Editor’s Note: On September 30, 2021, HaystackID shared an educational webcast presented at the 2021 Privacy + Security Fall Academy. The webcast provided viewers with a framework and solutions for deploying privacy-based information governance technologies, tactics, and strategies to help their organization comply with the ever-changing landscape of data privacy laws, while also reducing their exposure in the event of a security incident when sensitive data has been compromised by threat actors.
While the entire recorded presentation is available for on-demand viewing, provided for your convenience is a transcript of the presentation.
[Webcast Transcript] Information Governance, Data Privacy, and Data Breach Exposure Mitigation
+ Michael Sarlo, EnCE, CBE, RCA, CCLO, CCPA, HaystackID – Chief Innovation Officer and President of Global Investigation Services
+ Andrea D’Ambra, Norton Rose Fulbright – US Head of Technology, & US Head of eDiscovery & Information Governance
+ Shehla Qureshi, AXA XL – Senior Claims Specialist
+ David Wallack, KeepTruckin – Lead Privacy & Security Counsel
+ Matthew Miller, HaystackID – Senior Vice President of Information Governance and Data Privacy
Hey guys, thanks so much for joining us today with HaystackID. We’re really excited to be here for the Privacy + Security Fall Academy. Today’s panel presentation is on information governance, data privacy, and data breach exposure mitigation.
This session will present frameworks and solutions for deploying privacy-based information governance strategies, privacy-based information governance technologies, and privacy-based information governance tactics.
I’m going to let the presenters go around the room and introduce each other.
All right, I’ll start. My name is Andrea D’Ambra. I’m a partner at Norton Rose Fulbright in New York, and I’m the firm’s US Head of Technology and US Head of eDiscovery and Information Governance.
And I’ll jump in next. I’m Shehla Qureshi from AXA XL. I’m a senior claims specialist in cyber, media, and technology [ENL], and I have about 12 years of claims experience, and with the last four to five years focusing specifically on cyber.
I’ll jump in. It’s David Wallack with KeepTruckin Incorporated, I’m Lead Privacy and Security Counsel. I’m also CIPP/E and CIPM certified, I have held various privacy roles at different companies in this role. I work with our compliance and security teams to apply the regulatory landscape to all the data that we touch.
And finally, I’m Mike Sarlo. I’m the Chief Innovation Officer and President of Global Investigations and Cyber Discovery Services at HaystackID. I’ve been with the company for about ten years, focused on complex eDiscovery, digital forensics exercises, cross-border investigations, and post-breach events, and data mining in particular.
One of our colleagues, Matt Miller of HaystackID, will be joining the presentation later in the webcast.
So, just some high-level stats that I’m sure everybody’s seen. Obviously, the average cost of a data breach is rising actually. In 2020, the average cost of a breach was about 8.64 million. It’s up now in 2021 to 9.05. Globally, a little bit less expensive. Targets in the US, as a result, I think of more of the whale hunting that we’ve been seeing going on as far as major corporations and major enterprises going down, with the means to pay large ransoms, is about 3.86 million and 4.24. These stats certainly roll in some of the lost business elements; certainly, the post-breach activities like credit monitoring, some of the legal services. Probably not all of them, actually, as far as those workstreams are concerned with the way that this study was done.
In particular, and really just to set the stage for our discussion, information governance I think historically has been something that’s hard to track ROI on as far as going through such an exercise, but here it is. In 2021, we’re dealing with about $160 per stolen record, and in healthcare, much higher, $429. So, every time that somebody saves that file they’re not supposed to, just put it in your pocket, so to speak.
Certainly, this is on everybody’s minds. I can tell you that my corporate clients are highly concerned. Really, this is a watershed moment for organizations that are looking to really enhance the way that they handle their data, the way they think about data, and also from a regulatory standpoint, it’s an entirely new environment, and there’s a lot of budget out there for folks who are in-house on this call, and for the consultants as well, there’s a lot of folks out there who are looking for help in this domain.
So, really what we’re seeing is an ever-growing landscape of tools and different types of technologies where data may reside, and certainly, enterprise-level data mapping is an important set here. It’s become even more difficult in some ways. When we start thinking about the types of datasets that we see compromised at HaystackID where we’re doing data mining activities, it’s all over the place. We’re dealing with CRMs, we’re dealing with web-based applications, we’re dealing with databases and just loose files. Even in organizations that feel like they have strong information governance, or that they have contained their data, it is definitely usually not the case, even in the most sophisticated of organizations.
And I’m going to ask David here for a minute, what are some of the tools you use at KeepTruckin as Lead Privacy and Security Counsel? A growing technology startup, it’s really also a data aggregator. How do you leverage data mapping in its basic form, maybe in a past life, what type of technology have you used to get a hold of the landscape of privacy risk?
