Platform Magazine Quotes Tuma Discussing CyberGard: The Public Relations Side of a Data Breach

Thank you to Platform Magazine for quoting me discussing the PR component of my CyberGard – Business Cyber Risk Protection Program in this forward-thinking article about the value of getting public relations on board before your company has a data breach.

In a recent post I explained why a data breach response must focus on the business side of the breach: “The most important issue is how the incident will impact the company’s overall business. No matter how great of a job we do on the legal side, if the business side suffers too much, it is an overall failure. These situations are not the time for tunnel vision.”


A key component of focusing on the business impact is the business’s communications with the public. This is where having professionals to help with the “messaging” becomes so important. Read more in The Public Relations Side of a Data Breach | Platform Magazine.


“Defense wins championships” when preparing for the inevitable data breach

“The best strategy to manage the inevitable data breach of your enterprise is to be prepared.” -Adam Greenberg, SC Magazine

Exactly–you must prepare on 2 fronts: Defense & Response

In a recent article in SC Magazine, Adam Greenberg marches along faithfully with many of us in trying to get you, the business leader, to appreciate the severe risk that data breaches pose to your business. He starts by repeating the old data breach proverb, “It is not a matter of if, but when,” which readers of this site have heard many times before.

It is now a given that every enterprise either already has been, or will be, the victim of a data breach. It’s just life in the digital age; get used to it.

More importantly, prepare for it. A data breach can be either (1) a catastrophic event that threatens the very existence of your enterprise, or (2) just another adversity that your enterprise faces, manages, and learns from along its journey to success.

The choice is yours and is determined by whether you stick your head in the sand and ignore the risk or prepare for it. The first step you must take is to decide that you will not ignore this threat and that you will prepare for it. This is the most difficult step for many business leaders but, once we get past it, we start making progress.

Preparing for a data breach requires preparing a defensive strategy and a responsive strategy.

Preparing to Defend

“Offense sells tickets; defense wins championships.” -Coach Paul “Bear” Bryant Jr.

When we talk about preparing for a data breach, some people jump the gun and start thinking about how they will respond. This loses sight of the primary objective–your duty–PROTECTING THE DATA which, necessarily, requires defending your system.

The top priority for your enterprise is to take steps to assess and strengthen its cyber security posture. Then, the deficiencies that are identified must be corrected (there are always deficiencies). And don’t forget to document the steps that are taken (here is why).

Preparing to Respond

After you have prepared your defensive strategy, the next step is to prepare for responding to the inevitable data breach. Every enterprise needs a data breach response strategy that is documented in a written breach response plan (here is why).

The breach response plan needs to be comprehensive, readily accessible in an emergency, and everyone needs to be trained on their roles in the plan. You can read more about breach response plans here.

Fortunately, this process is not as intimidating as it may sound. The most difficult part is that you must decide that you will make sure your enterprise is prepared for this risk. After you make that decision, a qualified adviser who has helped other enterprises prepare for these situations can guide you through the process.

Learn more about the author’s unique CyberGard–Cyber Risk Protection Program.


Source of original article: Plan ahead: Prepare for the inevitable data breach – SC Magazine.


Publix hasn’t had a data breach but is already seeking PR help in case it does — good or bad?

This is interesting. The Publix grocery store chain has made the news because of data breach — not because it has had a data breach (though it probably has and just doesn’t know it) — but because it has been learned that it is sending out requests for proposals for PR help in the event it does have a data breach. The reaction to this is mixed. Some people think it is good, but many are taking a cynical view of this move.

What do I think?

Well, thank you for asking!

I like it. First, one of the most important messages I try to preach these days is the need for companies to take the threat of data breach seriously, to prepare ahead of time, and have a plan in place so that all they have to do is execute that plan in the event a breach occurs. Look, I blogged about this just this past week and a whole bunch of times before.

Does the fact that the attention to Publix’s preparation is being focused on the fact that it is seeking PR help in any way diminish this?

That depends.

One of the key components of any breach response and breach response plan is to involve PR to help the company properly “message” its response to its customers and minimize the overall disruption to the business. If the business crumbles, nothing else matters — so the PR side of the response is crucial.

So, if Publix is screening and assembling its PR team in an overall effort to prepare for a breach, that tells me that it is taking data breach seriously [give it a check] and that it is putting resources behind that concern [give it another check], and putting a plan in place to be prepared to respond to the inevitable data breach [give it another check]. This is good — this is what we are encouraging.

What this also tells me, and that I hope is the case, is that if Publix is devoting energy and resources to this kind of preparation, there is at least a decent chance that it is putting energy and resources into actually hardening its data security systems and improving its overall cyber security as a company. If this is true, then this is great — this is exactly what we are trying to encourage!

Now, if my assumptions are wrong and all that Publix cares about is the PR message and nothing else, well, then that is a much different story. If it is, then I really have to question the wisdom of its leadership because what this shows is that Publix is aware of the threat, recognizes the harm it can cause, is devoting energy and resources to it but in a self-centered and careless way, and is making a conscious decision to not correct it — and when that happens, if it has a breach, it just may be the one to get it!

