Exploring the Evolution of Incident Response on the Elevate. Together. Podcast
What should you do if your company suffers a cyber incident? Which comes first, laws or tech? And how has Data Breach Response evolved over its short lifetime?
🌳🌳🌳Canopy COO Adi Elliott joined an expert panel on the Elevate.Together.Podcast to answer these questions and more, covering data breaches from three angles: legal, technology, and services. You can listen to the full episode here or wherever you tune in to podcasts.
James Manari, Vice President at Elevate, moderated the fast-paced discussion between Adi, Melissa Ventrone, Leader of the Cybersecurity, Data Protection and Privacy Business Unit at Clark Hill, and Megan Silverman, Director of Litigation Services at Elevate.
Here’s a quick look at what they shared:
How have you seen Data Breach Response evolve?
Adi shared that unlike adjacent sectors like ediscovery that have extensive history going back decades, Data Breach Response is a space that spontaneously popped up in recent years. There wasn’t really a need for purpose-built tech and processes until around 2018, when data protection regulations like GDPR matured enough to justify its existence. Public awareness also began to rise around that time, so companies began experiencing more reputational damage from cyber incidents, driving them to invest more in incident response.
Melissa observed that the evolution is driven by three factors:
- What the laws are,
- Consumer reaction, and
- Attackers’ tactics & techniques.
People are getting increasingly more concerned about the use of their personal information, and consumers are holding companies to a high standard when it comes to protecting their data. If a company is breached leading to loss of data, consumers are increasingly more often holding the company — not the cyber criminals — responsible, and that view is leading to more aggressive regulatory actions against companies of all sizes.
Which came first: the laws or the tech?
Adi observed that regulations have widely influenced the development of Data Breach Response tech and processes over the past few years, telling software providers what problems they need to solve: locating personally identifiable information (PII) and people in compromised data. When GDPR went into effect, it was essentially impossible for companies to meet its 72-hour deadline when dealing with compromised data exceeding 20-40 GB using the technology available at the time. The cobbled-together, manual tools and processes used for incident response at that time were simply too slow to provide a supervisory authority with any information about what was in a large data set. Now, tech has advanced to provide faster insights with more specificity.
Does GDPR apply to you? Download this guide to find out & learn how to comply.
Megan agreed, adding that lawmakers don’t necessarily understand what they’re asking companies and attorneys to do when responding to cyber incidents — they probably wouldn’t ever imagine teams of 500 people working around the clock to meet a 72-hour notification deadline. But as purpose-built technology like Canopy has rolled out to meet this need, incident response teams and counsel have seen great advances in their ability to comply with these deadlines much faster and within a reasonable budget.
Melissa noted that in other respects, the laws can also lag behind technology, such as when attorneys try to take laws that were passed as far back as the 1970s and apply them going forward. Further, some states’ data privacy laws still don’t have a “low risk of harm” or “no risk of identity theft” caveat, which places an unnecessary burden on companies. On the flip side, companies need to have a better understanding of what data they have and who has access to it. Sometimes companies have no process for tracking what people and departments use data for different purposes, so if they suffer an incident, they would have no idea what they’re dealing with until a full investigation is complete.
What surprises do you find when working with affected parties?
Melissa shared that affected entities across the board, regardless of size, are often very surprised at the amount of data they have and what that data contains. Companies have duplicative data without realizing it, or collect more PII than they realize — it can quickly add up to terabytes of information.
Megan said that with almost every review Elevate does, they find 10,000-page PDFs or 100,000-page Excel spreadsheets, neatly organized with tons of sensitive PII elements — name, address, social security number, bank account information, etc. It’s common practice for companies to keep data in this format and not understand that they have it or know where it is. Elevate’s average entity list has over 100,000 people, so these are big companies with a lot of sensitive data.
Adi shared that almost every time Canopy sees a PII-heavy PDF or spreadsheet, it’s not because the breached company doesn’t care about PII or an employee was behaving in a nefarious way. It’s because someone was trying to solve some business problem by getting data from Point A to Point B as quickly and easily as possible. Companies can evaluate the goals behind data handling and build safer processes from there.
How do your employees really handle PII and sensitive data? Download our guide to learn how to assess your privacy impact.
What advice would you give to someone about to go through the IR process?
Create backups. Without backups of your data, you can’t get back up and running quickly, and you may even have to redo everything your company has started to do from scratch. So we’re seeing major business interruptions being caused by cyber attacks right now.
Have a plan in place now. You’re never prepared enough. Host roundtable exercises and pick your providers in advance so you can maintain a sense of confidence throughout the process, and there isn’t a huge lag between discovery of the incident and bringing in the right team to respond. It’s worth it to have a few billed conversations proactively so that you’re ready to go immediately if-and-when an incident occurs.
Don’t panic. If you’ve already been hit by an attack and you’re responding, don’t delete all the encrypted information because you know you have backups — the attackers may have hit your backups as well. Don’t communicate to everyone that you’ve had an attack, because you’ll be fielding questions instead of responding to the incident. Take a deep breath, and follow your plan.
Go on a data diet. Understand where your information is and audit your document retention policy regularly. If you don’t need it, don’t keep it. Data mapping will help you accomplish this and make it easy to know what data was potentially compromised if you are attacked.
Know what’s in your data. Even when companies are doing cyber training and sending out compliance surveys, they don’t really know what’s in their emails and file shares. What employees report in surveys isn’t necessarily indicative of how they work — not because they’re being intentionally deceptive, but because they forget or don’t think too much about how they’re handling sensitive data. Audit to know with certainty.
What are your predictions for the future?
Megan: I see consumers becoming desensitized to cyber incidents over the next few years because of how frequently they happen. I see plaintiff’s attorneys filing large lawsuits when they’re able to. And I see our controls improving over time, as people start to reevaluate how they store data.
Melissa: In my dream world, the government will rethink how they use PII like social security numbers, making identity theft incidents less frequent. Proactive cyber tech would become simpler so that small companies can use it easily, too. In the real world, I think we’ll see increased data exfiltration and attackers continuing to adapt to protective measures. I also predict that the U.S. will continue advancing data protection legislation, especially for critical infrastructure and defense contractors, which will drive tighter security controls down the supply chain.
Adi: It’s going to continue to normalize and regulations will continue to evolve, which will highlight each region’s different perspectives on data privacy. But we’ll have to find a way for them all to work together, as it’s easier than ever now for even small companies to have a global presence. Technology is evolving to make keeping up with these problems achievable, and it will continue to do so as threat actors and legislation change. The market is growing and our goal is both morally and intellectually interesting, so I’m excited to see this area evolve.