
Tweaking Your Incident Response Plan to Address A Distributed Workforce

With the sudden, drastic increase in distributed workforces came the implementation of new practices and access solutions, which in turn created more surface area for bad actors to attack and more potential gaps for them to exploit.

A business’s Incident Response Plan is its playbook for deploying a rapid, proportional response to a potential security threat, with the goal of complying with applicable data privacy and security laws while maintaining client services. Such a plan generally lists the roles and responsibilities of staff positions as they work through phases of Detection, Analysis, Containment and Eradication, Recovery, and Reporting. The collection of key staff members is commonly understood to be the Incident Response Team (IRT) and their familiarity with the plan and preparation in advance of a potential incident are often key to successful responses.  

Here are some important considerations in evaluating your current Incident Response Plan:

Communication

Communication is always key, but now it may need to be handled without face-to-face meetings or assembling the IRT in a conference room. An Incident Response Plan, similar to a Disaster Recovery Plan or Business Continuity Plan, should plainly state the methods of communication IRT members will rely on, in order of preference, in response to a potential incident. Thought should be given to which forms of communication are likely to be interrupted or compromised in an incident, and which backup communication method(s) will be relied on. With IRT members working from home, which communication methods carry a lower risk of interruption, are more secure, and are available to all IRT members? Be careful of using free platforms or apps to communicate. Many are not secure, there is no expectation of privacy, and the data stored can be discoverable or subject to subpoena.

Relatedly, does the Plan identify which leaders are responsible for internal or external communications regarding an incident? For example, in an office setting, business phone lines and the clustering of staff could allow a team to efficiently direct all inbound questions or concerns about an incident to a VP of Communications. Pick a title, not a department. Now, with cell phones serving as a primary tool of communication, does your team need a refresher on how to address communication from external parties, or a reminder of professional responsibilities when confronting a potential incident? Also remember that during an incident, systems are likely to be inaccessible because they have been encrypted. So, does every member of the IRT have a printed version of the Incident Response Plan at home with everyone’s contact information?

Resource Allocation

The first phase of most Incident Response Plans revolves around detection – identifying what is happening and collecting details about a potential incident. Your Incident Response Plan might implicitly assume that IT staff or others with specialized knowledge related to identifying a security or privacy issue are on hand or available at the same location as the point of compromise. When considering your new work-from-home environment, it is time to consider how your IT staff will be available in the earliest moments after a potential incident is reported. Where possible, it may be time to consider endpoint detection and response solutions – an addition to your IT management environment that can provide remote insight into, and management of, laptops being used by employees from their homes. Such a solution can speed the collection of important forensic details while hastening containment and the wider response.

Role Adaptation

Work-from-home environments may change an IRT member’s ability to address the role or responsibilities they were previously assigned. Oftentimes Incident Response requires confidential conversations, privileged communication and/or discussion about sensitive data, and it is important to address with members of the IRT whether they can meaningfully and responsibly participate in incident response when working from home. There are often more competing interests in a homebound setting than in an office, and when updating and reviewing an Incident Response Plan, your company has the chance to address with each member of the IRT whether they can still satisfy their role while potentially handling such competing interests. Such review can allow for updates and edits to IRT members’ roles and responsibilities in advance of a potential incident, instead of in the midst of one, saving valuable time, energy and focus.

Practice

An Incident Response Plan best serves its purpose when it is regularly reviewed as part of a tabletop exercise. Such an exercise promotes clarifying questions amongst members of an IRT and familiarizes everyone involved with their own roles and their expectations of others. Additionally, an Incident Response Plan rehearsal reminds all IRT members of the importance of communication and of how critical legal determinations, such as what constitutes a data breach, must be considered when discussing or communicating about an incident.

Now that your IRT is working from home, how will they make use of your Incident Response Plan? The best way to find out is to schedule time to run a remote tabletop exercise. The updated exercise can provide insight into new strengths or weaknesses created by a distributed IRT. Such practice can highlight the differences created by an at-home response, such as whether everyone on the IRT has a hard copy of the Incident Response Plan in the event one is not accessible online.

