Target, eBay, Yahoo!, Equifax, Marriott…. This is not just a list of successful American companies; it’s also a list of companies that have experienced some of the largest, most costly and headline-grabbing data breaches in recent years. And their experiences are never far from the minds of data security crisis managers like Phyllis Sumner, partner and Chief Privacy Officer at King & Spalding.
Sumner knows her clients are aware of this list as well. She makes it her business to try to keep them off it, or to minimize the risk if they find themselves on it. Sumner has handled hundreds of cyber incidents, leveraging the lessons learned from each to help the firm’s clients respond reactively — and, more importantly, proactively — to address their cyber defenses. “These data breaches and privacy violations continue to play out in the media, and many companies recognize that they could easily be the center of the unwanted attention after a significant incident,” Sumner says.
As head of the firm’s Data, Privacy and Security practice, Sumner counsels corporate boards, senior executives and other clients about data breach prevention and protection, and how best to establish proactive emergency response protocols. “Companies recognize the need to be proactive and prepared for what may be an inevitable privacy or data security incident,” she says. “So, when they are faced with such an event, they can act effectively and respond efficiently in a way that will protect the organization, its employees, consumers, business partners and the brand.”
Indeed, Sumner says another positive development she sees is who within the company is now addressing these incidents. “It has become a discussion point at all levels within an organization, where it used to be more of an IT and security issue,” she notes. “Now it is an executive management and board issue.”
That changing attitude has made it easier for Sumner and her firm to work directly with clients to meet their cybersecurity and data privacy requirements, discuss proactive response plans and establish emergency protocol prior to an incident. “It is important to really get to know an organization, its culture and its people before you’re in the middle of a crisis. That way, we can have boots on the ground immediately and seamlessly support our clients.”
Crisis Is Our Day Job
As with any crisis, a solid plan and cool heads enable an organization to create order from the chaos. “That’s really our day job, and we do this a lot,” Sumner explains, adding that she and her team have handled hundreds of security incidents and privacy issues for clients. “We have directed internal investigations, collaborated with law enforcement, conducted forensic reviews, evaluated legal risk and obligations, and helped our clients work through difficult communication strategy questions in order to reduce risk while responding to a security incident,” she says. “And we recognize that’s not our client’s day job.”
Previously, Sumner served as an Assistant U.S. Attorney in the Northern District of Illinois and in the Northern District of Georgia, a role she says helped prepare her for work in cyber-incident response. “When you are in the middle of a crisis with a client and you are working sometimes around the clock as it is unfolding, you must be calm under pressure, reassuring and bring order,” she says. “And some of the high-profile matters that I worked on as a prosecutor really fine-tuned those skills.”
Now, Sumner frequently uses those skills to offer clients the assistance they need to craft and implement an enterprise-wide incident response plan (IRP) that includes legal and communications playbooks in the event of a data security incident. The firm also supplies a project manager, if needed, to help the client organize the many work streams that arise out of a significant breach. The task of maintaining order alone can quickly overwhelm company employees as they simultaneously strive to address the crisis as it is happening while continuing to operate the business.
How can a company proactively prepare itself and safeguard its highly sensitive data to prevent it from becoming the target of the next cyberattack? That’s where Sumner’s team comes in, conducting risk assessments and building within the organization its own customized IRP. “We customize the assessment and the IRP with the client based on its industry, the size of the organization, the culture, as well as the client’s particular risks,” she says, adding, however, that most IRPs have common elements that can be established early.
For example, Sumner explains that an important step is selecting the client’s incident response team. It needs to include the right cross section of individuals who will be the core decision makers during a crisis, as well as those individuals involved in addressing issues that arise. Sometimes, even that key task goes awry. “I have walked into security incidents when we had not been involved prior to the incident and come into a crisis center where there were 30 or more people in the room – so many people that the client itself was losing track of how many people were there, listening to very sensitive conversations,” Sumner says. “Clearly, it’s important not to make the response group so large that it’s unworkable.”
It’s also important to determine whether and when to engage legal counsel because establishing a privileged environment and communication channel is also an important part of an IRP. Likewise, it’s critical to determine whether and when to engage a third-party forensic investigator or examiner and to efficiently stop data loss, contain the incident and preserve evidence.
Critical First Days
Indeed, a company’s response in the hours and days following a cyber incident is crucial to its long-term reputation and corporate well-being. “Companies need to think about it in the context of what could develop down the road,” Sumner says. “For example, could other investigations evolve? Could regulators become involved? Or could litigation be likely?” That’s why in those crucial early days, it’s important to have a plan, a team and a process in place to document what is occurring to better aid later coordination with a variety of stakeholders, including law enforcement and regulatory agencies.
“Now, as we move to some very strict laws in the US and globally, the time frame to make all these determinations and notifications is shrinking fast and smart action is critically important, especially in analyzing those legal obligations.”
An IRP also needs a process for assessing what happened and why, and how the company can improve its response next time. “For our part, we must be proactive in developing an ongoing program that is reasonable for that company,” Sumner explains. That means continuing to evolve the process and regularly update and exercise the IRP muscle. This could involve making sure IRP team members — including lawyers, IT and security personnel — continue to communicate and perform risk assessments and gap analyses to ensure the company is able to effectively monitor, detect and address future security issues. Sumner says these forward-looking efforts also should include the executive and board level, so that the company’s leadership stays focused on this issue from a cultural standpoint.
“I do not view this role as a security issue for our firm or for our clients,” Sumner says. “I view it as a national security issue. As a country we have to come together and address some of these cybersecurity problems that we face daily — it has become a global security issue. If we can move toward cooperative work between the public and private sectors, we can address many of these security issues and make a difference.”