Your Customer Data Has Been Compromised, Now What?

Developing an incidence response plan can help organizations be better prepared when a data security breach occurs, and internal auditors can become an active part of the response process.

Carol Stucki, CISA, CICA, PMP
Manager of Financial Systems, LDS Church

Because organizations worldwide process all kinds of confidential information every day, it is important for executives to understand the repercussions a data security breach can have on the organization — from the moment the breach is detected to the way the company responds after the breach occurs. When data security mishaps occur, an incidence response plan can become an organization's most trusted ally. Internal auditors can help organizations plan ahead by becoming part of the incidence response planning process and by providing recommendations that can help companies overcome even the worst data security breach.

WHY IS AN INCIDENT RESPONSE PLAN NECESSARY?

A security breach is the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by an organization. The data could consist of credit card and financial account numbers, medical information, Social Security numbers, insurance information, and a person's credit history report. The unlawful access to this kind of data can lead to loss of profits, lack of public confidence in the organization, and legal ramifications stemming from noncompliance with data privacy laws. Having an incident response plan that addresses different data security breaches can minimize the damage a company may incur when information is exposed. The following example can help to illustrate how a security breach can affect an organization.

Visa, Master Card, American Express, and Discover Card require companies to notify them, affected customers, and the necessary credit and law enforcement agencies when a security breach occurs within 24 hours of the incident. Failure to notify agencies or customers can result in large fines, company restrictions, and even the prohibition of using credit card services in the future. Companies using Visa or MasterCard, for example, can pay fines as high as US $500,000. Table 1 puts these fines and restitution costs into perspective:

# Cards	Card Restitution Costs	Replacement Cards Costs	Monitoring	Fines from Visa	Fines from MasterCard	Total Liability
500	$500,000	$37,500	$22,500	$32,500	$27,500	$620,000
5,000	$5,000,000	$375,000	$225,000	$65,000	$55,000	$5,720,000
50,000	$50,000,000	$3,750,000	$2,250,000	$130,000	$110,000	$56,240,000
500,000	$500,000,000	$37,500,000	$22,500,000	$650,000	$550,000	$561,200,000

Table 1. Credit card restitution costs and fines (Source: Wells Fargo Web site)

Unfortunately, many companies still lack a coordinated approach to respond to a data security breach. An incident response plan that addresses how the organization will respond when a breach occurs can help reduce fines and restitution amounts. For instance, companies that have a response plan but fail to detect or report a breach may be fined by Visa, MasterCard, or American Express. The next section provides different steps internal auditors can recommend for organizations that wish to create an incident response plan, but don't know where to begin. These steps include determining how to respond to the breach, identifying what kinds of data could be impacted, putting together the plan's creation team, drafting the plan, and formulating and contacting the response team.

Important Data Security and Breach Notification Laws

In the United States, 32 states currently have breach notification laws. These laws generally follow the California model, which recommends that victims be notified when their data is compromised. Below is a list of the main data notification laws impacting the way organizations work in the United States and member countries of the European Union (EU).

California Civil Code 1798.82. This law requires companies that conduct business in California and own or license computerized data containing unencrypted personal information to notify California residents of any security breach of their unencrypted personal information.
The U.S. Health Insurance Portability and Accountability Act (HIPPA) of 1996. This legislation provides guidance regarding the proper ways to protect personal health information through the act's Privacy and Security rules. Furthermore, the act requires any entity collecting, storing, or transmitting medical data to implement policies and procedures to address security incidents.
The U.S. Gramm-Leach-Bliley Act (GLBA) of 1999. This act includes provisions to protect a consumer's personal financial information that is held by a financial institution. GLBA gives authority to eight federal agencies and all 50 states to administer and enforce the act's Financial Privacy and Safeguards rules.
The Organization for Economic Co-operation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These guidelines were established to protect individuals from the automatic processing of personal information, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorized disclosure of such data.
Safe Harbor. The European Union and the United States have different approaches to data security. To bridge this gap, the U.S. Department of Commerce and European Commission created the Safe Harbor framework. The Safe Harbor enables U.S. companies to conduct business with member countries of the EU without interruption, as long as U.S. organizations comply with the framework's seven principles.