Check out the article for yourself, here’s a brief quote:

Publix operates 1,082 locations in six states across the South and Southeast, and ranks as one of the 10 largest supermarkets by volume. The company’s request for proposals says it “would like to understand how a PR company could provide assistance preparing for, and during a data breach, e.g. advice and assistance with messages.” That could include a “proactive review” of Publix customer relations and “rapid response scheduling in the event of a confirmed breach. Publix prides ourselves in the relationships we build with our customers and associates and as such will require a company with outstanding communications skills and experience.”

via ‘Proactive’ Publix seeks PR help in event of data breach | TBO.com, The Tampa Tribune and The Tampa Times.

Gov’t Contractors Must Notify of Data Breach Within 3 days

If your business is a contractor for the federal government, you had better have your data breach response ducks in a row. The moment you detect a breach, the clock starts ticking and you have only 3 days to notify of the breach. Yes, I said 3 days!

You better already know who your legal counsel a/k/a “breach coach” will be.

You better already know who is on your company’s breach response team.

You better already know who your cyber security forensics and remediation firm will be.

You better already have your PR professional in place.

You better already have your notification vendor in place.

You better already know what information must be in your notifications, depending on the jurisdiction.

You better already know what information cannot be in your notifications, depending on the jurisdiction.

You better already have your cyber insurance in place.

In other words, you had better have your breach response plan in place and be ready to execute that plan within 3 days’ time.

Tick. Tock.

If you are not prepared, now is the time to get prepared. Take the first step by contacting Shawn Tuma and learning more about his unique CyberGard–Cyber Risk Protection Program.


Source: Feds to Toughen Up Data-Breach Reporting Rules | Corporate Counsel.


3 Important Questions the State Attorneys General Will Ask Your Company Following A Data Breach


In an earlier blog post I wrote about how

[w]hen your company has a data breach, these are the top 3 questions that you will be required to answer:

  1. How did the breach happen?
  2. What steps did your company take before the breach to protect the data and keep it from happening?
  3. What steps is your company taking after the breach to ensure this does not happen again?

These 3 questions serve as the framework for how you need to think about your company’s data security policies, procedures, and systems. (3 Important Questions Your Company Must Answer After A Data Breach | Shawn E. Tuma).

One of the main sources of these questions will be the Attorneys General of the states whose residents’ information was compromised in the data breach. In helping clients respond to data breach events in recent years, I have seen a tremendous increase in the level of interest and depth of inquiry from the AGs’ offices within the last year, and I expect this trend to continue.

This hunch seems to have some support from a recent article in Time discussing the response to the recent eBay data breach:

Attorneys General in three U.S. states along with European officials are investigating a massive data breach at eBay which may have compromised more than 100 million users’ passwords.

“The magnitude of the reported eBay data breach could be of historic proportions, and my office is part of a group of other attorneys general in the country investigating the matter,” said Florida Attorney General Pam Bondi in a statement Thursday.

The Federal Trade Commission and Attorneys General in Illinois and Connecticut have also vowed to conduct a probe into the incident.

“My office will be looking into the circumstances surrounding this breach as well as the steps eBay is taking to prevent any future incidents,” said Connecticut Attorney General Jepsen in a statement Thursday. “However, the most important step for consumers to take right now is to change their password and to choose a strong, unique password that is not easily guessed.”

(via Investigators Target eBay Over Massive Data Breach)

At this point, the article only mentions the AGs from 3 states — but my hunch tells me there will be a lot more involved before the dust has settled. What do you think?

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues. These issues include things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.


3 Important Questions Your Company Must Answer After A Data Breach

Riddle: What has sensitive data, is the target of cyber criminals, and will (almost certainly) have a data breach?

Answer: YOUR COMPANY!

When your company has a data breach, these are the top 3 questions that you will be required to answer:

  1. How did the breach happen?
  2. What steps did your company take before the breach to protect the data and keep it from happening?
  3. What steps is your company taking after the breach to ensure this does not happen again?

These 3 questions serve as the framework for how you need to think about your company’s data security policies, procedures, and systems. A great response to the second question is to show that your company had — both for itself and third parties with which it does business — adequate security policies, procedures, and systems and that they were audited. This is the focus of a blog post I co-authored with Scott Geye that was recently published on Whitley Penn’s In the Black blog.

Here is a brief excerpt:


If a company suffers a data breach that results in the compromise of PII, the company is then required to follow applicable breach notification rules and disclose the breach to, in most cases, certain governmental bodies, agencies, industry groups, and the consumers whose information was compromised. When this happens, the first thing many of those will ask is “how did the breach happen?” and the second thing they will ask is “what steps did the company take before the breach to protect the data and keep this from happening?”