Yes, so one caveat to that is that I just eclipsed my three-month tenure with KeepTruckin, so we are still very much on this journey right now of vetting technology. We will bring an in-house solution in. It will probably be something that connects at the API level and detects our data flows to the various vendors we have, which almost everyone that you had on the previous slide is something that we work with in some form or capacity. We prefer a tool that does not actually touch the data itself.
So, there are a variety of tools on the marketplace, some of them actually touch the data, which can create another privacy concern in and of itself, because now you have a new data flow going to someplace else and a new security problem. But I still think for us it’s going to be a multi-tool solution. It will be a tool that does AI classification and categorization, and then allows us to identify where the vulnerabilities are, with what vendors, and based on what the contracts say and what the stipulations are in that contract, where we’re not meeting our data obligations, or regulatory obligations, either contractually or regulatory, and then we will use a different tool to actually pull that out and analyze where we can be better or what needs to be reviewed.
But I still think for us, it’s going to be a multi-tool solution, and then at the end of the day, really, the best thing that you can do is you can also start to interview as many of the people in your organization as well to find out how they’re actually using these tools. We bring on, it seems, a new vendor almost every single day at KeepTruckin for one purpose or another, and I think it really sometimes goes overlooked, the actual process of getting to know from your client, in this case, whether it’s engineering or product, or IT or enterprise, how they intend to use that tool, and what data is actually going into that tool, and sometimes the anecdotal interview can be just as powerful as the actual technology.
Certainly, I find that that is sometimes the most powerful place and the tech definitely loses its value if you don’t have those interviews. So, Shehla and Andrea, for you guys, Shehla as a lawyer and a senior claims specialist focused on cyber incidents, you sit in a unique position at AXA XL supporting clients who need vetted resources when a security incident occurs, the headlines are obviously dominated by one high-profile data breach after another. Is this related to the pandemic? What are you guys seeing? How has the landscape changed in general with the way carriers are operating in your seat, and then what are some of the common themes as it relates to attack methods over the last year you have encountered?
Yes, I definitely think that there’s been an increase, for sure, in the last year, year and a half, as everyone’s moved more towards remote working. That’s definitely something that we’ve seen. We’ve seen more claims it feels like industry-wide, whether you’re looking at it from an insurance perspective, whether you’re looking at it from a forensics perspective, whether you’re looking at it as privacy counsel. It’s exploded in that last year and a half.
What that relation is, that I think there’s definitely some debate about. I think there’s one school of thought that you don’t have your IT personnel on hand, on-premises, as focused on updating servers and making sure that they’re conducting trainings and reminding people not to click on phishing emails and allowing them to get their credentials. The other thing you have is people are working from home more, so they are maybe using their work computer in more of a fashion where they’re putting their own personal data there and not letting – so companies aren’t able to actually know exactly what data is there, which is really a big issue post-breach, is does a company really know what data they have, what data their employees have put out, and where they’ve put it?
So, that becomes a central question that both us as the carrier, I think, Andrea, as privacy counsel asked, is do you know what data you have? OK, if we know this server has been affected, what data do you potentially think you have? Is it embarrassing? Is it going to be something that has a lot of PII (personally identifiable information)? Is it something that we really need to be concerned about because it has information about your CEO or your COO that could be embarrassing if released out to whatever industry you’re in? So, those are things that we definitely think are happening.
I personally think that I’ve seen a lot more of people just being careless and clicking on phishing emails, and the phishing emails are a little bit more sophisticated than they were two or three years ago, but allowing their credentials to be harvested, and then that really allows threat actors to navigate the entire network.
I’ve seen situations where a company, a smaller company, but they’re not receiving – the person who gets the ransom demand isn’t notifying IT immediately. They’re waiting. Because they’re at home or whatever delay there is, there’s just a delay, and in that moment, where hours matter, that can increase what we’re seeing, where demands are increasing, based on that sort of delay.
Obviously, I think that personally what I have seen as the most common attack method has been attacking networks through harvesting credentials through phishing emails, seeing threat actors exfiltrating data. That seems to be more going through the network, looking to see what could be embarrassing, and encrypting data and really encrypting networks as a whole and saying, we’ve got a hold of your network, we’re going to be on here. If you want access to your network, you’ve got to pay us and that really has become a problem.
I’ve also seen claims where you’re having them access networks through vendors that a company may have a contract with, an existing contract with, because you can control your own network, but can you control your vendor’s network and what their employees are doing, what they’re doing. So, if those employees are getting phished, and then their access into their network gets compromised, and then leads to a compromise of the bigger vendor, that’s also been an issue. So, I definitely think that’s obviously become an issue. Ransomware is obviously the hot topic and the issue that everybody’s seen in the last year and a half. So, I mean, from my end, I think those are really the big issues that we’re seeing.
