Familiarize yourself with these 10 post-breach responsibilities before formulating your credit union’s cyber crisis management plan.
We never think it will happen to us, that a cyberattack like February’s credit union phishing campaign will be successful. But what if it is? By now, you are probably aware that NCUA Part 748 Appendix A requires credit unions to have a data breach incident response plan. But before you author or update your organization’s cyber crisis management plan, consider the steps of an incident response.
Step 1: Attorney-Client Privilege
Data breaches may result in litigation against the credit union. Communication with an attorney for the purpose of obtaining legal advice regarding the incident is privileged, meaning it is generally not discoverable during litigation. Attorney-client privilege, afforded by the courts so that clients may speak freely with their counsel, is important when dealing with potential data breaches. Be sure to train your team on how it works and when it applies, and review and implement it in each incident response.
Step 2: Reconnaissance
Only after you’ve briefed everyone on attorney-client privilege should your incident response team members be made aware of a breach situation, including the impacted systems, potentially accessed data and containment actions. Remember, the clock may be running, as data breach notification laws obligate an entity to notify either a state/federal authority or the data subjects themselves within a certain period of time. Your team will need to work quickly to understand the situation and its impact. Include your communications team member at this stage so he or she can start monitoring social media and begin preparation of public statements.
Step 3: Post-Recon Actions
Add relevant stakeholders to the incident briefings as needed. The team may also want to evaluate any insurance policy obligations—for example, some carriers require that they be notified within a specified time period—and engage third-party assistance, such as outside counsel or forensics.
Step 4: Supporting Stakeholder Coordination
Incident response team members may want to keep their respective departments or groups abreast of the incident. This includes briefing management and executives but also informing employees who might have a “need to know” (such as tellers or call center representatives fielding questions from potentially affected parties). For credit unions with separate disaster recovery, business continuity or emergency management teams, this is the time to coordinate the plans.
Step 5: Law Enforcement Engagement Assessment
Law enforcement can bring powerful tools to the table—like prior experience with similar incidents—to assist the investigation, containment, remediation or mitigation efforts. Law enforcement can issue grand jury subpoenas, search warrants and wiretaps, and has the authority to delay notification obligations.
But having law enforcement participate may also have drawbacks. For example, it may have its own public relations interests as it tries to demonstrate action against a cybercriminal. Apart from messaging, credit unions run the risk of losing control of the investigation. Furthermore, law enforcement may ask to remove hardware for investigation purposes, which could result in a business interruption.
The decision of whether to involve law enforcement is an important one. Credit unions would be wise to have those discussions and set out guidance/criteria for making this decision during the planning period, before an incident occurs.
Step 6: Notification Assessment
In this stage, the team (primarily the legal team member) reviews breach notification laws and relevant contracts to determine whether private/public notification is required. Review of breach notification legislation and internal contracts can require a large number of man-hours and, if done by outside counsel, this can be a costly phase. As such, the finance department and/or insurance carrier should be consulted.
Step 7: Keep on Briefing Executives
Upon determination of whether the incident is indeed considered a data breach under the law, the executive team should be briefed again. Public notification could have repercussions for the credit union, so executives should be involved in any public-facing communication.
Step 8: Document Preservation
At this point, the incident response team decides whether litigation is anticipated. If so, it initiates legal preservation—meaning relevant documents and data are identified and protected from deletion until such time as the litigation, or the threat thereof, expires.
Step 9: Breach Notification
When all preparations are in place (but before the end of the data breach notification period), the team initiates data breach notification, including (where necessary) setting up a call center, sending notices, maintaining a website for sharing public information, and offering identity theft monitoring. (The breach notification stage is complex in its own right and warrants a separate discussion.)
Step 10: Post-Incident
Just because the notification is complete doesn’t mean the incident response team’s job is done. In the post-incident phase, the team is briefed on its winding-down duties, reviews the remediation plan, discusses attorney-client privilege going forward, prepares any mandatory regulatory disclosures, and updates policies and procedures. Lastly, the team should implement a data-retention plan designed to purge information that is no longer relevant or pertinent to the incident or credit union operations.
Like any project, incident response plans benefit from the author having a thorough command of the cybersecurity and regulatory landscape. Credit unions would do well to speak with cybersecurity vendors, outside counsel, and public relations firms to gain an understanding of what data breach response entails before implementing or updating their incident response plans.
Seth Jaffe, CBCP, JD, is official rocket scientist in residence for CUES strategic partner LEO Cyber Security, Dallas. Hailing from NASA’s Mission Control Center, he brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to 20-plus years of technical experience, Jaffe was previously a member of the data protection task force at a large law firm and served as the lead legal team member of an incident response team at a major U.S. airline. He also wears the general counsel hat at LEO.