Coordinated Vigilance

Updating your Incident Response Plan is key, but it should be done in coordination with improvements to other safeguards. In parallel with rolling out new work-from-home measures, companies should consider adjusting relevant policies, such as the Acceptable Use Policy, and assess how new access controls or encryption measures, such as virtual private networks, can mitigate risks to security. While employees are adjusting to an array of new norms, it may be less disruptive to add a few more, including multi-factor authentication, new password complexity standards, and other access control measures. By remaining vigilant and keeping continuous focus on the issues of security and privacy, companies stitch best practices into the cultural fabric of their team.

If you have questions about creating a legally defensible Incident Response Plan, contact sophisticated tech counsel; we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologists and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).

*Attorney Advertising. Prior results do not guarantee future outcomes.


Data Breach Compliance Under the CCPA – What You Need to Know

The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, and with it came expanded data breach laws and an increased risk of litigation. Attorney General enforcement of privacy-related suits cannot be initiated until six months after final regulations are approved by the California Attorney General or July 1 (whichever comes first); however, data breaches are subject to enforcement via a plaintiff’s private right of action now.

In fact, substantial data breach litigation has already begun under the CCPA, primarily in the form of consumer class actions brought in federal courts in California.

Businesses should be aware and prepared to comply with the data breach compliance requirements of the CCPA in the event of a data breach incident, as discussed below, or risk facing litigation.

Breach Defined

The CCPA provides consumers with a limited private right of action when “nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations are subject to penalties of $100 to $750 per incident, actual damages, and injunctive relief.

Personal Information Defined

In order for a data breach to be actionable, the information breached must be personal information as narrowly defined by California’s data breach notification law, Section 1798.81.5, not the broad definition included in the CCPA. For the private right of action for data breaches, personal information means:

An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.

This narrower definition of personal information should work to limit the availability of CCPA’s private right of action.

What Constitutes “Reasonable Security?”

The CCPA does not define “reasonable security,” and the California Attorney General has not yet offered guidance on the subject. However, some California regulators have endorsed certain security measures as providing “reasonable security” in contexts outside of the CCPA.

For example, the former California Attorney General, Senator Kamala Harris, provided clear guidance on what she considered reasonable security in the February 2016 California Data Breach Report. As highlighted in the report, covered entities should look to the Center for Internet Security’s list of 20 Critical Controls (“CIS Controls”) as a potential baseline security standard for reference. The CIS Controls consist of twenty key actions, including authentication, incident-response plans, data-protection policies, and other security safeguards. Although these CIS Controls are not prescriptive safeguards for CCPA compliance, they are a good place to start.

Notice and Cure Period

Before bringing an action for a security breach, the CCPA requires consumers to provide covered businesses with 30 days’ written notice identifying the specific provisions the business allegedly violated. Businesses then have 30 days to address and resolve the violations without penalty. Businesses that fail to cure the violation open themselves up to civil action for monetary damages, injunctive relief, and any other relief the court deems proper.

CCPA Prohibition

The CCPA does appear to prohibit the commencement of lawsuits which leverage the CCPA to state other claims. The CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” thus prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. However, as described in other blogs, this has not stopped plaintiffs from bringing just these types of claims. Judicial decisions are required on the scope and enforceability of the CCPA’s prohibition on non-CCPA claims.

Takeaway

Businesses should continue to follow CCPA developments and carefully monitor related litigation in the coming months for further clarity on enforcement and compliance. CCPA data breach litigation is expected to increase considerably as plaintiffs take advantage of the CCPA’s private right of action for data breaches resulting from a company’s failure to implement and maintain “reasonable” security measures. Beckage will continue to provide updates as they become available. Additionally, AG enforcement of the CCPA data breach and privacy provisions is expected to commence soon, providing an additional layer of enforcement activity that businesses must be aware of. The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA litigation risk.


Recent Cannabis Industry Data Breach Highlights Importance of Risk Mitigation Through IT Contracting & Insurance

When it comes to cyber security threats, everyone is at risk – regardless of the size or industry of the business. The cannabis industry saw this firsthand last week, when a software vulnerability that exposed data on at least 30,000 people from multiple dispensaries across the U.S. was disclosed.