I think that’s absolutely what we’re seeing as well. Andrea, I’d be interested, in your role as US Head of Technology, and US Head of eDiscovery and Information Governance at Norton Rose, you’ve been in this space forever, you advise clients, you’ve been through all the IG challenges, the eDiscovery challenges. Now, it’s all about privacy. During an incident, where do you pick your pocket of where to start and investigate where the unknown private data might live, and are you seeing things in collaboration platforms and any of the new tools? We don’t really see that as much on our end, surprisingly. Maybe it’s because of more advanced authentication methods, but we’d love to hear what you have been seeing.
Yes, so when we come in to assist with a breach, most of the time we’re taking our cues from either the forensic analysis and where the footprint is as to where the threat actor has gone, or the threat actor themselves and what information they give us about the dataset that they’ve exfiltrated. We’ve had incidents where they’ve told us we took four terabytes of your data, and at the end of the day, it ends up being like 150 gigabytes, and then on the other end, we’ve had times where they’ve said, oh, we took two terabytes of your data, and we’ve figured out where that is, and then we’ve gotten additional information about another two terabytes of data. So, some of it is detective work, some of it is just using the information that you’re given.
We haven’t seen a lot of collaborative platforms compromised yet, although a lot of times that’s where people might be less guarded about their communications, and therefore, there might be something embarrassing there. Mostly what we’ve seen has been hitting file servers, where there’s financial data, where there’s personnel data, where the insurance contracts are. They’re pretty targeted, and I think that the threat actors realize where the most pain is. They do their research before they get in there, and they’re looking for things that they know will be embarrassing to the company, that will impact the company’s relationships with customers, and therefore, they’re going to be more likely to pay whatever ransom is out there.
So, I’m sure companies that have strong information governance policies, at least knowing where those crown jewels are early on, is helpful as far as starting an investigation, and we’re on the forensic side, as you guys are frequently coming in as firefighters to save the day. So, I’m sure that’s helpful. Matt, did you manage to make it into the Zoom?
I did, I did, and apologize for my technical difficulties. There are two things I wanted to point out before we moved on to that next slide, but it’s OK to pull it up. When Shehla was talking about the third parties, like making sure that those other networks are secure that have access to your network. Just a couple of terminology things. I believe she was referencing a supply chain attack, and the supply chain attacks, I think the most famous one ever was when Target was breached like 10 years ago, almost now, but when Target was breached, yes, she’s 100% right. The HVAC contractor had access to Target’s network, and that was how they initially got in. And then another term of art would be advanced persistent threat, and they sit out there on the network, and they’re waiting, and to Andrea’s point, and gathering information. One of the CISOs I talked to last week absolutely validated that percentage that we had up there on the screen. They are seeing 400 to 800% more attacks since the pandemic started. I mean, those are extremely high numbers and what we see on this next slide is that these data challenges, they’re really intertwined, and what’s the problem?
We’re talking about trying to build these data maps. Well, it’s very hard to have a data map and know where all your most important data is if you lack visibility across the entire network. How are you supposed to know what we need to protect, and keep it safe, and address other concerns such as the retention policies and being able to handle the storage growth, and identify your most critical and sensitive information that’s involved in many different areas? That same kind of data is going to come up in litigation. It’s going to come up in a privacy situation and so organizations need to be able to gain control, have visibility for all that data, and another problem is that we’re running into with many companies small and large, I mean the biggest companies in the world, we’ve seen it, there is a lack of internal resources, the people, and sometimes it’s just one piece out of the three – people, process, or technology.
Totally and it can be a daunting task certainly with the growing sense of global regulatory frameworks and now here in the US at a state level, so I think a lot of organizations don’t have the resources that they may need, even here in the US where the privacy by design, the design concept hasn’t fully been pored over, although I think that’s beginning now. And Andrea, you as the data privacy expert, maybe you can clue us all in on really where we are in the state of data privacy and how that relates to breach and some of the Sedona items that I think are becoming highly relevant pretty quickly here now.
Yes, I mean, across the world, countries are starting to adopt data protection and data privacy rules, and a lot of these talk about data minimization and data handling, and when you have a breach, the compliance or lack of compliance with those particular regulations really comes to the forefront. I think in the past, companies have – information governance has been a necessary evil that gets a little bit of attention, but really not enough attention, because everybody thinks, well, if I just keep it, then I’m limiting my risk because they can’t say I got rid of it, and what we’re learning now is that there’s a twofold risk in taking that approach.
One is that if the regulator finds out you have documents from 1998, that you didn’t need to have, they’re not going to be happy, and they’re going to slap you for not keeping your data minimized. But also, if you have a breach, there are all these other people that are now on your data subject list that you have to notify from the documents from 1998, that you wouldn’t have had to notify if you’d gotten rid of those documents in a timely manner. So, it can significantly increase your liability on both those fronts.
And I was going to say – this is Shehla just jumping in on what you’re saying – I agree with you, because notify… you and I have seen it, where you have data subjects who are notified, who really have nothing to do with what’s going on, and it’s just that their data had been stored for years and years and never been taken off of the network, so they’re notified, and then those actually, surprisingly, tend to be the people that when they’re calling and getting notifications, and calling the call centers, are the loudest and threatening the most third-party litigation, and looking at class actions, where it really increases the exposure. I mean, I can say it from an insurance perspective, it increases the exposure significantly.