Other national and international laws exist that companies need to take into consideration when implementing compliance activities and creating an incident response plan. Auditors need to become familiar with these laws to ensure the company meets their requirements before a breach occurs.

What to Consider When Creating a Plan
Before the plan is drafted, the company needs to determine how it will respond if a security breach occurs and what kinds of data could be exposed. The way the plan is drafted depends of these two crucial steps.

Determining How to Respond to the Breach
First, the company needs to identify what it will do after the incident is detected. This will help to decide the type of plan that is created. An important decision to make is whether the company will prosecute the person(s) responsible for the security breach, because this will determine the information that is included in the plan.

If the company decides to prosecute, the plan needs to identify how evidence will be collected and documented, so that evidence is not compromised and the information is obtained correctly. Otherwise, the chain of evidence could be broken and the prosecution's case may not hold up in a court of law. For example, if the company does not follow forensic procedures while collecting the evidence, the judge may consider the evidence inadmissible in court, defense lawyers may argue the evidence's validity, and the case may be damaged.

The company also needs to determine if it will attempt to trap the culprit or just prevent further damage. Although catching a culprit can be a complicated process, it will enable the company to have a stronger case if it decides to prosecute. Whether or not to catch the culprit needs to be decided before the plan is created, based on how the company wishes to proceed, which depends on the company's mode of operation and type of work.

Identifying What Kinds of Data Could Be Exposed
Second, the company needs to determine what kinds of data could be impacted if a breach occurs. This risk assessment is based on what type of work the company does on a daily basis and can be conducted by the internal auditor, information security officer, or appointed security staff. For instance, if a company accepts credit card purchases, a credit card data breach should be taken into account as a possible risk. If the company processes insurance claims, the risk assessment should consider any possible breaches of personal and medical data.

The kinds of data that might be exposed during a breach also depend on how the company conducts business transactions. For example, if the company uses the Internet to collect information, it will have different security issues to consider, such as how to capture and protect the data collected via the Internet. Therefore, the company will need to assess the different risks that are likely to happen, categorize risks based on their level (i.e., low, medium, or high), and prioritize how each risk will be remedied when a problem arises.

Putting Together the Plan's Creation Team
Once the organization knows how to proceed in the event of a breach, and scenarios are outlined that address the high-risk areas identified in the risk assessment, the company should put together a team to create and test the response plan. The team, which reports to senior management, should consist of subject-matter experts on each of the company's business processes, internal auditors, legal advisors, and systems security staff.

To develop the plan, the team should first learn what other companies in the same industry are doing. Getting examples of actual incidence response plans will assist companies in determining what their plans need to include. The American Institute of Certified Public Accountants (AICPA) and The Canadian Institute of Chartered Accountants (CICA) have posted an incidence response plan template, Incident Response Plan — Template for Breach of Personal Information, which can be found on their sites. The incidence response plan is available for a fee to any interested party. In addition, various U.S. universities, including the University of Texas, University of Illinois, and Yale University, have posted their security response plans on the Internet.

The creation team also should determine what best practices to include as part of the plan. For information on incidence response best practices, companies can check out Visa's What to Do if Compromised (PDF, 176KB), available free of charge on the company's Web site. The document outlines how Visa expects to be notified when a data breach takes place and provides advice on how to perform a forensic investigation if an incident is discovered. In addition, California's Department of Consumer Affairs has posted useful information for companies looking to comply with California's data notification law, Civil Code 1798.82. The document, Recommended Practices on Notice of Security Breach Involving Personal Information (PDF, 94KB), also gives examples of letters companies can send to customers.

Drafting the Plan
Once the plan creation team is established, the company can begin drafting the plan. Effective incidence response plans should incorporate the following elements:

Scenarios that cover what kinds of data the company handles on a daily basis and how it collects that data.
The completed risk assessment, including all of the risk scenarios and vulnerabilities identified.
Who to contact based on the kind of risk. Contact information should include the person's title, name, phone number(s), and e-mail, as well as an alternate contact name.
A complete list with the name and contact information for the entire response team and any backups.
Escalation protocols (i.e., how to proceed when the breach is identified, such as when and who to call for more help).
How to preserve and record evidence and examples of the kinds of evidence that need to be gathered.
Sample notification letters to send to customers after the incidence is discovered.
Sample press releases to send to the news media.
Information on what to tell senior managers and how to notify them.
Information on what to tell partners, including credit card companies, law enforcement agencies, and business partners, and how to notify them.
A plan for testing the response scenarios.
Change control procedures to keep the plans updated.

