Kaylee Cox is an Associate in Holland & Knight's Washington D.C. office

The Merchant Financial Cyber Partnership ("the Partnership") recently released eight recommendations aimed at enhancing the data security of the payments system across the merchant and financial industries. The Partnership was established by leading industry groups in the wake of the well-publicized data breach incidents that occurred last year. The Retail Industry Leaders Association (RILA) and the Financial Services Roundtable (FSR) led discussions in the establishment of the Partnership in February 2014, accompanied by other key representatives, including: the American Bankers Association (ABA); the American Hotel & Lodging Association (AH&LA); The Clearing House (TCH); the Consumer Bankers Association (CBA); the Food Marketing Institute (FMI); the Independent Community Bankers of America (ICBA); the International Council of Shopping Centers (ICSC); the National Association of Convenience Stores (NACS); the National Grocers Association (NGA); the National Restaurant Association (NRA); and the National Retail Federation (NRF).

The Partnership focuses on exploring methods to increase information sharing and enhance card security technology for payments systems. Key representatives from financial services, merchant industries, and the government sector collaborated for nearly a year to develop the following recommendations. The recommendations fall into three categories: Threat Information Sharing, Cyber Risk Mitigation, and Advanced Card Technologies. The recommendations that most directly affect individual companies relate to Cyber Risk Mitigation. These recommendations include:

  • Hosting a joint "table top" cyber exercise with financial and merchant institutions to simulate a significant attack against a processor, or against multiple processors simultaneously, that degrades the ability to conduct commerce.
  • Leveraging the National Institute of Standards and Technology's (NIST) ongoing workshops to implement and refine the voluntary NIST Cybersecurity Framework and drive its adoption, in coordination with existing work by the FSSCC, FS-ISAC and other relevant bodies, and developing a compendium of leading practices.
  • Developing a paper on breach notification response programs.

We believe the Partnership has set forth several very important recommendations, and we assist companies in implementing many of these steps. We regularly review incident response programs and help identify gaps in policies and procedures. We also frequently conduct cyber exercises, sometimes in partnership with other vendors, to ensure that the exercises are realistic from a technological perspective. It is imperative to note, however, that conducting an exercise without legal counsel is a mistake and puts the company at a disadvantage. When a breach occurs, legal teams will largely be driving the response; at the same time, coordination with IT and information security teams is critical. We have developed our services to test coordination between technical and non-technical teams to ensure that companies are adequately prepared to act in concert during an incident.

No one is immune from the cyber threat, and the many high-profile breaches in 2014 are prime evidence of this fact. As such, it is critical that companies be proactive in their preparation for and response to cyber incidents, and it is highly advantageous for companies to exercise incident response policies and procedures for the first time in a controlled environment rather than during a live event. In addition, regulators expect companies to routinely test their data security programs, and periodic cyber breach exercises can help guard against allegations by plaintiffs' attorneys that a company failed to adhere to industry standards.1

Our Data Privacy and Security Team was asked to conduct more table top cyber exercises in 2014 than all prior years combined. We have found these exercises to be extremely valuable in getting to the heart of an adequate breach response program, and having a tested program will help decrease legal liability exposure when a real event happens.

Simulated cyber breach exercises provide numerous benefits to an organization; companies can expect the exercise to help evaluate response plans by:

  • Testing incident response policies and procedures to determine (i) whether personnel are following company protocols; and (ii) whether existing policies and procedures are sufficient to respond to a cyber incident
  • Testing cross-functional communications and cooperation across the organization
  • Testing the organization's ability and effectiveness in communicating internally and externally regarding a cyber incident
  • Testing collaboration and communication between technical and non-technical staff, business lines, and executives
  • Testing collaboration and processes between the organization and its third-party vendors
  • Testing litigation readiness
  • Ensuring appropriate communication protocols with IT and InfoSec
  • Ensuring appropriate vendor oversight and management protocols
  • Ensuring adequate board and/or senior management oversight
  • Ensuring preparedness for press coverage from a public relations/customer relations standpoint
  • Ensuring readiness for responses to congressional hearings and regulatory inquiries
  • Identifying technical and architectural gaps in company infrastructure
  • Identifying need for allocation of resources to various business lines and key stakeholders
  • Identifying areas of legal risk and/or potential liability
  • Evaluating internal privacy and security programs
  • Raising organizational awareness of various business departments and their respective interests
  • Allowing the organization to identify and improve upon areas of weakness before a real-life incident occurs

Footnote

1. In the consumer putative class action case against Home Depot, the plaintiffs have requested that the court enter an injunction "ordering that Home Depot, consistent with industry standard practices, engage third party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Home Depot's systems on a periodic basis." Compl. at ¶ 45, Earls v. The Home Depot Inc., No. 3:14-cv-4315 (N.D. Cal. Sept. 24, 2014) (emphasis added).