A “novel” virus is one that has not been previously identified, according to the Centers for Disease Control and Prevention.[1]  In 2000, like the COVID-19 virus that was officially named on February 11, 2020, the ILOVEYOU virus became a global pandemic for data systems.  Within days, millions of computers were infected as the virus compromised files and caused widespread email outages.  The virus appeared in inboxes as fake messages with infected attachments:

Since then, scores of novel viruses have been deployed as destructive malware.  The ILOVEYOU virus, MyDoom worm, SOBig spam, and WannaCry ransomware alone are said to be responsible for $95 billion in financial damages.  As a result, anti-virus software has become a multi-billion-dollar, must-have computer program, and cybersecurity has become a multidisciplinary industry fighting an evolving threatscape.

Step 1 – Be Ready

Given the importance of data, preparing for the destructive traits of viruses and other malicious software is a business imperative.  It is no longer adequate to only prepare for “if” a cyberattack will occur but “when” it occurs is also a must.  As Ed Yong searingly wrote in his article about COVID-19’s arrival, “Hypotheticals became reality. ‘What if?’ became ‘Now what?’”[2]

Recent legal decisions provide guidance.[3]  For example, last summer the Federal Trade Commission announced a $700 million settlement with Equifax for “the 2017 data breach that jeopardized the personal data of a staggering 147 million people.”[4]  In the settlement agreement, Equifax agreed to implement a comprehensive written information security program (“WISP”) with at least 26 different requirements including a procedure for reporting incidents.[5]

Recent laws also provide guidance.  For example, the New York Department of Financial Services’ cybersecurity regulation, which applies to all organizations operating financial institutions and their third-party service providers, requires covered entities to have a written incident response plan (“IR Plan”).  The plan must include detailed response processes that articulate communication, documentation, and evaluation activities.[6]

Step 2 – Have a Plan

“Everybody has a plan until they get punched in the face,” said a former heavyweight boxing champ.  Despite becoming infamous in and out of the ring, the sentiment remains true; you cannot be prepared for everything.  But the right preparation and plan can lessen the sting of the blows when they happen.

As a starting point for an IR Plan, define such basic elements as the plan’s purpose and scope, who will be responsible for its administration, and the procedures that will be followed.  Included in the procedures should be details relating to detection and discovery of the incident, and then containment, remediation, and recovery from its grasp.

Next, adopt a reliable framework.  As noted here, here and here, regulators have endorsed certain frameworks including the National Institute of Standards and Technology Cybersecurity Framework (“CSF”) and the Center for Internet Security’s Critical Controls (“CIS Controls”).  The CSF integrates industry standards to help organizations manage their cybersecurity risks.  It is a guide divided into five functions.  Under the fourth function, titled “Response,” is guidance relevant to the communication, analysis, mitigation, and improvement of an IR Plan.

To go with the CSF, NIST has published the Computer Security Incident Handling Guide (“Guide”).[7]  The Guide is a 70-page publication for a more “complex undertaking … [that] requires substantial planning and resources.”  The Guide has an incident handling checklist and 20 recommendations for an IR Plan that include these key features:

  • Know your data – understand the normal behaviors of networks, systems, and applications so that when abnormalities occur, they are noticed.
  • Have a knowledge base – including general information from previous incidents, as reference points for early detection.
  • Document and timestamp steps taken – in addition to serving “as evidence in a court of law if legal prosecution is pursued,” this leads to less errors.
  • Include reporting provisions – specify “which incidents must be reported, when they must be reported, and to whom they must be reported.”
  • Follow established procedures for evidence – document how all evidence has been gathered and handled, and how and whether counsel is involved.
  • Meet afterwards – in the use of an “incident as gift” category, lessons learned help improve security measures and processes.

Similar to the CSF and the Guide, the CIS Controls were developed to help organizations manage cybersecurity risks.  The CIS Controls consist of 20 controls divided into three categories: basic, foundational, and organizational.  No. 19, titled “Incident Response and Management” includes these main points:

  • Define Roles – ensure that the IR Plan defines roles of personnel as well as phases on incident handling/management.
  • Have Contact Information – assemble and maintain information on third-parties to be used to report a security incident (e.g., law enforcement and vendors).

In addition to meeting industry standards, adopting the right framework can have the benefit of complying with specific laws.  For example, following such states as New York and Ohio, Utah is poised to pass a law that provides, if at the time of a data breach a covered entity has created, maintained, and complied with a written cybersecurity program that incorporates an industry recognized cybersecurity framework – i.e., the CSF and CIS Controls – it has an affirmative defense to a civil tort claim.[8]

Step 3 – Train, Practice, Refine

Heroes emerge amidst chaos.  As prime examples, the tireless medical workers and fearless essential workers confronting COVID-19.  In this context, heroes have also informed about the benefits of an effective IR Plan.  A prime example, H-E-B, a supermarket chain in San Antonio, Texas, which has not let employees go but has given them raises, has effectively managed product shortage, and implemented policies to ensure COVID-19’s impact is minimal.

As told by the Texas Monthly, H-E-B learned vital lessons from the 2005 H5N1 and 2009 H1N1 pandemics (the bird and swine flus) and has been working on its IR Plan ever since, including year-round by at least one person.[9]  After those outbreaks, H-E-B amended its plan to require establishing relationships with its counterparts to talk about mutual challenges.

As early as February 2, 2020, H-E-B began to activate its IR Plan – only two weeks after it was announced COVID-19 was spreading – and was able to learn firsthand what was happening in China, Italy, and Spain.  H-E-B then modeled what was taking place in these locations based on the detailed data it gathered.  This enabled it to be prepared for workflow adjustments and deploy key team members, all according to its plan.

Just as disasters test regimes, cybersecurity incidents test organizations.  Some fail and don’t survive.  But with an IR Plan that has been properly designed and tested, an organization greatly increases its chances of survival.  In other words, an effective IR Plan will not be “the crack that split apart the rest of the response, when it should have tied everything together.”

If you have questions about WISPs and IR Plans for cybersecurity, please contact Romaine Marshall, who has represented clients in more than 100 cybersecurity incidents, at romaine.marshall@stoel.com or (801) 578-6905, or Jose Abarca at jose.abarca@stoel.com or (801) 578-6948.

_________________________________

[1] https://www.cdc.gov/coronavirus/2019-ncov/faq.html#Coronavirus-Disease-2019-Basics

[2] https://amp-theatlantic-com.cdn.ampproject.org/c/s/amp.theatlantic.com/amp/article/608719/

[3] https://www.stoelprivacyblog.com/2019/10/articles/privacy/achieving-industry-standards/

[4] https://www.stoelprivacyblog.com/2019/08/articles/privacy/recent-ftc-enforcement-actions/

[5] https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_order_signed_7-23-19.pdf

[6] https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf

[7] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

[8] https://www.stoelprivacyblog.com/2020/02/articles/lawregulation-update/utah-considers-a-cybersecurity-safe-harbor-as-ransomware-runs-riot/

[9] https://www.texasmonthly.com/food/heb-prepared-coronavirus-pandemic/