Yes, well, interestingly enough, what we’ve seen almost universally is when a company gets hit with a cyber-attack, almost the first thing they do post-breach after remediation, and notification, all that, is revise and rework their information governance program, because now there’s a will.
You’re right, and I think an ounce of prevention is worth quite a bit in this scenario. So, can you, David and Andrea, talk a little bit about where we start to implement more defensible data disposition? Just at a high level, what are some of the principles, knowing that we’re going to start to really talk about more some information governance frameworks in general, but I do think this is really one of the key elements, it’s more why are you doing it, right?
Yes, I mean, I’ll jump in here. I mean, on the data minimization part, I do think that it’s important to take active steps to keep as much data on the edge as you possibly can. So, we, on the product side, generally speaking, try to put as little into our cloud environment as we possibly can. But also increasingly, and anybody who’s in the tech space knows this, when you look at your agreements with your vendors, there are always these clauses that say that we may use the data as aggregated and deidentified for essentially any purpose under the sun – process improvement, quality, whatever. But really, what that means is they can do whatever they want, and a lot of people mistake that to mean that the data has actually been deidentified and aggregated, but it hasn’t been. They’re just saying that it has been or they’re using a very superficial tool to remove the names, but it can all be traced back. So, I think that with data retention, one of the tricky parts becomes when you tell somebody that you have actually remediated their data, making sure that you have remediated it in all the ways that it may have been propagated across the universe with all the different vendors, and that is a really pervasive problem. And if you’re saying that you’re doing it and you’re not doing it, it’s an even bigger problem than not doing it at all. Because now you’re actually exposing yourself to liability with people that you have contractual obligations with to remediate that data.
So, I think that that is one of the parts that’s the most challenging is actually… is not only doing it but doing it completely in a way that satisfies the obligation, so that later you’re not called to the mat for not doing what you said you were going to.
The FTC is going after just those sorts of people, people who have made claims about how they’re handling data and then as it turns out, it’s not actually what’s happening.
So, David, during our planning sessions, you shared that your company, KeepTruckin, was going through a massive growth phase, so I’m sure you have your hands pretty full. Where do you start and what are some of the spots here, really, as far as analyzing your current state? Maybe you can give us some advice here.
Well, and I’ll just sort of speak personally, I think any time that you step into a new role, which I have, you sort of start with triage issues and they become readily apparent as you start doing your interviews across the organization, which I think is probably the first step.
The first step is to know who is who. Who has got what and who is in charge of what? And then talk to them and figure out if they have seen anything that looks like it could be a susceptible practice that needs to be addressed right away. So, those types of things are the easy wins.
From a broader programmatic lift, then I do think that step number one is always data mapping and classification. You need to know what data is out there, where it exists, who the owner is, if there’s any regulatory reason to retain the data. Then you start to build out your retention schedules based upon what business interest might be and business intelligence is telling you about the value of the data, and then you try to get rid of the rest of it. But it’s not… I will say this, it’s not easy, it takes collaboration across almost every single silo in the organization from what I’ve found.
I think that organizations are getting better about this. I work for a Silicon Valley tech startup, I think, for me, I don’t have to preach to the choir as much maybe as some other sort of more staid companies do with older processes. But there is no way to do this without buy-in from product, engineering, IT, enterprise, legal. Everybody has got to be behind this as an absolute priority for the organization.
So, finding out who your A-team is, who is interested in doing this type of stuff with you. Some people might just not have the bandwidth for it. You might find people that think that data classification is really cool and they want to help out with it, and they come from weird cob-webby places of the organization, and you recruit them to the information governance committee.
So, I think that really a lot of it is still human, figuring out who wants to do this with you in the organization.
So, Andrea, you’ve dealt with clients, obviously, with the different resource allocations. How has your approach changed over time when discussing IG as it relates to also managing privacy risk? And how do you go about providing advice to clients, like David, as far as where to start? And how has your plan changed as far as where we used to be at, now to the large-scale breach world?
I think that a lot of what we’re talking about these days is the increased risk, but clients, oftentimes, are sort of overwhelmed by the amount of data that they have out there, and it seems like it’s too big of a job. So, we really counsel them to sort of start by turning off the tap. If you’re filling up a bathtub and you’ve got a ton of stuff in there, let’s just start by turning off the tap. And by that we mean really start with what you’re creating now, and getting that classified and getting a process in place. And then once you’ve done that, you can go back and remediate all the stuff that’s sitting out there that is unclassified.
Like I said before, there seems to be – comparing what we’re doing now to 10 years ago, nobody was really… everybody was interested in IG but nobody was doing IG, because they didn’t have the funding for it. And now, I think that there is a lot more funding for it, because it’s a recognized risk. And once you have to remediate that risk, people start to give you the resources to do that.
