
How Employees Discover Data Security Breaches

by John DiGiacomo

Partner

Data Breach

One thing that all data security breaches have in common is that someone must first uncover the breach and then report it to the appropriate parties (the employer, law enforcement, and the relevant state and federal agencies). For a business that is attacked and breached, a breach that goes undetected for a long time is especially costly: once the breach is finally identified, the business must simultaneously address the lost data, implement security updates, and issue notifications. Because cybersecurity and data protection practices evolve constantly, it can be difficult for companies to stay current with best practices for protecting data, which leaves them vulnerable to attack. Today it is less a question of whether a data breach will occur at a company than a question of when it will occur.

Who is Most Likely to Discover Data Security Breaches?

According to a survey conducted by AT&T, employees are the people most likely to discover data security breaches. This makes sense, since employees are the ones using the company's computer systems every day. But employees are also frequently the ones who cause or enable a breach in the first place: weak password practices and opening phishing emails that deliver malware or ransomware are among the most common ways a breach begins.

It is also increasingly common for law enforcement to be the party that identifies a data breach affecting a company. Nearly 25% of data breaches affecting companies are identified by law enforcement agents who have come into possession of files or data that they would not have unless a breach had occurred.

The Impacts of a Data Breach

Security breaches can be a real problem for an affected company. Often, systems must be taken offline in order to address the security vulnerabilities that were exploited, which translates to lost work time and production. Furthermore, once customers learn that there has been a data security breach at the company, the company is likely to suffer reputational damage or a loss of customers because trust has been damaged. It is important that companies affected by a data breach act quickly to address the problem and to notify the customers, partners, vendors, suppliers, and other third parties that may have been affected.

Work With a Data Breach Lawyer

It does not matter whether you run a large business or a small one: data security breaches happen. When a breach happens to your business, you need to be ready to act. Most companies prepare a response plan in advance of a data breach that lays out how the company will address the major events that follow once a breach is identified. Closing the system vulnerability, raising awareness about data security among employees, and notifying affected parties are all critical early steps that need to be taken after a data breach. Data breach notification laws vary from state to state, but the data breach notification lawyers at Revision Legal are ready and available to help you. Contact us using the form on this page or call us at 855-473-8474.

The Mean Time to Detection Problem

The interval between the moment a breach begins and the moment it is discovered, known in the security industry as mean time to detection (MTTD; the IBM and Ponemon Institute reports call the same measure mean time to identify), is one of the most consequential variables in determining the scope of harm a breach causes. According to that research, the average time to identify a data breach has historically exceeded 200 days, with additional weeks required to contain the breach after detection. These figures are averages across many industries and attack types, so a given organization's experience may be considerably better or worse, but the direction is clear: every day a breach goes undetected is a day in which attackers may be exfiltrating additional data, escalating their privileges within the network, or installing additional persistence mechanisms.

Long MTTD also directly affects legal exposure. Notification statutes in all 50 states begin their countdown from the point of discovery, not from the point of initial intrusion. A business that is breached in January but does not discover the breach until June has, in theory, complied with a 60-day notification statute if it issues notice within 60 days of the June discovery. Many statutes also require notice without unreasonable delay, so a fixed day count is an outer limit rather than a safe harbor. And a breach that remained undetected for six months invites negligence claims based on the failure to implement detection controls sufficient to identify the intrusion sooner.

How Breaches Are Actually Discovered: Data and Patterns

The methods by which data breaches are discovered fall into several distinct categories, each with different implications for how quickly a business can respond.

Internal Discovery by Employees or IT Staff

Employee-initiated discovery typically occurs when a worker notices anomalous system behavior — unusually slow performance, unexpected file changes, unfamiliar processes running in the background, or locked accounts. IT staff may detect breaches through network monitoring tools, security information and event management (SIEM) alerts, or during routine log reviews. The effectiveness of employee detection depends heavily on security awareness training and whether employees understand what normal system behavior looks like and feel empowered to report anomalies without fear of blame.

Third-Party Discovery: Customers, Vendors, and Security Researchers

A significant percentage of breaches are discovered not by the victimized organization itself, but by an external party. A customer may notice that their credit card was fraudulently charged shortly after making a purchase at a specific merchant, leading them to contact the merchant or their bank. A security researcher may discover a database left publicly accessible on the internet and notify the organization. A payment card processor may flag an uptick in fraudulent transactions that correlates with a specific merchant’s system. These external discovery events are often deeply embarrassing for the affected business, but more importantly, they signal that the breach has likely been ongoing for some time before the report arrived.

Law Enforcement Notification

Federal and state law enforcement agencies, including the FBI's Cyber Division, the U.S. Secret Service, and state attorneys general, frequently identify data breaches in the course of unrelated investigations. When investigators seize a criminal's computer and find databases of stolen payment card information or personal records, they can work backward to identify which businesses were breached. Businesses that receive an unexpected contact from a federal agent informing them that their customer data has appeared in a criminal investigation should immediately engage experienced breach counsel before responding to law enforcement. They should also confirm that the contact is genuine by calling the agency back through a published number before sharing any information, because unsolicited "we found your data" calls are a known pretext for social engineering.

Reducing Discovery Lag: Technical and Legal Best Practices

Reducing the time between intrusion and discovery is both a security imperative and a legal risk management strategy. Businesses should implement network monitoring and intrusion detection systems (IDS) capable of flagging anomalous traffic patterns, deploy endpoint detection and response (EDR) tools on all company devices, centralize logging and retain logs long enough to support forensic analysis (given dwell times measured in months, a retention period shorter than that leaves the investigator with no record of how the intrusion began), and conduct regular penetration testing to identify detection gaps. Security awareness training for all employees, not just IT staff, should include specific instruction on recognizing signs of a compromised system and the internal reporting procedure to follow.
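As an added illustration (not part of the original post, and not code from any product the post mentions) of what the "SIEM alerts" and "routine log reviews" described under internal discovery, and the centralized logging recommended above, look like in practice, the Python script below runs two simple detection rules over a handful of constructed OpenSSH-style authentication log lines. The log format, the four-failure threshold, the five-minute window, and the baseline of known source addresses per user are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH/syslog style (not real logs).
# A burst of failures from 203.0.113.7 ends in a successful password login,
# followed later by a normal key-based login from a known address.
SAMPLE_LOG = """\
Mar 14 02:11:01 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:03 web01 sshd[4121]: Failed password for jsmith from 203.0.113.7 port 51023 ssh2
Mar 14 02:11:05 web01 sshd[4122]: Failed password for jsmith from 203.0.113.7 port 51024 ssh2
Mar 14 02:11:06 web01 sshd[4123]: Failed password for jsmith from 203.0.113.7 port 51025 ssh2
Mar 14 02:11:08 web01 sshd[4124]: Failed password for jsmith from 203.0.113.7 port 51026 ssh2
Mar 14 02:11:09 web01 sshd[4125]: Accepted password for jsmith from 203.0.113.7 port 51027 ssh2
Mar 14 09:00:12 web01 sshd[5001]: Accepted publickey for jsmith from 192.0.2.10 port 40110 ssh2
Mar 14 09:30:40 web01 sshd[5002]: Failed password for root from 198.51.100.5 port 33001 ssh2
"""

# Assumed baseline: addresses each user has logged in from before (constructed).
KNOWN_SOURCES = {"jsmith": {"192.0.2.10"}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or None if it is not an auth event.

    syslog timestamps carry no year, so one is assumed (2024 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect(lines, known_sources, fail_threshold=4, window=timedelta(minutes=5)):
    """Apply two rules and return the alerts they raise, in log order.

    Rule 1: a successful login from an address that produced at least
            `fail_threshold` failures within `window` (brute force that worked).
    Rule 2: a successful login for a user from an address not in that
            user's baseline (new source, worth a human look).
    """
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        # Successful login: drop failures older than the window, then evaluate.
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= fail_threshold:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "ip": ev["ip"], "time": ev["ts"], "fail_count": len(recent)})
        if ev["ip"] not in known_sources.get(ev["user"], set()):
            alerts.append({"rule": "login_from_new_source", "user": ev["user"],
                           "ip": ev["ip"], "time": ev["ts"], "method": ev["method"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), KNOWN_SOURCES):
        print(alert)
```

Both rules only work if the sshd lines reach a central collector and are kept long enough to be searched; on a host where the attacker can edit the local log, a rule like this never fires. The new-source rule deliberately ignores the failure count, so it catches the case where the attacker arrives with a valid stolen password and no brute force at all.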

From a legal standpoint, businesses should have a written incident response plan that designates who within the organization has authority to declare a breach, defines the notification escalation path, identifies outside counsel and forensic investigation firms to be engaged, and sets internal deadlines for completing the initial notification analysis. Having this plan in place before a breach occurs dramatically reduces the chaos of the first 72 hours and helps ensure that notification deadlines are met. Contact the data breach attorneys at Revision Legal to help develop or review your incident response program. Reach us using the form on this page or call us at 855-473-8474.

Editor’s note: this post was originally published in February, 2017. It has been updated for content and clarity.

Image Credit: Techtw twyahoo.
