Incident Response: Don’t Rush the Security Breach Notification Timeline

Despite the expectation to report findings almost immediately, officials should use caution and avoid communicating information too quickly.

by Jayne Friedland Holland, CSO and Associate General Counsel, NIC Inc. / October 17, 2014

Data breaches are becoming more prevalent. Since the Target breach in late 2013, a major data breach has been discovered almost every month, including those at Home Depot, Neiman Marcus, AOL and eBay, to name just a few. There were more than 600 reported data breaches in 2013 -- a 30 percent increase over 2012. And all of this has cost the U.S. economy $100 billion annually, making the U.S. the hardest hit of any country.

When dealing with a security breach, one of the primary concerns is notifying the affected parties. And, as security breaches and compromised personal information have become nearly a constant in news headlines, there are an increasing number of laws and regulations related to how breach notifications should be handled.

In 2014 alone, 19 states either introduced or considered security breach legislation. The Florida Information Protection Act of 2014 was passed, requiring that affected individuals be notified as soon as possible -- but no more than 30 days after the breach's discovery (the state's previous law had a 45-day requirement). And Kentucky joined the ranks, becoming the latest state to enact such legislation. Now only a few states lack laws that require notification of security breaches involving personal information. 

With any crime scene, whether cyber or physical, notification about the incident is important. In a physical crime scene, it can take days or even weeks to collect toxicology reports; receive conclusive autopsy reports; and collect, analyze and report the findings. In general, the public understands and seems to accept this.

When it comes to cybercrime scenes, however, we see something quite different: It's expected that companies, governments and cyber-forensics professionals will provide immediate and detailed information about a security incident. And, while the notification expectations seem to vary widely between physical and cybercrime scenes, the process of uncovering facts is fairly similar. In both cases, a thorough review of the evidence is an essential and necessary part of the process -- before any conclusions can be drawn. 

Despite this expectation to report findings almost as soon as a security incident becomes known, it is advisable to use caution and avoid communicating information too quickly. First, understand state breach notification laws, notification requirements set by federal law and industry standards, such as the Payment Card Industry’s Data Security Standard. In addition, make sure sufficient facts have been gathered before making a public statement.

Accuracy is paramount, and it is not appropriate to jump to conclusions or make assumptions when in the midst of investigating a security breach. Do not rush evidence collection and analysis simply to provide immediate information to the public, as this information may eventually turn out to be erroneous or inaccurate. If the initial information you provide is later determined to be incorrect, this misinformation can ultimately damage your credibility and could complicate your ability to effectively manage the breach. Rushing the notification timeline also means running the risk of having to recant and explain earlier statements.

Detectives working a physical crime scene often establish a command post to host team meetings and communicate media updates, and handling cybercrime scenes in a similar fashion may also be a good idea, depending on the magnitude of the issue.

Additionally, a thorough incident response plan should serve as the guide for handling a security breach. The incident response plan should, first and foremost, establish the incident response team members, and then designate specific roles and responsibilities for multiple teams and team members, including notification and communication. Often, team members identified in the plan include the highest leadership levels within the organization, communications personnel, security and IT professionals and frontline operations employees. Ultimately, the incident response plan is the playbook to be followed step-by-step should a security incident occur.

And on an annual basis, the plan should undergo a comprehensive review. Modifications should be made, where appropriate, and employees should be trained on how to effectively carry out the plan. This will help ensure that the plan is up to date and that incident response team members are prepared should a security incident occur. This will also help alleviate any pressure to report findings immediately, as the plan should guide the communication timeline.

Again, even as new legislation continues to tighten security breach notification timelines, it is inadvisable to rush the communication process during a security incident. The best response will stem from taking the necessary time to gather and analyze the cybercrime scene evidence, and following a detailed incident response plan.

Jayne Friedland Holland is the Chief Security Officer and Associate General Counsel at NIC Inc. She speaks regularly to all levels of government regarding sound cybersecurity procedures. She can be reached at Jayne@egov.com.