So, Shehla, how are carriers like AXA XL actively participating in or evaluating your insurance security programs? Are you guys a part of this IG exercise and strategy, so to speak, even if it’s tangentially?
I think one of the things that we’re looking at is what kind of information do you have, what kind of information are you storing, what potential exposure are you creating for yourself. But then also taking a step back and saying, “OK, what security protocols do you have? What do you have in place? Are you using multi-factor authentication?” I think that’s… I think MFA has become a really hot topic as we’ve moved through the pandemic, tying back into what we were talking about earlier. As we’re coming into more people working remotely, what are you doing to secure your access to the network? Are you having a two-step process where people can’t just log in? Because that’s pretty easy for someone to steal someone’s credentials, but if you have that two-factor authentication, I think, in general, it’s making carriers feel better about what you’re doing for your network and what you’re doing for security.
I think, obviously, there’s a look at what sort of incident response plan do you have. What’s your plan if something does happen? Do you have something in place?
I’ve said this before, I think I was probably saying this to Andrea, an incident response plan is great, it’s a piece of paper, it tells what you’re going to do, but it’s an ideal situation. This is what we’re going to do. And sometimes, and what’s unpredictable is how much a company is actually going to stick to their incident response plan, and that’s something that I think needs to – companies, in general, need to look at and spend some time.
I think that the last year and a half has definitely had an effect on the cyber market as a whole, whether it’s from the forensics standpoint, whether it’s privacy counsel, whether it’s as a carrier, we’re definitely seeing that. We’re seeing claims increase. And so, I think carriers are continuing to evaluate what are you doing. Are companies doing any sort of training program for their employees? Are you sending out phishing emails and seeing who clicks on it and offering any sort of training to them? Like we were talking about earlier with vendor access to your network, what safety protocols are in place there? What are you doing to prevent a threat actor accessing your network that way?
So, those are the things that I think are always being evaluated and looked at from the carrier perspective.
I love that whole turn off the faucet approach, because everybody does – when I’m talking to them, they seem to want to go backwards in time and, of course, we have this risk, but I think sometimes it’s so much easier to start a new going-forward plan.
Do you ever see anybody who is really building in, “Hey, we’ve had a breach”, most incident response playbooks that I see, they really are centered around the security outfit, and legal is certainly involved in that playbook? We’re spending a lot of time with some clients, now, really starting to advise them around, “Here’s what’s going to happen if you do have a breach outside of the security elements and the IT framework, here’s how you close it”. But then there’s this whole other massive paradigm of cyber discovery and breach notification, and I think that can be just as crippling for an organization as the actual hardware breach.
Are you seeing clients starting to ask about, “Hey, what do we actually do if this happens?” Maybe this is for Andrea or anybody else here, that they’re building the post-breach discovery process into their incident response plan. Or is that purely a legal function still?
No, I think that we’re seeing that. I definitely think we’re seeing it. I think that’s one of the services I know AXA XL provides is we will have an onboarding call. OK, now we’re insuring you, let’s talk to you. Let’s talk about what services you have access to. And one of the biggest things I always say to any insured that comes on is before you have a breach, go ahead, and spend the time. Spend the time to get to know which one of the forensics firms you like, which one of the breach counsel you like, so that you can sit there and say, “OK, this is what we want to do”, so that they feel comfortable and they feel – they know who they can go to, and look at that, and look at what kind of notification obligations they have.
I think the other thing is a lot of companies don’t necessarily think about the regulatory side. They think, “Oh, we’ve got a breach”, and they think about the first party costs of, “OK, we’ve got this forensics, we’ve got to remediate, we’ve got to make decisions about whether or not we pay a ransom and how legal plays into that”, but they’re not looking to the next step, which is exactly what I think you’re talking about is, “OK, what else? What about the regulatory agencies? What are you going to do there? How are you going to manage that?” And that’s where I think having good privacy counsel really makes a difference, and having a good relationship with them, I think that really helps. I personally have seen that insureds that have taken that step to create a relationship with privacy counsel prior to anything happening, tend to have a better understanding of things like notification costs, call center costs, regulatory investigations, and notifications, so that they understand that potential exposure too.
So, I think that’s a good tipping point here into our next slide.
David, how do you go about kind of – and you’re on the in-house side, and we’ll go round robin with David, Andrea, to Shehla and then to Matt to talk a little bit more about the technical measures around data minimization. How do you go about building a scalable bench of in-house and external resources? And Andrea, what advice do you have as it relates to leveraging in-house client resources during a security incident versus pushing it to vendors, because I think that’s an important topic.
