How Long Should It Take You To Disclose A Breach?
Whenever I read the news that a data breach has occurred, my first two questions are “how big is it?” and “How long did it go for”.
For example, the Omni Hotel chain announced a breach this week and they said it affected 49 out of their 60 hotels, affected 50,000 customer cards, was detected on May 30th and it ran between Dec. 23, 2015 and Jun. 14, 2016, but many hotels had a shorter time when they were affected.
On the other hand, Wendy’s, which I have written about a lot, first denied the story, then said 300 stores, then more than 300 stores, now says 1,025 stores and has never said how many cards were compromised, even though the banks have said it is really big.
So what is a business to do?
The first question is how long after the breach did you detect it? Nortel Networks, which filed for bankruptcy in 2009 and was sold off in parts, did not detect a breach at the very highest levels of the company for 10 years. While this is not the record, it is close to it (the longest running breach I know of was in Europe and lasted 12 years before it was detected).
Now that you have detected the breach, the next step is to take out your cyber incident response plan – the one that is well thought out and periodically tested – and follow what it says. Advisen says that 75% of organizations have a response plan and that 58% have never tested it. I think both numbers are way too high. WAY too high.
The next question is figuring out what the bad guys got. For most companies, Wendy’s included, that is the biggest challenge. Even for what I think is the few that have a well done and tested incident response plan, they don’t have the log data in order to figure out what happened. This was confirmed yesterday by a friend who works for a three letter agency who helps very large companies deal with breaches. And if the very large companies can’t do it, how could the small companies do it.
The next question, which MUST be done in conjunction with counsel who understands the cyber domain, is legally, how long do you have to disclose it and to whom. For example, if you are a Department of Defense contractor, you have 72 hours to notify DoD, but that doesn’t mean that you have to notify the public at the same time. Under HIPAA , for breaches of more than 500 people, you have 60 days to notify the Secretary of HHS. Every oversight body has it’s own rules, but typically, it is 30-90 days. But don’t assume. Not notifying in a timely manner has it’s own problems.
At the same time, you are trying to figure out what was taken, you want to activate your crisis communications plan. Since you have already engaged a crisis communications expert, you pick up your phone and hit Speed Dial 2 (Speed Dial 1 is reserved for your cyber knowledgeable attorney) and activate the plan. Oh, wait, most companies don’t have a crisis communications plan – which becomes a crisis of it’s own.
Bottom line, there is no “answer” to how long, but the better prepared you are, the better plan that you have, the more log data that you can actually use, the more experts that you can rely on, easier that answer will be to find.
Wendy’s discovered that they didn’t do so good in that department. In part that is likely because they thought their business was feeding people. While that is certainly true, most companies are information companies. The reason Wendy’s has those fancy POS systems is so that company executives know, hour by hour, how many hungry people they fed. That is an information company.
So as you review your already written and well tested incident response plan, think about the above and see if you need to update that plan.
Information for this post came from ID Experts.
by 