As the number of high-profile cyberattacks and data breaches has increased in recent years, more companies have invested in securing their systems and developing incident response plans. These are essential, but a firm’s obligations do not end when the threat has been removed from the network and normal operations resume. It must also notify those whose data may have been affected by the breach. That notification process can be daunting, but with preparation, strong defenses and the aid of an experienced breach response team, it can be tamed.
Before a Breach Occurs: Proactive Steps
The mantra that suffering a data breach is a matter of “when” rather than “if” still stands. There are numerous proactive steps organizations can take to prepare for when that time comes. First and foremost, this means implementing and maintaining a strong security program. An organization that already runs a mature cybersecurity program will find the steps leading up to a notification considerably easier. But there are further nuances to be aware of.
The importance of knowing where sensitive data is stored within the organization cannot be overstated. Locating it is relatively straightforward with data discovery and classification tooling, which is often already available within the platforms an organization uses. Knowing where the data lives allows you to secure your most important assets properly, starting with the basics, such as granular access controls that limit how much data any one account can expose. Maintaining this kind of inventory is also a requirement of several regulations, including the General Data Protection Regulation (GDPR).
Access rights can be tightened further by enforcing the principle of least privilege: grant only the lowest level of permissions required for a person or service to perform its duties. Simple steps such as these help prevent, contain or at least delay a localized data exposure from growing into a near-total compromise of the system.
Analyzing logs is a critical part of understanding the scope of a data breach, so ensuring that sufficiently detailed logs are generated and retained for long enough is essential. This includes configuring audit logging in cloud-based services such as Google Workspace or Microsoft 365, whose default retention periods can be shorter than the time between an intrusion and its discovery. With adequate logs, the organization can determine the depth and scope of any unauthorized access and confine the data review to the data elements actually at risk of exposure; without them, the review may have to assume that everything the attacker could reach was taken. Regular review and evaluation of logging practices are critical to being able to answer the investigative questions that will inevitably be asked.
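As an added example (not code from the original article or from Kroll), the script below shows what determining the depth and scope of unauthorized access looks like in practice once the logs exist. It runs a constructed, Microsoft 365-style audit export through a scoping function for one compromised account and one suspected window, returns the objects that account touched (the review list), and flags when log retention does not reach back to the start of the window. The account, IP addresses, file paths and the list of operations counted as data access are assumptions made for the illustration.

```python
"""Scope an account compromise from retained audit logs.

Added example, not code from the original article or from Kroll. The
records below are constructed to imitate the shape of Microsoft 365
Unified Audit Log JSON lines; the account, IPs, paths and the set of
"data access" operations are assumptions made for this illustration.
"""
import json
from collections import Counter
from datetime import datetime

# Operations treated as "touched data" for scoping the review. The names
# follow the Microsoft 365 audit schema, but this list is an assumption;
# a real review should be driven by the operations present in the export.
DATA_ACCESS_OPS = {
    "FileAccessed", "FileDownloaded", "FileSyncDownloadedFull",
    "MailItemsAccessed", "SearchQueryPerformed",
}

# Constructed sample export (UTC timestamps). One compromised account,
# jsmith, plus an unrelated user and an event after the window closed.
SAMPLE_LOG = """\
{"CreationTime":"2024-02-28T07:15:00","UserId":"mlee@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.4","ObjectId":""}
{"CreationTime":"2024-03-01T08:02:11","UserId":"jsmith@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.7","ObjectId":""}
{"CreationTime":"2024-03-01T08:05:40","UserId":"jsmith@example.com","Operation":"FileAccessed","ClientIP":"203.0.113.7","ObjectId":"https://example.sharepoint.com/sites/HR/Payroll2023.xlsx"}
{"CreationTime":"2024-03-01T08:06:02","UserId":"jsmith@example.com","Operation":"FileDownloaded","ClientIP":"203.0.113.7","ObjectId":"https://example.sharepoint.com/sites/HR/Payroll2023.xlsx"}
{"CreationTime":"2024-03-01T08:09:15","UserId":"jsmith@example.com","Operation":"MailItemsAccessed","ClientIP":"203.0.113.7","ObjectId":"jsmith@example.com/Inbox"}
{"CreationTime":"2024-03-01T09:30:00","UserId":"mlee@example.com","Operation":"FileAccessed","ClientIP":"198.51.100.4","ObjectId":"https://example.sharepoint.com/sites/HR/Payroll2023.xlsx"}
{"CreationTime":"2024-03-02T17:45:10","UserId":"jsmith@example.com","Operation":"FileAccessed","ClientIP":"198.51.100.4","ObjectId":"https://example.sharepoint.com/sites/Sales/Q1.pptx"}
"""


def parse_records(text):
    """Parse a JSON-lines export, attaching a parsed timestamp to each record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def scope_access(records, account, window_start, window_end):
    """Return what `account` did between two ISO-8601 timestamps (inclusive).

    `objects` is the list of items to review for sensitive data elements;
    `coverage_gap` is True when the earliest retained record is later than
    the start of the suspected window, meaning retention does not cover it
    and the review scope cannot be narrowed from logs alone.
    """
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    earliest = min((r["_ts"] for r in records), default=None)
    coverage_gap = earliest is None or earliest > start
    touched, ops, ips = set(), Counter(), set()
    for r in records:
        if r["UserId"].lower() != account.lower():
            continue
        if not (start <= r["_ts"] <= end):
            continue
        ops[r["Operation"]] += 1
        if r.get("ClientIP"):
            ips.add(r["ClientIP"])
        if r["Operation"] in DATA_ACCESS_OPS and r.get("ObjectId"):
            touched.add(r["ObjectId"])
    return {
        "objects": sorted(touched),
        "operations": dict(ops),
        "source_ips": sorted(ips),
        "coverage_gap": coverage_gap,
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    # Suspected window: the attacker's sign-in until the credential reset.
    print(json.dumps(scope_access(recs, "jsmith@example.com",
                                  "2024-03-01T08:00:00", "2024-03-01T12:00:00"),
                     indent=2))
```

The coverage_gap flag is the retention point in code: when it is True the logs cannot narrow the review, and the scope has to be assumed to be everything the account could reach. Note that the function deliberately ignores the later FileAccessed event from the same account on 2024-03-02, because it falls outside the window; if the investigation later widens the window, the same logs must still exist to be re-run.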
Finally, a well-tested backup and recovery strategy prevents the loss of essential data and supports business continuity in cases such as ransomware attacks. Companies that maintain up-to-date, validated backups can begin the notification process without significant delay, because the backup provides a reference copy of the data as it stood before the incident. A comprehensive backup strategy therefore assists the data review and identification process as well as speeding up the return to full operations.
During a Breach: Preservation
When developing plans for breach notification, data preservation is key. In the forensic sense, preservation means capturing a snapshot of a particular set of data at a particular moment in time. Organizations should make every effort to ensure that copies of the exposed data are preserved as soon as the exposure is identified and that the established protocols for making and preserving those copies (including recording who made the copy, when, and how its integrity can be verified later) are followed. Any delay between the exposure and preservation, and any lapse in established preservation procedures, can significantly affect the availability or reliability of the exposed data.
This can be particularly difficult if an organization has high data churn, or if the impacted systems hold sensitive data that is highly transient. For example, if sensitive data is frequently shared, moved, added or deleted, whether by automated processes or by people, it becomes hard to reconcile changes to the data as time passes. Organizations need to understand how their sensitive data is stored and used before they begin the preservation process.
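As an added example (not the article's or Kroll's own tooling), the script below shows one way to make a preserved copy verifiable: it records a SHA-256 manifest of a directory at preservation time and later compares the tree against that manifest, so that the churn described above shows up as modified, missing or new files rather than going unnoticed. The directory, file names and file contents are constructed inside the script so that it runs offline.

```python
"""Preservation manifest: hash a snapshot so later drift is detectable.

Added example, not code from the original article or from Kroll. The
directory contents are constructed inside the script so it runs offline;
the file names and contents are made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path, size and SHA-256 of every file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "file_count": len(files),
        "files": files,
    }


def verify_manifest(root, manifest):
    """Compare the tree under root with a manifest taken earlier.

    Anything outside `unchanged` means the preserved set no longer matches
    what was captured. That is the churn problem in concrete form: the
    manifest is what lets you prove which version of the data was reviewed.
    """
    current = build_manifest(root)["files"]
    recorded = manifest["files"]
    report = {"unchanged": [], "modified": [], "missing": []}
    for rel, meta in recorded.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    report["new"] = sorted(set(current) - set(recorded))
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed walk-through: snapshot a share, let it churn, re-verify."""
    sample = {
        "customers.csv": b"id,email\n1,a@example.com\n",
        "notes.txt": b"meeting notes\n",
        "export/q1.json": b"{}",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        manifest = build_manifest(root)
        # Churn after preservation: a row is appended, an export is purged,
        # and a new file appears. Each should show up in the report.
        with open(os.path.join(root, "customers.csv"), "ab") as f:
            f.write(b"2,b@example.com\n")
        os.remove(os.path.join(root, "export", "q1.json"))
        with open(os.path.join(root, "new.log"), "wb") as f:
            f.write(b"later activity\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is written to a separate, access-controlled location at the moment of preservation and kept with the chain-of-custody record; the preserved copy itself should be taken from a read-only snapshot or image rather than the live share, so that the manifest describes a set of files that nobody can keep editing.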
After a Breach: Data Mining
If the previous recommendations have been followed, data will be protected, organized and controlled in a way that makes notification more efficient and accurate, and organizations will be in a stronger position to begin the breach notification process when that time comes.
Once an organization has identified and preserved all the data exposed in the breach, data mining can begin. Put simply, data mining is the programmatic searching and manual review of the exposed data to determine what information it contains and to whom it relates. Its direct output is the notification list. Ideally, this process involves stakeholders from the affected organization, legal counsel (internal and external), trained forensic examiners and the data mining team. For a complex data mining operation to succeed, these parties must work cohesively and in concert with one another.
They will also need to navigate some predictable but no less difficult hurdles, such as unstructured data. Several common file types, such as PDFs, require special handling and pre-processing, and manually pulling data from these files can be incredibly time consuming. Where the exposed documents were generated from a searchable database (reports or exports, for example), producing the list of affected individuals directly from that database will likely give better results than extracting it from the documents. Sustained effort on other kinds of text recovery (such as OCR of scanned images), translation or processing may be necessary for the data mining team to get a complete picture of the data. Having all the relevant stakeholders work in lockstep can significantly add to the effectiveness of the data mining phase.
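The programmatic-search half of data mining, as an added example that is not the article's or Kroll's own code, and which serves equally as the sensitive-data discovery step described under proactive steps: the script below scans text already extracted from preserved documents (the PDF and OCR pre-processing is assumed to have been done) for SSN, email and payment card patterns, rejects the common false positives with an SSA issuance check and a Luhn check, and returns both a per-document hit list and an identifier-to-document index from which the review team builds the notification list. The document names and contents are constructed, and the identifier patterns are limited to three US-centric types for illustration.

```python
"""Pattern search over extracted text to scope a notification list.

Added example, not code from the original article or from Kroll. The
documents are constructed; pre-processing (PDF text extraction, OCR) is
assumed to have produced plain text already. Patterns cover three
identifier types only, as an illustration of the approach.
"""
import re
from collections import defaultdict

# Constructed sample of extracted text. Names and numbers are made up;
# 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_DOCS = {
    "hr/payroll_2023.txt": (
        "Employee: Jane Doe, jane.doe@example.com\n"
        "SSN: 123-45-6789\n"
        "Corporate card: 4111 1111 1111 1111\n"
    ),
    "sales/q1_notes.txt": (
        "Invoice ref 000-12-3456 (not an SSN)\n"
        "Mistyped card 4111 1111 1111 1112\n"
        "Contact: buyer@example.org\n"
    ),
    "it/readme.txt": "Nothing personal here.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def plausible_ssn(area, group, serial):
    """Reject ranges the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn checksum; a card-shaped number that fails it is almost never a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return (type, value) hits for one document's extracted text, in document order."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        hits.append(("email", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def mine(docs):
    """Map documents to hits and identifiers to the documents they appear in.

    The identifier index is the raw material for the notification list:
    reviewers still tie each identifier to a named individual, but they
    only need to read the documents that actually contain hits.
    """
    per_doc = {}
    per_identifier = defaultdict(set)
    for path, text in docs.items():
        hits = find_identifiers(text)
        if hits:
            per_doc[path] = hits
            for kind, value in hits:
                per_identifier[(kind, value)].add(path)
    return per_doc, {k: sorted(v) for k, v in per_identifier.items()}


if __name__ == "__main__":
    per_doc, per_id = mine(SAMPLE_DOCS)
    for path, hits in per_doc.items():
        print(path, hits)
    print(len(per_id), "distinct identifiers across", len(per_doc), "documents")
```

The two validity checks are what keep the manual review tractable: the invoice reference and the mistyped card number in the sales notes look like an SSN and a PAN to a plain regular expression, and without the checks both would land on the reviewers' desk. Real engagements extend the pattern set (dates of birth, account numbers, national identifiers outside the US) and pair it with name detection, but the structure is the same.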
A Seamless Data Breach Notification Process
By implementing these data processes before, during and after an incident, the data breach notification process can be dramatically simplified: unforeseen costs are less likely and logistical problems are minimized. What’s more, a strong cybersecurity foundation goes a long way toward preventing a data breach and responding to one appropriately, because the data is secured, stored and preserved using industry best practices.
Kroll’s Cyber Risk team has years of experience helping businesses navigate this difficult terrain. Our end-to-end proactive response and investigative services help organizations at any stage of a cyberattack, specifically to support effective breach notification. Kroll’s cyber security professionals can help clients design their system at the outset to ensure all necessary data is easily accessible and examinable. When a breach occurs, Kroll offers remote or on-site assistance to help organizations complete data preservation. Finally, after the fact, Kroll can step in with the right team to mine the data and be able to conduct notification. Ultimately, Kroll enables its clients to minimize risk by protecting customer data and fulfilling legal and regulatory obligations, all while maintaining a close eye on the company’s reputation.