When it comes to incident response, it isn't all about forensics and technology.
Solution providers said this week's Equifax mega breach underscored that fact: the public criticism of the company's inadequate public relations and breach notification procedures shows why the "nontechnical" steps belong in an incident response plan.
Jeremy Samide, CEO of North Olmsted, Ohio-based Stealthcare, which offers incident response services as part of its security solution provider practice, said thorough incident response needs to include steps beyond forensics, including legal, regulatory and compliance, executive notifications, breach notification to customers, and more.
"You need both pieces," Samide said, referring to both the technical and nontechnical pieces, such as legal. "It's really that layered approach. … These are real risks."
Stealthcare regularly works with inside and outside legal counsel when it does incident response engagements with clients, according to Samide. Companies have different requirements for legal and regulatory involvement depending on their size and vertical.
The Equifax breach, disclosed Thursday, impacts 143 million customers of Equifax's credit and information services. The company said the breach included information on names, birth dates, Social Security numbers, addresses, and some driver's license numbers. It also included more than 200,000 credit card numbers and nearly 200,000 other documents with personal identifying information. It said the breach did not appear to impact its core consumer or commercial credit reporting databases.
Equifax has been heavily criticized by the public on Twitter and elsewhere for the quality of its response, including its offer of a year of credit monitoring services to those affected. It has also proved difficult for some consumers to find out whether they were actually impacted, with reports that the call centers set up to field questions do not have enough information to tell callers whether their personal information was exposed. The company did launch a site where users can check whether their information was included in the breach, but using it reportedly waives the user's right to join a class-action lawsuit.
Alton Kizziah, vice president of global managed services at Kudelski Security, said Equifax's response to the breach is "quite fast compared to what we see usually," but that the quality of the response was lacking. Kizziah highlighted the company's offering of credit monitoring services to affected customers as a "sad joke."
"I’m sure I have multiple free credit monitoring offers at this point," Kizziah said, adding that he appears to have been impacted by this particular breach. "Vendors should think about how to get better at response and the softer side of the actions they take afterwards. Free credit monitoring just isn’t valuable anymore and, in this case, it’s quite ironic."