When the company has been proactive and prepared for this, it can minimize the potential enforcement actions that will come against it, if it can show two things: First, that it had strong data security policies and procedures in place. Second, that its data security policies and procedures had been properly audited. The message that these two steps send is that the company had taken its data security obligations seriously and that it was diligent in following up to ensure that it had done so. Something as simple as this can make a very big difference when others, such as those governmental bodies, agencies, industry groups, or even a jury, look back with the 20/20 vision of hindsight and decide if the company should be penalized because of the data breach.

*   *   *

The framework for reporting on internal controls for data privacy at service organizations has already been established. You may be familiar with Service Organization Control (“SOC”) reports. SOC reports include both SOC 1, which is intended for reporting on service organization controls over financial reporting, and SOC 2, which is intended for reporting on service organization controls to meet the Trust Services Principles Criteria. The Trust Services Principles Criteria has five defined principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Currently, the demand for SOC 2 Privacy reports has been minimal, but the demand will likely increase as more organizations seek to gain assurance over their service organizations’ compliance with the growing number of data privacy regulations.

Read more here: The Perfect Storm for Data Privacy Regulations « In The Black – A blog from Whitley Penn, LLP – CPAs and Professional Consultants.



The SEC Will Begin Looking at Companies’ IT Security and Data Breach Response Policies

THE POINT: Recent statements from the SEC indicate that the new standard of care for companies may require policies in place for (1) prevention, detection, and response to cyber attacks and data breaches, (2) IT training focused on security, and (3) vendor access to company systems and vendor due diligence. Do you still think your company’s policies are not that important? Wrong — you had better get them updated, and here is why.

More Lessons From Target’s Data Breach

Last week we learned that the likely penetration point for the intrusion into Target’s system that led to the massive data breach was traced back to network credentials that were stolen from a third-party vendor. Apparently it was a refrigeration, heating and air conditioning subcontractor that had worked at many Target locations, as well as for several other retailers. (KrebsonSecurity) The obvious question that many are asking is, “why did Target give an HVAC company access to its network?”

Recent Statements from the SEC

While we are still searching for an answer to that question, however, the Securities and Exchange Commission (SEC) has already foreseen the potential problems that come about when companies give others — including vendors — access to their systems. In late January 2014, Jane Jarcho, the National Associate Director for the SEC’s Investment Adviser Exam Program said they will begin looking to see whether companies have policies to prevent and detect cyber attacks and are properly safeguarding against security risks that could arise from vendors having access to their systems:

“We will be looking to see what policies are in place to prevent, detect and respond to cyber attacks,”

“We will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors,”

via SEC examiners to review how asset managers fend off cyber attacks | Reuters.

What do you think the lesson for any business is if the SEC is now making a point to begin looking to see if companies have policies in place for (1) prevention, detection, and response to cyber attacks and data breaches, (2) IT training focused on security, and (3) vendor access to the company’s system and vendor due diligence? That’s right — this is becoming the new standard of care and your company had better have them.

Now, I know what you may be thinking: “but we have a full set of policies and they were done by some really good professionals, they must cover this.” Maybe. Maybe not. The problem is not that your company did not have great professionals writing very good policies … a couple of years ago, or even last year. The problem is that we are now facing emerging issues with hacking, cyber security, and data breaches that most people did not foresee even a year or two ago (such as with the Target third-party vendor), so they did not know to include these issues in the policies they were writing for companies. The speed with which technology and the nature of security threats are evolving demands that companies review and, if necessary, update their policies on a yearly basis. Shouldn’t yours? Do you need to hear more?

Ok, let’s try this. Back in July 2011, I wrote a post that I titled Data Breach — Who’s Gonna Get it? The main point of the post was that data breaches were becoming so common that companies could no longer claim that they were not a foreseeable risk. Data breaches had become foreseeable and, by not taking appropriate measures to protect against them, companies were showing a callous disregard to the protection of their customers’ private information which, to the right jury, could result in a punitive damage award that would literally kill the company. Do you think data breaches are less foreseeable today than they were when I wrote about them in 2011?

Of course not! And now we not only have enterprising lawyers out there continually testing theories for how to get a data breach lawsuit to trial, but we also have substantially increased enforcement from the states’ attorneys general, the Department of Health and Human Services Office for Civil Rights, the Federal Trade Commission, and the Securities and Exchange Commission getting into the action. There will be more, as this is the new hot issue and it really does deserve your attention.

One of my favorite sayings is, “an ounce of prevention is cheaper than the very first day of litigation.”

Nothing could be more true than when it comes to the issue of policies and procedures for cyber security and data breach response plans. If your company needs policies and procedures for the types of cyber security and data breach issues discussed here, or if you would simply like to have its existing policies reviewed to ensure they are adequate, please feel free to give me a call (469.635.1335) or email me (stuma |at| brittontuma.com). I have assisted many companies with data security issues, from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. When it comes to data security, I see the whole playing field and I would be happy to use my experience to help your company as well.