After the plan is created, it needs to be tested and altered based on the test results to determine whether the plan is effective and supported with the appropriate company resources and staff. Changes to the plan should be made based on the company's change management policies and procedures.

Formulating and Contacting the Response Team
The company might need more than one response team, depending on the scenarios identified during the plan's creation. However, some of the same members may be on more than one team. Possible members of the response team include the company's:

Internal auditor, IT auditor, fraud auditor, or forensic specialist.
Systems security staff, such as SANS certified staff in cyber forensics.
Data privacy officer.
Legal counsel.
Business analysts with expertise in the areas identified in the risk assessment.
Public affairs staff.
Credit card relationship owners (e.g., treasury or accounting staff).
Human resources staff.
Operations or facilities staff.

Each team member will perform different tasks based on their roles, for instance:

Internal auditors can conduct a risk assessment that estimates the potential liability of a breach to the company; evaluate the company's internal controls to determine whether information systems and third-party data are secure; review the incidence response plan to determine whether it enables the company to comply with internal and external regulatory mandates; and enhance systems security through the recommendations of best practices.

Systems security staff can detect the problem and the systems affected, as well as help to determine the amount and type of data that were breached.
Data privacy officers can interpret and enforce the company's policy and act as the point of contact to the organization's legal counsel on data privacy issues.
Legal staff can act as the point of contact between the company and other regulatory agencies, and advise the company on the appropriate method of collecting and documenting evidence.
Business analysts can inform the company on what data was affected by the breach and how it was used.
Public affairs employees can provide statements to the press, company partners, and customers.
Treasury or accounting staff can act as liaisons to credit card agencies and financial institutions.

Escalating the Breach
Because most breaches are not initially recognized, education on how to spot, report, and escalate a potential breach is needed. For instance, someone will notice a server is performing slowly or some file is not accessible, which will prompt the person to call the help desk or IT department. As a result, the help desk's or IT support staff need to be able to identify whether something has happened. A list of data breach "clues or symptoms" can be created and given to help desk employees so they can better assess whether a breach has occurred.

After the help desk or IT support staff is contacted, they should notify the systems security team, who should be able to determine what actually occurred and whether private or confidential data was on the breached system, file, or transmission. If systems security staff finds anything unusual, they should contact the next person on their list — the incidence response team plan coordinator. The plan coordinator will contact all members of the response team, as well as third parities — such as law enforcement agencies, customers, state agencies, credit reporting agencies, and possibly the media.

STAYING ALERT

Given the current security landscape, companies can no longer afford to sit by the sidelines when a security breach occurs. Being proactive by creating and implementing an effective incidence response plan will help organizations react in a timely and effective manner to any data security breach. This, in turn, will save the company time and money, while their business reputation remains intact. After all, how a company responds to a data security breach can be the difference between staying in business or not.

Auditors and executives who wish to learn more about different privacy standards and issues can visit the following Web sites:

www.pcisecuritystandards.org/index.htm. This Web site is the home of the PCI Security Standards Council.
Epic.org. This Web site contains useful resources and news items on electronic privacy issues, including an online guide to privacy resources.
Privacy International's Web site. This human rights group maintains a privacy archive of international materials on privacy protection, including laws, treaties, and proposed standards.
The Institute of Internal Auditor's (The IIA's) Web site. The IIA has published a Global Technology Audit Guide on privacy, Managing and Auditing Privacy Risks, available on its Web site. Besides discussing different privacy principles and frameworks, the guide provides a list of resources that can help companies manage data privacy risks more effectively. In addition, the guide provides a summary of the different IIA Practice Advisories that are related to data privacy issues.

Carol Stucki, CISA, CICA, PMP, is manager of financial systems for the LDS Church. Stucki has provided management and IT audit consulting services, conducted technical audit reviews, and held positions in IT project management and programming. She has worked as a senior IT auditor with the University of California and as a strategic project manager and technical producer for PurchasePro, and has worked for other companies including Arthur Andersen, Perot Systems, and Verizon.