Capital One’s breach serves as warning for PE

Capital One’s recent breach has financial institutions wondering if their cloud services are up to par. Find out what it takes to prepare for a worst-case scenario as a PE firm.

A hacker gained access to more than 100 million Capital One customers’ accounts and credit card applications on July 30. The suspect is accused of stealing 140,000 social security numbers, 80,000 bank account numbers, and one million social insurance numbers, the Canadian equivalent of social security numbers. More detail is available in the company’s press statement.

The fact that such a large breach was allegedly carried out by a single individual serves as a reminder for private equity firms to continuously make sure they are covered on the tech side, as well as legally, so they know what to do after a cyber-breach. It’s important to have a plan in place before a breach occurs for how to respond to potential backlash and questions from your clients, the media, and regulators.

“Your incident response policy has to prepare for the small breaches, medium breaches and the mega-breaches,” says Alysa Hutnik, the chairwoman of the privacy and information security practice at Kelley Drye & Warren. “Having an aspirational but realistic timeline of what happens in the first 12, 24, and 36 hours.”

Understanding the potential legal consequences, and making sure you take the right steps after a security breach, is vital. That includes knowing when you have to notify your insurance provider and affected consumers under the state data breach notification laws. PE firms must be cognizant of regulations such as the Safeguards Rule under the GLBA, which requires financial institutions to have security programs in place and “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information”.

“If the PE firm is SEC-registered, there is a risk of an SEC enforcement action or investigation for failing to take reasonable steps to protect client data,” Clifford Chance lawyers wrote in a note. “[This] does not mean perfect but must be adequate given the manager’s understanding of their cybersecurity. If the PE firm is not registered, there is no risk of SEC enforcement action, but private action does remain as well as possible state and other federal actions may apply.”

Financial institutions are currently ‘scrambling’ to shore up their firewalls and check whether data they store in the cloud can also be breached, the Clifford Chance lawyers went on to write.

It’s impossible to anticipate every potential breach, and mistakes will happen, but there is one way to limit the risk of a cybersecurity breach when it comes to working with a third-party cloud service, says Grigoriy Milis, chief technology officer at RFA, an IT and cybersecurity service provider.

“They need to ask their main service provider to provide some kind of compliance/configuration best practices reporting or evidence of the wall that they build around the workload and how they monitor if somebody is able to get through,” he says. Ideally, firms should monitor their cloud service regularly by asking their service provider to provide monthly reports, Milis continues.