I think during a security incident, most of the in-house resources are pretty tied up just doing the remediation part of it. So, all those other pieces really end up getting outsourced. And one of the challenges, I think, we’re seeing these days, particularly in the US, is around privilege. So, when these companies have breaches, they want to go with somebody they’re comfortable with. And like Shehla said, if they’ve done their homework ahead of time, they know which forensics vendor they want to go with, they know who their privacy counsel is going to be. But sometimes they want to leverage whoever is doing their IT security already, and that can be problematic at times, because they have been directly engaged by the company. We can do some things to establish a privileged relationship with those companies, but that can be – it’s a little fraught with peril as it were, particularly given some of the recent decisions.
So, comfort is good, but I think there needs to be a line between the company’s usual data security folks and who they’re going to use in a breach.
I’ll just jump in, I completely agree. I think most notable is the Capital One decision, which probably sort of has everybody a little on pins and needles with how they retain the bench in the event of a breach. It’s also important to know, to Shehla’s point, that reports that are made for regulatory response are usually not privileged, so you may need to have siloed teams that (1) are working on the regulatory aspect, and others that are doing things that are more in anticipation of third party claims in litigation, so that you can maintain some privilege over those if they have distinct facets to them that you might want to retain privilege over.
The other thing I would note too is that, obviously, you’re going to get a bench of potential outside counsel from your carrier and it is absolutely vital to get to know them and to pick your favorite, but to also be prepared that in the event of one of these breaches that your outside counsel might find themselves conflicted out. So, you definitely need to sort of have 1A and 1B ready to go in the event that your outside counsel of choice is also representing, perhaps, somebody who is potentially oppositional to you in the breach.
So, definitely, this is one of these areas where it really pays off, in the end, to have all of these sorts of pieces of the puzzle put together. You do not want to be picking your breach counsel 48 hours into the event; you’re way behind the eight-ball at that point.
And then I’m sure that all the contracts that are floating around in an organization – so many contractual obligations. I spend, I feel like so much time at Haystack working through liability issues, and notification issues, and trying to get people on the same terms so that we can respond effectively, and nobody is burned in the event of something happening.
Andrea, how do you go in during a breach and try to assess who falls to the top of the chain here, as far as who has the worst set of terms for the organization versus who is reasonable? And what does that look like? I don’t know how you get around everything else going on. Is there a way that you guys prioritize trying to understand their third party obligations?
Are you talking about as far as breach response is concerned or the contractual obligations with customers and vendors?
More of the customers and the burden to notify.
Pretty early on in the process, we end up asking our client for any and all contracts that might be implicated by the breach, and doing a fairly substantive analysis of those obligations. But then we get to the point where we’ve got to delve into the data, and so that takes a while. So, we might have analyzed and identified 17 customers that we’re going to have to notify but we don’t have to notify them until we find out if their data has actually been affected, and that might take months depending on the volume of data that you’re dealing with and a number of factors.
So, it’s sort of a tiered process and it takes some time.
It would be nice if all those contracts were in one location and there was some contract management system—
Yes, it would be. I’m still waiting for contracts from Poland right now in one of my cases.
And Andrea, the other thing that I think becomes something that has to be managed in that situation is where you have the business relationship, where the company that’s been hit with this cyber incident or security incident wants to try to control their business relationships. So, they want to sometimes over-notify because they want to try to appear as if they’re being helpful and letting everybody know, without necessarily allowing that full contractual analysis to happen as to what obligations they truly have. And I think, sometimes, it’s a balancing act mostly that, I think, privacy counsel ends up having to have. But I think from my perspective, as the carrier, we end up having to look at that too to say, “Wait a minute, are you increasing our potential exposure by over-notifying, by letting customers that didn’t necessarily have data involved know about this incident yet? Hold on, let’s wait”. And because it can take so long to get through the data mining, and to determine what’s actually included and necessary, I think that can become an issue as well.
Yes, and I understand there are some clients who have like a marquee customer that if they lost that customer, their business would go under, and so I get it that they want to make sure to keep those folks really happy and really tuned in. But you’re absolutely right, over-notification can have its own perils.
So, again, I think data minimization is key as far as limiting any organization’s exposure.
Matt and David, let’s kind of jump forward a little bit. So, where do we start then again? What’s the short-term plan around data minimization? Matt, can you talk about some technologies that you’ve leveraged or what’s out there, in general? And then, Andrea, Matt, Shehla, why don’t you guys really talk more about the long-term plan, noting that there’s all these obstacles that we’re trying to minimize from a risk standpoint in the event of a security incident.
Thanks, Mike. And I think some people have talked about increased security ever since the pandemic, like two-factor or multi-factor authentication. And the reason that I was unable to get in, I figured out I have multiple Zoom accounts, and I’ve logged onto them from my computer before. Because I teach a class at LMU for cyber, and so trying to log in with my LMU account, and I guess the good news is, is that it worked, it kind of kept me from doing my bio, but having those additional layers of security in place are good.
