One of the biggest mistakes I see is companies rushing to put their systems back online before due-diligence has been done. Don’t be too hasty, stay calm and don’t jump the gun. Wait to go back online until the issue has been resolved.”
Cuozzo also noted that having an appropriate backup is incredibly important and is something most business overlook.
“If you can retain your data by taking a snap shot around the time of breach detection, your investigation could be that much stronger. Information is crucial.”
When Cuozzo was asked what specific steps business should take in the event of a breach – here is what he said:
“First, take your system offline immediately. This can be challenging, and painful, but its logistically crucial. Second, treat your compromised system with complete distrust. If a hacker got in, and if you don’t make changes, they’ll infiltrate again. Tear it down and build fresh. Last, make sure you maintain the integrity of the breached data.”
At the close of the program attendees stuck around to continue the discussion with our cybersecurity experts. Many of the attendees were impressed by the content and level of adeptness and are looking forward to the third Cybersecurity seminar in September.
“I found the recent CTC Cybersecurity event in New Haven timely and informative. With the recent Connecticut regulatory changes associated with cyber intrusion, the panel discussion on back-up retention, data encryption, vulnerability testing and recovery planning provided credence to our current cyber security strategy along with some valuable insights for next steps at our company.” – Sheldon Paul, CFO, Proton OnSite