Vetting Breach Resolution VendorsTips for Choosing the Best Partner
Hiring a breach resolution vendor before experiencing a security incident is as important as buying a fire extinguisher before experiencing a fire, says security consultant Robert Peterson.
"Any company can be breached, and for some firms, an information security breach is probably at least as likely as a major fire," he points out. "You don't wait until the office is filled with smoke to place your fire extinguishers."
The first question organizations should ask vendors is, "How do you plan to estimate the real risks to my clients from a potential breach?" Peterson says in an interview with Information Security Media Group's Howard Anderson (transcript below). Another important question to pose to vendors, Peterson says, is: "How do you plan to estimate my organization's potential liability?"
In an interview, Peterson:
- Provides a list of important questions to ask breach resolution vendors as well as ideal answers;
- Advises that to negotiate the best price for breach resolution services, the best first step is "to put your company in a solid information security status" by conducting a risk assessment and implementing appropriate controls. That way, your organization can narrow down the post-breach services it would need.
- Stresses that organizations that have experienced a breach caused by willful neglect should "aggressively deal with the breach and fixing the vulnerability that was exploited. This is no time to drag your heels and try to minimize your costs."
- Describes the key elements of a breach response plan.
Peterson is the chief technical officer at ACR 2 Solutions, which provides information security risk assessment and risk management software to the financial and medical industries. In 2006, he created an expert system computer model of the NIST 800-30 risk assessment protocol for use in the banking industry. In 2009, he created a HIPAA version of the risk management software based on NIST 800-66. He holds three U.S. patents and was awarded the American Consulting Engineers Council Grand Award for Engineering Excellence.
HOWARD ANDERSON: Tell us a bit about your company and your role.
ROBERT PETERSON: I'm chief technical officer for ACR 2 Solutions. ... We specialize in automated information security risk assessments in the financial and medical industries. As CTO, my job involves keeping up with current standards of care in information security risk management. It's very much a moving target. Now, information breaches are a big deal, especially in the medical area. The costs to remedy medical identity theft can exceed $20,000 per patient. Costs in a financial information breach can also be significant. Bank officers and directors can be held personally liable if they do not provide adequate information security. ...
Breach Resolution Assistance
ANDERSON: Under what circumstances does it make sense to seek outside help with breach resolution? Is outside assistance most important for breaches over a certain size, for example?
PETERSON: Because of liability issues, any time you have a breach or potential breach, an outside response vendor is useful. Rightly or wrongly, they bring a level of credibility that's difficult to equal by the company with the potentially lost customer data.
ANDERSON: So does it make sense to size up potential breach response vendors before even experiencing a breach to help shorten the amount of time it takes to complete an investigation and mitigate the risks?
PETERSON: Absolutely. The time to select a vendor is before you need one. Any company can be breached and, for some firms, an information security breach is probably at least as likely as a major fire. You don't wait until the office is filled with smoke to purchase fire extinguishers.
Questions for Breach Response Vendors
ANDERSON: What are the most important questions to pose to a breach response service vendor before you select one?
PETERSON: There are three basic functions to be provided by a breach consultant during an engagement. The first one is assessing the real risk to my clients. The second is assessing the liability to my organization and the third is advising me on what do we do next.
To start at the top, the real risks to a client from a breach are not always obvious. It depends very much on the details of the breach. The potential consultant should be asked the question, "How do you plan to estimate the real risks to my clients from a potential breach?" Not every incident is a breach. A good answer here would be, "We'll review the records' content, the storage details, the breach details and write an assessment of the risk." A possibly better answer is, "We'll re-enact the breach and experimentally determine if client data is actually at risk." And a not-so-good answer that you will hear a lot is, "It depends on the details." That's probably accurate, but that's not enough information to select a consultant.
The economic value of a breach consultant on this task is substantial. The interim final rule on [healthcare] breach notification [states:] "If a covered entity promptly investigates a recorded breach and can swiftly conclude that there was no breach, then the covered entity need not send out breach notifications." This is huge. If you can determine through your consultant the data was improperly accessed, but it was not put at risk, this could save you literally millions of dollars. Many times, real risk levels are not obvious - for example, theft or loss of a backup tape in an obscure format. This is where breach consultants can provide invaluable and credible support if they have the expertise and can testify to it in court.