Related to how do we get to this data minimization using technology, sometimes you’ve got to take a step back to take a step forward. And also, sometimes, the way that I approach this with clients is that we don’t necessarily want to boil the entire ocean. So, bringing together some of the thoughts that Andrea, and Shehla, and David have put out there is that from an organizational perspective, leveraging the data map and working with that steering committee that hopefully is in place at this point that has all these different siloed lines of business, if we have those kinds of foundational elements in place along with some retention policies, and legal hold policies that are effected out on the network, you can start to balance knowing where all of the information is that we process that has PII in it, for example. Or finding all of the intellectual property or critical information that’s that high value data that’s out on the network.
So, there’s a couple of different tactics from a technology perspective that we use to get there. One is to do like high level scanning of your high priority repositories, looking at metadata alone, at the beginning, enables you to take that large amount of data that you have and start to trim the corpus of… let’s say, you’ve got 500 terabytes sitting out on a network fileshare, but we have a retention policy that says anything over seven years old isn’t going to… it could be put into a data disposition workflow. And as long as it’s not on legal hold and it’s over seven years old and it’s in line with your organization’s standards that you’ve set up, just based on metadata alone, you can start making decisions at a high level on data that can enter that disposition workflow.
So, having visibility into metadata and where all that content sits out on the network, I think, is kind of like half the – that’s half the battle right there. We’ve run projects where we’ve been able to eliminate 82% of data on network fileshares without ever opening a document, because from a decision tree perspective, you can actually trim out the redundant, outdated, and trivial data that’s out there.
And so, every company might have different criteria for what I call ROT, redundant or duplicated, outdated, obsolete or trivial non-business related data, but that’s where I would begin from a technology perspective. And you don’t even have to do the full content scanning yet, but that would be where I’d want to get to, is to… once we’ve kind of trimmed down where all the good data is, I would want to be able to know what’s inside the content of those documents that remain, my high value information. Where is all that PII?
Is it, to David’s point, de-identified? Is it masked? Is it obfuscated? Or is all that data encrypted? And then if the malicious actors get and obtain my encrypted data, as long as they don’t have the key – I mean I’ll ask the panel – but I think we’re pretty safe. If they steal my encrypted or de-identified data, it’s really valueless to malicious actors.
Under most statutes. There are a few that – I find it ridiculous – that do not have an encryption exemption. But about 99% of the time, yes.
And healthcare, I think, is in the worst position where a name, in the US, in some ways, can require a notification to OCR.
So, I think some of the key points we talked about too, which is, I think, really interesting for me is, Andrea, the stop-the-faucet approach is almost somewhat starting with the long-term plan as far as here’s the tools and technology that you need to stop the inflow of data and to change the way you work today. A lot of organizations might think the short-term plan is to kind of remediate everything. Do you find that there’s just some organizations that just don’t have the resources to get to that long-term plan, or that they’re going in there, in some cases, it’s so easy just to step back and deal with the short-term data?
Shehla, maybe you can jump in here too, when you guys go in to talk to clients when they’re really at stage “short-term” and impact and things aren’t that great, let’s say, you are agreeing to insure them, are you setting benchmarks as far as their maturity that reduce their actual spend as it relates to policies? I know that’s more of an underwriting question, but I’m wondering if you have any feedback there. Is that in a plan and are your clients aware of that as well?
I don’t know, Andrea, if you guys are advising them in that way as well. How do you bring this all in from a spend standpoint?
Shehla, do you want to go first?
I was going to let you go first, but sure.
Yes, that is definitely an underwriting question in terms of setting benchmarks. I think that, from my perspective, it’s really dealing with the incident, whatever it is, and getting them through that and getting them to a point that they would have been at prior to that.
I think what happens then, the majority of companies when they have this happen to them, when they have some sort of security incident, to say, “Oh my god, we need to make sure this doesn’t happen.” It was too expensive, it took us offline, it cost us in multiple ways. And that’s when they tend to set their own benchmarks, and I think that that’s when they then come and say, “This is what we’re doing.” And a lot of what they tend to be doing depends on what incident actually happened. If it was a security incident due to the lack of multi-factor authentication, then they’ll start talking about, “OK, we’ve got multi-factor on this many devices,” and they’ll build out their goals as to how they’re moving forward. But I think that’s really how they tend to handle it.
But Andrea, I would defer to you as to what you’re all… I don’t know what privacy counsel does in that situation.
Well, I think you’re absolutely right, it really depends on the nature of the incident itself where everybody starts to focus first. In the incidents we’ve seen most recently, the big pain point has been all this data that was sitting around that shouldn’t have been sitting around. And so, the companies are really starting to get a handle on that and assess what’s actually necessary for the business and what do they have to keep from a regulatory perspective, and then trying to carve away all this data that just really has no value that people have either forgotten about or are/were keeping just in case.
I think, like I said before, information governance, as a whole, is very overwhelming for a lot of people and a lot of companies that have been keeping data as a stopgap against spoliation claims or any sort of regulatory problems. And so, we always sort of recommend to take a little bite-at-a-time approach.