Although it remains unclear who accessed the data, this incident highlights the particular risk that businesses in the cannabis industry face: legal requirements to collect detailed personal records from clients and a fluid regulatory landscape. This incident also highlights that a proactive cyber security plan can help shift legal risk, and that well-drafted liability protections can do the same if a data breach does happen.

What is Cyber Liability Insurance?

Similar to other types of liability insurance, cyber liability policies protect businesses in the case of a data breach, ransomware attack, or other cyber security failure. These types of policies cover expenses or losses incurred when a network or database has been hacked, ransomed, or otherwise compromised. Coverage typically includes:

• Notification costs – including investigating, responding to and resolving an actual or suspected data breach, and alerting potentially affected people. You might need mailings, call centers, or even additional staff.

• Credit monitoring costs – companies trying to mitigate a security breach often provide free credit reports or monitoring, as well as identity theft insurance costs to defend claims by state or federal regulators.

• Ransom payments – sadly, hackers can take (and have taken) networks and databases hostage. Liability insurance would cover ransom payments, as well as costs for data recovery and restoration and losses from business interruption.

• Fines and penalties – with new data privacy laws emerging, the penalties for failing to protect consumer data could be substantial.

• Third party liability – if allegations of negligence or failure to take reasonable measures to prevent a security breach arise, then a third party business could be held responsible.

• Crisis management costs – to track and contain both the cyber threat and the fallout, you may need forensic investigators, professional crisis management, or strategic communications support.

Cyber liability insurance is an increasingly important risk management tool that organizations rely on as a part of a larger, comprehensive cyber security and privacy breach response plan. Take note that cyber liability insurance is different from technology errors and omissions (tech E&O) insurance, which is designed to protect companies that provide technology products and services, such as computer software manufacturers. Cyber liability insurance covers the fallout from a particular breach of customer or client data.

Why Cannabis Businesses Need It

Any business that collects personal data could face substantial liability in the event of a breach; however, the cannabis industry faces even more risk because of the unique amount, and often type, of information dispensaries and other businesses are required to collect. In addition, due to the constantly shifting industry and regulatory landscape, many cannabis businesses may find themselves in uncharted territory and are likely to have questions about cyber liability risks. It is also important to note that while general liability insurance policies may cover some cybercrime losses, they generally will not provide the comprehensive coverage needed to mitigate the damage from a data breach. Some general liability policies may even contain exclusions for cyber liability losses and claims.

One thing is for certain: data is becoming increasingly valuable. Our Beckage CannaPrivacy Team understands the important steps businesses should implement to protect this valuable data. If the worst happens, it is critical to have the right liability coverage to minimize losses and disruption. Our team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for any business in the cannabis industry.


2019 Year in Review: Beckage Blog Top 5

The end of the year is finally upon us. As the year draws to a close, we look back over our most popular blog posts of 2019. From understanding New York’s SHIELD Act to website accessibility claims under the Americans with Disabilities Act and gearing up for the California Consumer Privacy Act (CCPA), it has certainly been a great year for the Beckage team. We pride ourselves on producing informative and timely content for our community in this fast-moving legal landscape. For this reason, we have picked out our very best blog posts from 2019, just in case you missed any of our top posts. We thank you all for your continued support. Happy Holidays from all of us!


How IoT Will Impact Data Security & Privacy For Businesses

You’ve probably heard the buzz about the Internet of Things (IoT) – a suite of emerging technologies that promises great value to businesses, individuals and society. As broadband internet and Wi-Fi capable devices become more readily available, and reduced costs in the technology supply chain fuel innovation, the number of IoT devices and applications is estimated to grow into the billions. What’s more, the nature and applicability of IoT is constantly evolving. According to the Government Accountability Office, IoT “can be used in almost any circumstance in which human activity or machine function can be enhanced by data collection or automation.” IoT is clearly the future, enabling new efficiencies and technological capabilities for businesses looking to grow and compete in a competitive marketplace. But before businesses jump into this next big thing, it’s critical to understand exactly what IoT is and how it will impact data security and privacy issues.
