I. Cyber Security Breach Planning
Due to the increasing number of significant data breaches, often involving consumer financial data or, in the case of health insurers and medical providers, personal health information, aviation industry players have in turn been compelled to grapple with advanced approaches to data security. While data security was once limited to the realm of firewalls, encryption, and security software, all of that has changed in the last decade. An international cybercrime ecosystem has become highly sophisticated, and the lone hacker is fading as a threat. What has emerged is an organized, specialized, and well-monetized cybercrime marketplace of criminal rings, hacktivists, and nation-state actors, estimated in the last 18 months to be worth $104 billion annually. In contrast, only $46 billion is being spent to stop attacks.1 Phishing, jamming, malware injection, distributed denial of service, and WiFi attacks in the aviation space have either already occurred or are, according to many experts, inevitable.
But because companies in the aviation industry collect much of the same personal identifying information and data, common and not so common, as other large corporate targets of breach, the growing volume of data collected, whether voluntarily or as required by governmental authorities, makes a well thought out data breach response plan all the more important. Indeed, the most significant damage in data breaches in the near future may involve loss of international consumer data, data that is particularly common to the day-to-day operations of international air carriers. When the General Data Protection Regulation (GDPR) takes effect in May 2018, any airline that handles the personal data of individuals in the EU must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to those individuals, and where the risk is high must also notify the affected individuals themselves. Sanctions for violating the GDPR may run as high as 20,000,000 EUR or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.2
Passport and citizenship information, government-issued identification numbers, financial data, product preferences that may reveal health conditions, and other discrete personal information about customers and employees alike, all collected by the air transportation industry, make effective data breach plans and their parallel cybersecurity incident response plans (CSIRPs) an essential component of enterprise risk management. Such plans are often extremely detailed and lengthy, and will eventually rival the well thought-out plans for other, more developed aviation disaster scenarios; that sophistication is necessary, as the threats unique to data breaches are not going away. Per the Identity Theft Resource Center, 533 breaches in 2015 exposed more than 140 million records, and the average consolidated cost of a data breach in 2015 was $3.8 million.3 While coverage of data breach response planning can fill hundreds of pages, some basic components of such plans, covering IP, customer, and employee data, are presented here for your consideration.
A. Data Breach Response Plans/CSIRPs: The Six Essential Components
i. Senior Leadership Involvement
The success of any data breach response plan begins with (a) reducing it to writing, and (b) early and significant involvement of senior executive leadership in its preparation, development, and implementation. The protection of customer and employee data is often viewed as an IT function, but there is an increasing trend toward separating the responsibilities of a Chief Privacy Officer (CPO) from those of the Chief Information Officer (CIO), and more and more companies have created the title of Chief Information Security Officer (CISO). The importance of involving senior leadership early in preparing and implementing data breach plans is borne out by the numbers: in 2015, losses to U.S. companies from unauthorized use of computers by employees alone were $40 billion.4 Average loss in brand value, depending on the type of data compromised, was $184-$330 million per affected U.S. company in 2015.5 These numbers, and their impact on overall enterprise value, speak volumes to the wisdom of having senior management involved in data breach response planning.
ii. Nuts and Bolts of the Plan: The Response Team
With respect to the nuts and bolts of an actual data breach response plan, the personnel designated in advance are the bedrock of the plan. The plan begins with a designated incident lead, usually the CPO, the CISO, or an individual with experience in data privacy law; a public relations representative; and one or more members of the executive leadership team, to ensure decisions have management support and to maintain lines of communication with the board, investors, and other stakeholders. IT specialists in networking, database management, applications, and mobile technology, preferably with forensic experience, will be required. Rounding out the team's "must haves" are legal personnel, who should determine the notifications required under applicable laws and regulations; customer service/customer care representatives, if customer data is at issue; HR representatives, if employee data has been breached; a risk management professional, if insurance has been placed (see infra); and, in a publicly traded company, an investor relations specialist.
With respect to external partners, most data breach plans should include pre-arranged options for outside forensic investigators, outside legal counsel, crisis communications professionals, and data breach resolution providers. These external providers can be, and often are, important intermediaries with regulators as well as law enforcement officials.
iii. Cyber Insurance
Reputational risk from breaches handled incorrectly is significant. Cyber insurance is rapidly increasing in popularity, and policies often include an external audit component that increases preparedness for a breach while requiring up-to-date plans and drills.
iv. Communication Is Essential
Communication from the moment a data breach is discovered, through the point of mitigation, is essential. Many air transportation companies have communication materials developed for a variety of data breach incident types, e.g., a breach of sensitive internal employee information versus a breach affecting customer data. Model public Q&A drafts should be considered for use with internal and external stakeholders, as should letters to customers from senior management and internal memoranda to employees. While templates may be developed for these communications, each constituency will ultimately want answers to variations of the same questions: What happened? What does the breach mean to me, and how does it affect me? What does the breach mean to the company?
v. Preparing to Test the Plan
With a data breach response plan in place, best practice dictates that the plan be tested and practiced. Training specific to individual departments should flow from the response team. In addition to simulation exercises involving all departments, the prudent company invests in the following activities before a breach and before testing its plan:
- training employees to integrate data security into their daily work habits;
- developing and maintaining security and mobile device policies that are kept current, communicated to all employees and business partners, and able to withstand the minimum expectations of regulators;
- investing in firewalls, encryption, and security software, and updating them regularly;
- limiting employees' access to only the physical and electronic data their job requires (least privilege); and
- training and retraining employees at least once a year, either through in-person live training or an online module.
vi. Testing the Plan
Response exercises should, as a best practice, be conducted at least yearly. Because the first 24 hours following discovery of a breach are critical, drills may want to focus on this period. In a desktop simulation exercise, testing multiple scenarios is key. Like mass disaster drills, data breach drills can be as sophisticated as you like. An outside facilitator can develop a tabletop exercise of less than four hours, including debrief, that unfolds in real time and that includes communications challenges such as media leaks, customer complaints, financial market reactions, employee and business partner questions, social media reaction, and inquiries from law enforcement and State Attorneys General; each of these can bring a bracing, if not sobering, sense of reality to the risks presented.
Cyber security breach planning is more crucial than ever to overall aviation enterprise risk management. The sheer cost of a breach, in management time, litigation expense, and damages, coupled with potential regulatory sanctions, makes the creation of a robust security breach plan by senior management an organizational priority.
1. See "Breaking the Cyber Attack Lifecycle," Hewlett-Packard Enterprise, 2015.
2. General Data Protection Regulation, Article 83.
3. See "2015 Cost of Data Breach Study: Global Analysis," Ponemon Institute & IBM, 2015.
4. See "Is Your Company Ready for a Data Breach?," Ponemon Institute, 2015.
5. See "Reputational Impact of a Data Breach Study," Ponemon Institute, 2015.