The best strategy for data collectors to prepare a breach response plan may be to look at what others did right and wrong in response to a cyber incident. After reviewing a number of responses to large-scale data breaches, it has become clear that some responses are better than others. It is also clear that all large-scale breaches and the responses have a number of moving parts. Therefore, in order to analyze all these moving parts to prepare for an incident, the best method for data collectors may be to break their strategy into the following three phases:
- Pre-Breach Preparations should include discussing breach scenarios in the abstract. This timeframe should be dedicated to identifying an internal and external response team and create a general roadmap for a response.
- Post-Discovery Preparations should include refining the roadmap to address the specific breach facing an entity. By this point, a data collector will have more information on the incident and should be able to prepare for the announcement of the incident.
- Post-Announcement Response should include re-working any portion of the response plan that is not going as intended and responding according to the roadmap created in the earlier phases.
While it is still early in Equifax Inc.’s response, Equifax’s recent breach provides the perfect backdrop to take a closer look at these three phases for preparing for and engaging in a successful breach response. Admittedly, we are just learning the full scope of Equifax Inc.’s massive data breach which was announced on September 8, 2017. While different numbers have been discussed, it appears about 143 million people may be impacted. Suffice it to say, this was a huge data breach. The FTC’s website provides the following facts [1]:
The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.
The analysis of this latest breach can be expected to go down the well-worn path of other large-scale breaches [2]seen at Target, Home Depot or Yahoo. And, over the coming months, we can expect to see more information concerning Equifax’s breach. For example, Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Oregon [3], respectively the chairman and ranking member of the Senate Committee on Finance, sent Equifax detailed questions about the breach seeking “a detailed timeline of the breach, information about the company’s efforts to identify the number of consumers affected, the breadth of information compromised and the steps Equifax has taken to identify and limit potential consumer harm.” This information, and being able to analyze this information, will be key for any data collector to review their own breach response plans.
Pre-Breach Preparations Allow A Stress-Free Review Of Safeguards And The Response Game Plan
During the Pre-Breach Preparations, a data collector will have the opportunity to confirm that it has taken all steps necessary to safeguard information and have a roadmap in place if there is an incident. Once an incident occurs, it may be too late to thoroughly review the roadmap and the general structure must be created in order to fill in the details as the breach unfolds.
First, Equifax’s breach, involving a credit reporting agency, is different than a prior breaches which took place at retailers, financial institutions or medical care providers. That is, Equifax is often called on to provide credit monitoring to individuals that may be caught up in a cyber incident at a retailer, financial institution or medical care provider. For example, the Illinois Personal Information Protection Act states that any breach notification shall include “the toll-free numbers and addresses for consumer reporting agencies.” See, 815 ILCS 530/10 [4] Therefore, notification letters prepared in accordance with Illinois law would most-likely direct Illinois residents to Equifax. Equifax and the other credit reporting agencies build their entire business on keeping information safe. At present, there is no information concerning what Pre-Breach Preparations Equifax had in place but there will undoubtedly be a substantial amount of information disclosed over the coming months.
Post-Discovery Preparations Allow A Response To Address The Specific Facts Of The Incident
Post-Discovery Preparations allow a data collector to address the specific information it has learned from its initial investigation into its response roadmap. That is, the roadmap can now be revised and supplemented because the investigation will show if this is a case of ransomware, a data breach or some other cyber attack. The data collector can also determine whether it will notify any individuals and if so, what law governs that notification. The decision to contact law enforcement should be made during this phase as well. This phase may be the last time the data collector has full control over the incident.
News reports indicate Equifax discovered the breach on July 29, 2017 [5]. Therefore, Equifax had more than a month, post breach, to formulate a response to this particular breach before it was announced to the public. However, there is still little information concerning Equifax’s Post-Discovery Preparations at this time.
Post-Announcement Response Allows An Entity To Address Issues That May Have Been Missed In The Other Breach Response Phases
Hopefully, the response plan will only need to be slightly tweaked by the time a data collector reaches the Post-Announcement Response.
Equifax’s breach response at this point includes offering one free year of its credit monitoring service and providing information via its website created just for this breach [6]. However, over the last week, Equifax has faced a backlash including the following complaints related to its response:
- News reports indicate that a number of people are struggling to determine if their information was included in Equifax’s breach using a website provided by Equifax. After making a number of attempts to use the website, many commentators found the website “hopelessly broken.” By September 8, 2017, Equifax had to issue a statement claiming to have fix problems with its website [7].
- Equifax’s offer to provide free credit monitoring for a year is being called into question as not providing sufficient time to properly monitor one’s credit and as a marketing ploy to get subscribers after the first year has expired. Leaving some commentators to say “so, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach.”
- Equifax had to issue a statement to address growing concerns that the terms of service that consumers must accept before enrolling in the free credit monitoring service required them to waive their rights to sue Equifax for a breach. Equifax’s statement attempted to clarify its position that nothing in the terms of service would apply to this breach.
- More than 20 proposed class-action lawsuits have been filed around the country in less than a week since the breach was announced.
- Shares of Equifax closed down 8.2% on September 11, 2017 after falling more that 13% on September 8, 2017.
- SEC filings show that three Equifax executives sold nearly $2 million in shares in the company days after the cyberattack was discovered. Equifax had to issue another statement after its announcement indicating that while the three executives sold a “small percentage” of their shares August 1 and August 2, 2017, they “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Unfortunately, Equifax’s various supplemental announcements after the initial announcement have placed Equifax’s response under further scrutiny. Equifax is now being called on to respond to a variety of issues since its announcement of this breach. The Equifax breach makes it clear that the Post-Announcement Response phase can be the most stressful phase and will require a solid roadmap formulated in the earlier breach response phases.
As we learn about the Equifax breach (or any other data breach) it will be key for data collectors to look at all the information related to the breach response to determine if their own brief response roadmap is sufficient. Analyzing the various phases of a response and how those phases are connected will be necessary to continuously improve their own response plans.