Hands off the panic button: Post-breach advice from the experts

By Chad Hemenway on June 6, 2014

Everything that can go wrong doesn’t have to go wrong following a network security breach.

While it’s unfair to say victims of breaches do everything wrong in the minutes, hours, and days following a breach, it is fair to say companies are not the experts—though they unfortunately sometimes think they are.

Managing the aftermath is “not the do-it-yourself portion of the breach,” said Molly McGinnis Stine, partner of the Cyber Insurance Group of Locke Lord, at Advisen’s Cyber Risk Insights Conference in Chicago last month.

“Preparation is the key—the most important thing you can do,” said Bo Holland, founder and CEO of AllClear during a recent Advisen webinar, “The game has changed. A company does not control the timeline.”

Companies can no longer handle post-breach responses on their own terms. Oftentimes—70 percent of the time, according to Holland—companies learn of breaches from outside sources such as law enforcement or the press. Breached entities may think they have a handle on the situation until the breach goes public, and a list of emergency numbers to call in the event of an incident “is not sufficient,” Holland said.

But as Mark Greisiger, president of NetDiligence said, “An incident response plan is easier said than done.” Right now, an unfortunate common element of post-event response is panic, he added.

Don’t delay; don’t be too quick

According to John Mullen, partner at Lewis Brisbois, one of the “most fatal things that can go wrong” following a data breach is delaying action. Companies have a habit of rationalizing reasons not to pick up the phone, whether it be denial or an outright attempt to keep the breach under wraps.

Ironically, speed can also hurt a company following a breach, Mullen adds.

“They want to fix it and move on,” Mullen said. But most breaches aren’t that easy, and the only thing a rushed decision to publish notifications accomplishes is putting out misstatements and inaccuracies.

“While disclosures are warranted, you want to time that with correct information,” said George Pagano, complex cyber and technology claim director at AIG, in Chicago.

Greisiger said companies have launched notifications before understanding whether they have triggered any law that would require them to do so.

Overstatements and projecting a false sense of security are other common missteps by companies after a network security breach.

Companies will tell the public they’ve solved the problem entirely, which is “setting [a company] up for a problem,” said Mullen. “It’s never happened before. You can’t possibly know what happened until you know.” And that can take weeks, if not much longer.

“Make sure the fire’s out,” Mullen said.

Document, define

There is no easy answer. Data-breach response is not a one-size-fits-all proposition, and it becomes much more complicated without insurance. But experts at the conference and in the webinar agree a good start involves people who know what they are doing. In other words, companies need to count on guidance from outside forensic firms, public relations firms and attorneys—often provided as part of an insurance policy.

“Document an incident response plan with a protocol to sound the alarm,” said Holland. “Define internal leads in IT, legal, communications, and customer support, and have external vendors ready to go.”

Breach coaches understand state and federal law, and could have relationships with state attorneys general—which could mitigate fines, Greisiger said. Experienced forensic investigators can identify a breach and determine whether personally identifiable information was touched, he added. But companies that go without a comprehensive insurance program that includes these services would be better off pre-negotiating rates with vendors instead of waiting until vendors can use a company’s demand and desperation against it.

And buyer beware: “Any vendor who tells you they do it all—don’t trust them,” Mullen said. “No one can handle this cradle to grave.”

Also take a look at how far downstream insurance coverage goes. Outsourcing IT can make sense financially, but there can be problems when a breach occurs.

“It adds a layer of complexity,” Mullen said. “Find out your rights under the contract.”

Practice

Holland additionally recommended in-house training of employees and regular table-top exercises to test responses of public relations and legal departments. Include mock notifications.

Mullen said firms should routinely assess network security, using outside vendors who can provide them with a graded report card.

“It helps if they are going to be defensible as my future client and you can get better insurance rates,” said Mullen, adding succinctly: “Get insurance.”

“The level of stress is bad enough with insurance,” he said.

Advantages include tapping an industry that has been tracking and studying experts with diverse skill sets in the cyber and technology industries, said Greisiger.

Who ya gonna call?

“Let us know,” said Pagano. “We can get you in touch with counsel and adequately experienced forensics.”

Likewise, Mullen advised breached companies to call their broker, carrier or breach coach. And include the company’s risk manager, who likely has the best knowledge of what is covered. Experts said companies often spend their own money even when there is coverage.

“I’ve seen that,” said Joshua Ladeau, US Technology Practice lead at Allied World. “Include the risk manager in the [post-event] team. Get the most out of the policy.”

It seems as though inside counsel often trumps risk managers in the decision-making process following a breach, which can be a mistake, experts said. “The risk manager should be involved early,” Greisiger said.

Holland said companies may want to “give regulators a heads up” after a breach. “Sometimes that can go a long way,” he said.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824.