CISO's Guide to Breach Notification
Recent Incidents Up the Ante on Responding to a Hack
"It's not enough to know the architecture of the breach system," says Michael Aisenberg, principal, defense & homeland security at MITRE Corp, a not-for-profit organization that manages federally-funded research and development centers. "Leaders have to understand the different jurisdiction of where they do business, where their customers are and which breach law applies to which customers and subjects."
Evolution of Breach Notification
In just the past several weeks, organizations such as Google, Sony Corp and Citibank have been involved in high-profile data breaches involving millions of customer accounts. These incidents have spurred the proposal of a new U.S. federal breach notification law, which if passed would standardize the existing 46 state data breach notification laws into one overarching federal act.
"The significant difference in state laws is the variance in the definition of 'what is a breach?'" Aisenberg says.
Some of these laws include a 'test of harm' to determine whether a breach has occurred. For instance, if a policy requires that electronic storage devices be logged in and out by users, in some states a failure to follow that policy could itself be treated as a breach, whereas in others, if the data is never compromised or accessed and no real harm has occurred, the policy violation is not defined as a breach.
Also in the U.S., within the healthcare sector, organizations that comply with the Health Information Technology for Economic and Clinical Health Act are exempt from the proposed federal legislation, as healthcare organizations are already required to provide notification following a breach of unsecured protected health information.
"To avoid confusion, security leaders operating a multi-state, national or global customer base should follow the most restrictive data breach standard and make that their one standard to follow," says Philip Alexander, the Wells Fargo Bank Information Security Officer who wrote the 2007 book "Data Breach Disclosure Laws - a State by State Perspective."
Globally, the European Union, Canada and Australia have passed acts legislating mandatory data breach disclosure, while countries like Japan have instituted voluntary guidelines. Again, these laws vary. "The data protection laws in Europe are much more aggressive in defining who owns personally identifiable information," Alexander says. They follow a more severe assessment of when a breach occurs and place a harsher burden on custodial entities to assure that good care is taken of the data and appropriate remedies are provided in the event the breach requires notification.
"Part of Europe's aggressive policy is because duties of custodial responsibility reside in their privacy framework, and unlike our state laws, they have a rational assessment of actual loss and, or resulting harm," Aisenberg says.
The CISO's Burden
In light of these laws, which require organizations to notify individuals when a breach of security leads to the disclosure of personal information, leaders such as Chris Wilkinson, a senior manager in the security and privacy group at Crowe Horwath LLP, an IT risk and public accounting firm, find their roles layered with new responsibilities in specific areas: data loss prevention, information privacy, encryption, forensic analysis and the whole investigation process surrounding a data breach.
"It has added responsibilities to my position in analyzing and understanding breach identification and what the breach notification responsibilities and processes are," he says.
For instance, the security leader must now develop and implement an effective breach notification plan, reviewed against applicable law, that establishes the organization's procedures for responding to a breach. An acceptable plan includes the following elements:
- An investigation of the incident - what happened?
- What was the breach?
- What caused it?
- What is affected?
- What are the steps to respond and communicate about the incident?
As breach notification procedures are refined, new laws spell out the steps more clearly, leaders say.
"The way data breach legislation is impacting the role of security leaders is by adding more clarity around the actual requirement and spelling the minimum standards needed to avoid notification," says Mac McMillan, CEO of CynergisTek, a provider of IT security solutions for healthcare organizations and Chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Steering Committee.
For the first time, many of these notification rules now spell out what is required with respect to encryption, risk assessments, privacy and data loss prevention, and include specific guidelines and references to National Institute of Standards and Technology (NIST) best practices that call out the methodologies or technologies that are approved and acceptable for these tasks. These breach notification laws are "helping leaders like me get more involved in the process of defining what my requirements, physical asset inventory are, where sensitive information is, and what as a practitioner I need to use encryption or data loss prevention for," McMillan says.
The challenge for CISOs is to accurately find and map data, as well as to determine which elements create sensitive combinations and how the data moves within the organization. "Without this knowledge and coordination, it will be hard to create an effective security program that will protect both the data and the organization," says Mike Russo, chief information security officer for the state of Florida.
Russo routinely meets with different state agencies to ensure they all work closely to recognize protected personal information and perform due diligence in preventive areas such as risk assessments.
"As a CISO, my role has become increasingly focused on collaborating with different agency units to understand their core processes and the information workflow within their jurisdiction," he says. "It ultimately comes down to having the intelligence to recognize how to restrict and enforce the rules around data and systems, and understand where data can potentially be at risk."
5 Tips for Better Breach Notification Practices
To address some of these new challenges, here are five tips shared by security leaders:
- Educate and Communicate security best-practices, written policies and priorities to every single employee, even if some of the security measures don't affect those people. This step helps ensure every employee understands what the company expects in terms of its security and privacy needs.
- Map and Align Data with the information security strategy as a whole. Review the entire architecture and network of systems to understand where your data actually needs to live, who needs access to it and where it needs to transit, and use other technologies to help you enforce those rules, says McMillan. "Data mapping and segmentation are crucial so that organizations can follow a 'need to know' access for all information."
- Become Legally Aware of the threat landscape and legislation around breach notification. Be prepared to know: What constitutes a breach? What does the process involve? What are the exceptions to the breach notification requirements? Also understand how to provide a notice and communicate to affected individuals, media outlets and relevant state or federal authorities. As organizations get further into the concept of accountability and having to give notices in the event of a breach, "There is going to be a greater responsibility for security leaders to understand specific pieces of legislation at the local, state and federal level - and how those pieces are applicable to them in securing their systems and data," Wilkinson says.
- Maintain Close Ties with Public Relations. Handling data breaches, incident response and notifications is becoming a routine job function for many security leaders, requiring them to work closely with the public relations department within their organizations to ensure the company's reputation is safeguarded. In preparing for a breach, or when a security incident reaches a magnitude that must be reported to relevant authorities, CISOs need a strategy in place to handle the communications associated with the notification process. "They need public relations to define the right approach and develop a corporate message and image that is transparent and unified across business units," Russo says.
- Collaborate with Business Units. As business units use new levels of information and data, security leaders need to coordinate with key C-level executives and "take on the task of managing information, in addition to securing it," says Russo. A security leader needs to clearly define a comprehensive security strategy with the help of others to address protection and security of the entire lifecycle of information within an organization. Included in the development of an information-centric security strategy are a number of steps that leaders need to implement, including risk assessment, securing access to information, and assuring policy and regulatory compliance.
Ultimately, leaders say, as breach notification laws get tougher, CISOs find not just greater responsibilities, but also new career opportunities.
"An interesting trend is happening," says McMillan. "IT security leaders are getting expanded in responsibilities that range from incident response, investigative analysis and breach notification to IT compliance. And now it's their actions that will dictate their freedom and relevance given to this position within the enterprise."