Once you determine the real risks or determine that your consultant can do that, the next question is, "How do you plan to estimate my organization's potential liability?" And key words and phrases to listen for this include: negligence, reasonable and appropriate, willful neglect and reasonable diligence. Under HIPAA [Health Insurance Portability and Accountability Act] and GLBA [Gramm-Leach-Bliley Act], a breach is not, in and of itself proof of negligence. The HIPAA standard for information security involves implementing reasonable and appropriate safeguards against reasonably foreseeable risks. This is also true for financial data under the Gramm-Leach-Bliley Act. Absolute security is not required, and it's not even theoretically possible. With enough resources, any system can be breached, including the Pentagon, which was penetrated last year. Assessing an organization's liability involves considering the risks of the data, reviewing the procedures and safeguards in use, and comparing the safeguards to some standard for "reasonable and appropriate."
An important sub-question for the consultant is, "What standard ... do you use to determine reasonable and appropriate?" An acceptable answer would be along the lines of; "We use the International Standards Organization ISO 27001 and 27002." A better answer is, "We use the standards published by the National Institute of Standards and Technology." The HHS Office for Civil Rights [oversees] HIPAA compliance, and they cite the NIST protocols as the industry standard. Both the OCC [Office of the Comptroller of the Currency] and the OCR are required to use NIST protocols internally. It just makes sense to use the same protocols.
Unfortunately, a common but not a real good answer, for a reasonable appropriate standard is: "We use a proprietary set of standards based on our many years of experience." Well I'm sorry, I've met a lot of smart people out there, but, "I'm Dave and I'm real smart," just doesn't carry the same weight in court as, "This is how the federal government said to do it."
Failure of an organization to comply with reasonable and appropriate [standards] can be costly. Under HIPAA, an organization that commits willful neglect of HIPAA security rules can be fined a minimum of $50,000 per incident up to $1.5 million in a single year. This is not theoretical. Tennessee BlueCross BlueShield was fined $1.5 million under that statute. Under the Gramm-Leach-Bliley Act, bank officers and directors can be personally liable for $11,000 per day a violation. They can lose their banking license and, in some cases, receive up to five years in prison. Understanding your liability is key to managing it.
Now if your consultant determines that you're actually guilty of willful neglect - which is unfortunately common - and you have a breach, it's critically important that you aggressively deal with the breach in fixing the vulnerability that was exploited. This is no time to drag your heels and try to minimize your cost. If you're visibly doing everything possible, you may get some consideration from the regulators, even if you started the situation with willful neglect.
At this point you should be almost ready to select your breach consultant. Hopefully you will have two or three that meet the basic requirements. And the last question would be, "How soon can you get started if we have a breach?"
Elements of Breach Response Plan
ANDERSON: What are the key elements of a breach response plan, and which components of breach resolution are best suited for outsourcing to a vendor?
PETERSON: The key tasks for breach response are, first, assessment of the actual risk, and second, notification of all of the potential clients. We have already discussed the actual risk assessment and it's key to have a credible outside consultant do that assessment, particularly if the results end up in your favor, which is often the case. The ability to notify all of your customers is important, and it's not easy. ... I doubt that very many organizations have got absolutely current address information for all of their thousands of customers. This is where an experienced consultant can be a big help. They know a lot of tricks.
Negotiating the Best Price
ANDERSON: What insights can you offer on negotiating the best possible price for these breach resolution services then?
PETERSON: A lot depends on whether or not your organization is in willful neglect. If you have never done a risk assessment or it's more than a year old, you're in willful neglect and if you have a breach, your issue isn't cost, it's survival. Red Adair, the oil well firefighting expert, was once asked, "How much will it cost to put out my oil well fire?" His response was, "Sir, if you can ask that question, you don't need me bad enough yet."
Now if you're not in willful neglect, you've got a lot more options and you need a lot less service. You need to know what your information security status is, and there's not much of an excuse for not having that information at your fingertips. There are literally thousands of consultants who can write up a risk assessment. There's software available from multiple sources. If you don't know what your risk status is, you're playing Russian roulette with your customer's data. If you've got a solid program, you don't need a lot of expensive services. If you don't have a solid program, you need everything you can get. When you're looking at cost, the fastest and cheapest thing you can do to negotiate the best price is put your company in a solid information security status and then only negotiate for the stuff you still really need.
Finding a Partner
ANDERSON: Finally, do you have any other tips on how to select the right breach response vendor partner?
PETERSON: Again, the main thing depends on how vulnerable you currently are. If you have legitimately implemented reasonable and appropriate safeguards using a recognizable objective standard against reasonably foreseeable risks, you don't need a lot of help. If you need a lot of help, price becomes a lot less relevant. The best thing you can do to reduce the price is do your risk assessment, set up your program, get your situation under control and then get whatever is left over. You're not required to be bulletproof. You're required to be reasonable and appropriate, so the more stuff you've already got in place, the less of damage a breach is. If a breach happens, and you have already implemented your reasonably appropriate safeguards, it's still your loss. You still have to fix the vulnerability, but it's no longer your fault.