And I think it is somewhat of a cyclical process in some ways, because when you think about the new remote world, you may be the most regimented organization with all of your policies, and all of a sudden… we hear about it from the most sophisticated organizations, you have a lot of departing employees. Where’s your laptop? Even some of the basic stuff, like the asset tracking when somebody leaves, which I think there’s a lot of risk out there. We talk a lot about threat actors, but it’s the insider threats as well. It’s the employees who just leave, they have a laptop that’s loaded with company data, it’s never returned. Where does it go?
So, I think you’re constantly having to reevaluate your policies and maybe you’re doing a better job at it in the long-term plan.
Mike, you know how you were just saying about that constant reassessing of the policies, the other place that, I think, they need to get to is that continuous monitoring of the most important data that’s out on the network. NIST is pointing you in that direction. The Sedona Conference rules or guidelines are pointing us in that direction as well. So, it’s both the policy and the technology side that need to have that continuous monitoring and updating going on.
We’re running out of time a little bit. David, go ahead.
I just was going to say, I think you brought up one of the most important points of all, which is that it’s your own house, sometimes, that is the biggest risk factor. Way too often do I see totally unnecessary levels of access to data for inappropriate roles inside of organizations, almost no provisional access control whatsoever. And those are the types of risks, actually, that will really be the ones, ultimately, to come up and bite you.
So, I think it’s an information governance policy, it’s a security plan, they’re interrelated. How do you go about – for everybody on this panel, starting with you David, and then Andrea, and Shehla – can you tell us how you support clients like David as they’re going to get budget and build consensus and get buy-in?
Again, I just think that this is – it’s about getting buy-in from the top of the organization. Realizing how important this has become, it has to be dictated, really, at the top, and you have to work across almost every silo in the organization to get people on the same page with just how important it is.
And I would say one of the things that we do, a lot of times, is sort of senior management and board briefings. I was talking at the very beginning of this call about something we’re going around and doing right now, which is ransomware lessons learned. And that sort of thing, when people start to hear about the experiences of all our other clients and the challenges that they’re having and the regulatory issues they’re facing, it starts to get much more real to them and they start to really understand what the risks are out there, and off of that, allocate more budget.
I would agree with Andrea. The thing that I’ve seen that’s the most effective is really doing sort of a tabletop exercise. And the most buy-in you can get is getting your C-suite involved in that tabletop exercise, getting them to set aside half a day or a full day to say, “OK, we want to see how this plays out”, and when they actually see how crippled they are, that’s when I’ve seen the most amount of interest in moving forward with, not just a security plan or an incident response plan, but with information governance and looking at data minimization, and how they can completely get involved and reduce their risk.
Shehla, I think in another forum, we were talking about adding to your tabletop plan this server was encrypted, what’s the oldest data that was on there, and having them go and look. Because all of a sudden, they’re like, “Oh my god.”
I was going to say, just having them understand the time that it takes to go look for that oldest piece of data and how long that can take, and how they’re just sitting there, I think that will be really eye-opening.
And we definitely have done exercises where, even in a general litigation, where we actually are going for an information exercise is going in there, sweeping the enterprise, coming in with high level reports where we start to actually calculate cost savings around some of the hard resources, storage, things you can actually calculate and put a dollar sign on. We’ve seen that, for some of our clients, be a great catalyst to go up to the top, to generate buy-in at the board level, at the C-suite, to actually start an exercise, even when it’s just not privacy-oriented.
So, we’re just about over time. Does anybody have any questions they’d like to raise in the chat? We’d be happy to field anything pretty quickly here. I haven’t really seen anything come in, so that’s fine. I’m sure you already would have had some.
I want to thank all of our panelists today for joining us here. Thanks so much for your time. I want to thank Privacy and Security for having us and allowing us to be here. This is a great conference. It brings so much value to this community. And certainly, all of you for joining, we really appreciate your time, we hope you’ve found that this presentation was informal but pertinent and invaluable to your days out there as privacy and security consultants and mavericks.
So, thank you very much, we appreciate it, and have a great day.
HaystackID is a specialized eDiscovery services firm that helps corporations and law firms securely find, understand, and learn from data when facing complex, data-intensive investigations and litigation. HaystackID mobilizes industry-leading cyber discovery services, enterprise managed solutions, and legal discovery offerings to serve more than 500 of the world’s leading corporations and law firms in North America and Europe. Serving nearly half of the Fortune 100, HaystackID is an alternative cyber and legal services provider that combines expertise and technical excellence with a culture of white-glove customer service. In addition to consistently being ranked by Chambers USA, the company was recently named a worldwide leader in eDiscovery services by IDC MarketScape and a representative vendor in the 2021 Gartner Market Guide for E-Discovery Solutions. Further, HaystackID has achieved SOC 2 Type II attestation in the five trust service areas of security, availability, processing integrity, confidentiality, and privacy. For more information about its suite of services, including programs and solutions for unique legal enterprise needs, go to HaystackID.com.