Post Blog: Defending a breach

Data breaches can severely wound a company and have become a major boardroom concern. Last year's data breach at Sony will apparently cost the company at least $5.6bn.

Investigating the incident, notifying and supporting those whose data has been compromised, and potentially paying for fines or lawsuits, can all be costly.

But the greatest loss can be to a company's reputation. There are serious consequences if personal or corporate data falls into the wrong hands, and even long-time and dedicated customers can be driven away if a breach is not handled properly.

A profitable market has grown up around the collection and resale of stolen data. It is surprisingly familiar in many regards.

The sellers are competing with one another on price, volumes and quality of their products and we've seen everything from volume discounts to special sales: ‘This week only buy 1000 bank records and get 1000 free drivers licence records.'

The UK's Information Commissioner's Office is able to fine companies up to £500 000 for serious breaches of the Data Protection Act. These might include losing financial data that subjects an individual to identity fraud or loss of sensitive personal medical data that causes worry and anxiety.

Regulatory scrutiny of data breaches is currently intensifying in Europe, following the example set in the US.

An EU regulation, which may come into force as early as 2014, threatens draconian fines of up to 2% of worldwide turnover for firms that fail to provide timely notification to customers who suffer financial loss as a result of a data breach.

A key element in the successful response to a data breach is coordination of the range of expert services a company needs to minimise its losses and protect its reputation in the eyes of customers.

The company will need instant access to high quality forensic, legal, credit monitoring and/or identity theft protection services, and sound PR advice.

Can the media blow things out of proportion? Sure, but companies that have suffered a data breach often shoot themselves in the foot when responding.

Some try to keep the data breach a secret, acting as if they believed that hiding the truth would make it go away. Others try to get away with doing as little as possible.

Too many companies that believe they have suffered a data breach are being advised to immediately notify their customers and relevant government agencies.

Every data breach law provides a short period from a few days to several weeks during which an investigation can be carried out.

It is essential for a victim company to understand exactly what has happened and what data, if any, has actually been compromised. Failing to do so can result in a company spending millions to remediate a breach that never occurred.

When it comes to investigating a breach, first steps involve working out whether the breach was initiated internally or externally, whether the source of the attack is identifiable and if it is still on-going. Limiting a live intrusion to protect data is also essential.

Organisations can do a number of things to prevent incidents occurring and to mitigate risks to their business.

Data should not be stored if it's not needed for a specific, definable and real business process, and should not be kept for longer than it has value unless required to do so by law or regulation. The simple message here is: ‘They can't steal what you don't have.'

Companies should also set ‘need-to-know' limits to determine who can access what data. Security patches should be rapidly applied, to close security holes that would otherwise exist in your systems. Intrusion detection and prevention systems should also be used to detect and prevent data leakage.

It is also important to test your systems regularly with penetration tests that attempt to breach your security and by running vulnerability scanners to identify unpatched machines, servers that haven't undergone appropriate security hardening, and rogue wireless communications.

When it comes to a data breach, companies have a lot to lose: data, time, money, customers and credibility. The stakes are getting higher as data protection and notification laws tighten.

A data breach is not the place to learn crisis management. We're encouraging companies to develop and test data breach incident response plans so that they know, and have practiced, what to do if an incident happens.

Paul Bantick is head of technology, media and business services at Beazley, and Tracey Stretton is a legal consultant at Kroll Ontrack.