7 Common Breach Disclosure Mistakes
How you report a data breach can have a big impact on its fallout.
December 6, 2018
Marriott International is quickly emerging as the latest example of the importance of proper breach disclosure.
Last week the hotel giant disclosed that sensitive data belonging to some 500 million Starwood Hotels customers had been compromised in an intrusion that began in 2014 and remained undiscovered until this September.
Since the disclosure, the parent company has been hit with at least two lawsuits accusing it of delaying the breach disclosure and not providing enough details on the incident. The lawsuits are expected to be the first of many the company will face over the breach.
The breach has focused considerable attention on familiar topics, such as the need for organizations to have better breach detection and response capabilities, and on issues including data collection and data minimization, encryption, access controls, and strong authentication.
It is also serving as a new example of the need for organizations to have strong processes in place for breach reporting and disclosure, especially in an era of stringent regulations like the EU's GDPR.
"The fact this breach happened around four years ago and Marriott found out two months ago is concerning," says Ken Underhill, master instructor at Cybrary. "We all understand that a company needs to investigate what happened, but two months to report something this large is not acceptable," he says.
Here, according to Underhill and several security industry experts, are some of the most common pitfalls to avoid when making a breach disclosure.
To a large extent, how well you report and disclose a breach depends on how well you have planned for it in advance. Make sure the response plan cuts across functions and includes members from marketing, communications, and legal, says Tim Erlin, vice president of product management and strategy at Tripwire. "The worst time to figure out how to respond to a breach is while it's happening," he says. "Make decisions ahead of time, not in the heat of the moment."
The plan should include who will release breach information, what information will be released, and when. "If you don't do it correctly, not only can you have extra damage to your brand, but you increase your likelihood of being sued, which drives up the cost of the breach," says Laura Lee, executive vice president of rapid prototyping at Circadence.
Don't attempt to cover up the breach or mislead. Not only is the cover-up unlikely to succeed, it is also likely illegal.
Ultimately, cover-up operations are likely to backfire, Tripwire's Erlin says. "Understand your obligations under the law and to your customers, then prepare ahead of time," he says.
Unless there's a legal or a law-enforcement-related reason, don't delay breach notification. "If you delay notification, there needs to be a good reason for it, which you will need to explain," says Dave Klein, senior director of architecture and engineering at GuardiCore. Before communicating the breach publicly, have your security experts conduct a final review to ensure the reporting is accurate and corrects any inaccurate assumptions, he adds.
When a breach happens, speed and clarity are vital, adds Mike Lloyd, CTO at RedSeal. Organizations that have fared badly after a breach have always been the entities that mishandled the disclosure, took too long to disclose, miscommunicated the details, or tried to cover up the issues, he says.
"There is always a surprise factor when you realize someone has broken in, but the better you know your own organization, the faster you can respond," Lloyd says. It's critical to have a working map of your business and infrastructure, knowing what your critical assets are, and understanding all the interdependencies that exist in your infrastructure. "If you have to figure this out live, while you're trying to update the press, the public markets, and your regulators, it's not going to go well," Lloyd says.
Be prudent about what you share. "While breach disclosure may be a requirement, the detail you need to share is variable," Tripwire's Erlin says. Make the effort to understand what's really required and also what will ultimately benefit your customers, shareholders, and the market, he says.
Sharing too much information about what happened can be dangerous and give other bad actors clues on how to exploit the situation. In the Equifax breach, for example, the company was quick to disclose that the initial breach resulted from a security flaw in Apache Struts, GuardiCore's Klein notes.
"Incident responders would have had to go through an exhaustive process to ensure they still weren't susceptible to that vulnerability to include it in the reporting," he says. "You need to be as detailed as possible without giving out information that could leave you still vulnerable."
The flip side to sharing too much information is sharing too little. The point of notifying customers is to allow them to protect themselves, so share what you can in order to help them do so, Tripwire's Erlin notes. "There's nothing more frustrating than a notification that really doesn't tell you enough to take action," he says.
Not saying something is a lie of omission, adds James Carder, CISO at LogRhythm. "This is never a good thing and could cause significant damage to your brand," he says. Organizations that are unsure about their obligations should hire an incident or breach adviser or consultant with expertise around breaches, breach disclosure practices, and subsequent public relations. "If you do it right, you will minimize the negative impact of the breach and might even come out looking better than you did prior to it," Carder says.
Bringing law enforcement into the investigation is a good way to understand what you can and have to disclose publicly, Carder says. "In many cases, law enforcement limits what can be shared so as not to impede the investigation itself," he says. "Involving law enforcement is free and can significantly help protect your company."
Hiring an incident or breach adviser or consultant can inject your team with expertise around breaches, breach disclosure practices, and subsequent public relations. You only get one chance to initially go public with a breach and minimize the potential impact to your brand. You have to demonstrate that you took the appropriate actions, acted responsibly, and followed best practices around due care and due diligence.
While the attackers or circumstances may be technical, the impact is very much a business problem. So breach response shouldn't be dealt with in silos, Erlin says.
Organizations without mature processes for handling data breaches can waste precious time attempting to find the best course of action while a massive fire is already burning, adds Bogdan Botezatu, director of threat research and reporting at BitDefender.
Often, the IT security team runs an internal audit to understand the scope and magnitude of a data breach before notifying the PR and legal team of the incident. "This delay in notification buys attackers precious time to capitalize on the breach or to break the news themselves to the victims," Botezatu says.