Posted: Aug 14, 2018
Comments: 0
Author: Lou Grilli

Planning for the Breach - the WISP and IRP

Understanding and managing the risks associated with the changing world of data security, and being prepared for breaches and how to respond to them, have become business necessities. This three-part series, based in part on a presentation given by Michele L. Cohen, a principal with the law firm Miles & Stockbridge P.C., at Trellance's immersion 2018 conference, outlines the balancing act between convenience and data protection, and provides a framework for preparing for breaches and for what actions to take in response. Part 1 focused on what is at risk, what causes breaches, and the fact that breaches are inevitable. This Part 2 focuses on planning and documentation for the inevitable.

The first step in planning for a breach involves investigation, assessment, and a lot of "legwork" to establish a process for evaluating the data collected and managed by the organization. Every piece of data must be evaluated to determine whether it is personal to an individual. Every place where such data is stored, and every recipient given access to it, must be identified, with formal controls established over each step. The data collected by the organization may include member data, employee data (and possibly vendor personnel data), and non-member data in the case of former or prospective members. The data may be collected for various reasons based on organizational needs, including loan applications, member account set-up and administration, and communication with members. Remember that the personal data of the organization's own employees and non-employee personnel is subject to the same concerns and the same planning process. Where data comes from, how it is collected, and where it is used, shared, and stored must all be identified, along with the policies and procedures that govern its use, access, release, and disposition. This is also the time to determine what data the organization's employees and third-party providers actually need in order to perform their roles, so that only that access is granted and nothing more.

The second step in planning for the breach is to develop a Written Information Security Plan (WISP). This plan may be used as a defense in regulatory and litigation actions, and it also establishes the game plan for how the organization will handle a breach incident. When a breach does occur, having a WISP will help you manage the incident response. A WISP is also required under some state and federal laws. The WISP should include:

  • Data Mapping – the results from the assessment in step one.

  • Safeguards – what access controls are in place?

  • Current Threat Profile – third-party access, laptops and other mobile devices, cloud versus in-house servers, and applications should all be considered.

  • Liability Exposure – what kinds of data are at risk?

  • Priorities for Remediation – what steps have been identified for execution immediately following identification and confirmation of a breach?

  • Training Programs – the internal and external training to be done.

  • Provisions for periodic updates and evaluations, including who is responsible for owning and maintaining the document.

The third step is to develop the Internal Response Plan (IRP). This is the document that gets "activated" in the event of a breach. Developing it should be treated as another compliance task, not as preparation for a "doomsday" event. A well-written and well-maintained plan is clearly an "ounce of prevention …" activity. As soon as a breach is discovered there is understandable chaos, with the potential for mixed messages inside and outside the organization and conflicting opinions on how to handle the response. The IRP manages the process by pre-determining the chain of responsibility, the priority order for protecting critical data, networks, and services, and who is responsible for notifications, including notification of law enforcement.

When it comes to data breach notification, Target remains the poster child of what not to do when a breach occurs. According to InfoSecurity magazine “The retailer experienced a massive breach in 2013 which resulted in up to 40 million customer payment cards being compromised. The world learned about the breach from Brian Krebs, who broke the news on his blog after discovering stolen card details for sale on the dark web. In the days following, Target failed to communicate with banks about which payment cards were stolen, while customers were unable to reach the company due to a jammed customer service line. Consequently, Target’s share price fluctuated, and both the CIO and CEO resigned.”

The IRP should have as its core theme that "we take your data seriously", while also acknowledging that breaches cannot be prevented 100% of the time; the fraudsters are always one step ahead. Emphasize that the organization is ready to react quickly, appropriately, and professionally when a breach occurs. The IRP is not any one person's responsibility to develop. For example, the CIO understands how the technology works but is not the expert in compliance risk or communications. The plan should be developed by a team consisting of the CIO, Legal, Compliance, Risk Management, Marketing, Senior Management, and others as appropriate, and it should be reviewed and updated on a regular basis. Since many organizations have no prior experience developing such a plan, don't be afraid to ask for help. Outside counsel well-versed in data security breach matters can contribute valuable input, and there are many consulting companies that specialize in data breach planning and preparation.

Although the "I" of the IRP means Internal, the plan needs to incorporate several external partners. Insurance policies need to be evaluated for breach coverage against the various risks. Outside counsel will provide useful assistance with the breach response and with the improvement process that follows; your insurer and outside counsel should be the first partners contacted. In addition, external PR is often brought in post-breach, and cyber security experts and digital forensics specialists are often required to help determine the scope and timeframe of the breach. These professionals need to be identified in advance, with contracts negotiated and ready for execution (and, where applicable, with prior approval from any insurance carrier that has approval rights over third-party providers). All pertinent law enforcement contacts (local, state, FBI) need to be identified to ease initial communications. The need is the same for all of these external partners: identify who to call, and who inside the organization will be contacting them.

Lou Grilli

Lou is the AVP of Product Development & Thought Leadership at Trellance. In this role, he is responsible for managing the organization’s product portfolio, as well as providing leadership on industry trends related to data analytics and payments.
