Be prepared for breach disclosure and a magnitude assessment

SEC breach disclosure rules

The Securities and Exchange Commission (SEC) announced revised rules for disclosing material cybersecurity incidents in June 2023. Those rules require mandatory reporting of material incidents within four business days of determining materiality. Every company has a different equation when it comes to gauging materiality because every business is different. You need to understand what compromised data you are dealing with to help inform that materiality determination. And you need to know which data stores were affected and what is inside them. That is where data discovery and classification come into play.

Data discovery and classification tools might be homegrown, meaning developed internally, or commercial off-the-shelf offerings. Tools run the gamut from backup and restore tools for data protection, data loss prevention tools, cloud access security brokers and data governance tools. When it comes to large data repositories in the cloud or on premises that might have data with more scale and variety, enterprises typically gravitate toward data security posture management (DSPM) tools.

Whatever your approach, being prepared by understanding where your sensitive data stores are located and categorizing the data inside of them will enable you to quickly evaluate the magnitude of a potential breach so you can make an accurate determination of materiality. While reporting a data breach will result in negative PR and reputational damage, accurately determining the magnitude of a breach helps you avoid having to publish multiple notifications to publicly revise the number and type of compromised records.

Overestimating the magnitude of a breach: Marriott International

The hospitality conglomerate Marriott International reported in November 2018 that hackers had breached its Starwood reservation systems and stolen the personal data of up to 500 million guests. The breach affected customers who had reservations with Marriott-owned Starwood properties, such as Sheraton, Westin, W Hotels and St. Regis. The breach started in 2014 and went unnoticed by Starwood for four years. Then, in January 2019, Marriott International subsequently reported the breach had affected 383 million records -- duplicates reduced the number -- and disclosed the breached data included 5 million unencrypted passport numbers, something it had not previously disclosed.

Underestimating the magnitude of a breach: MarineMax

Yacht retailer MarineMax reported a cybersecurity incident to the SEC on March 12, 2024, for an incident that occurred earlier the month. The company indicated it did not maintain sensitive data in the environment affected by the breach. Then, on April 1, MarineMax amended its SEC filing to indicate financial and personally identifiable information (PII) data had been compromised and reported that data affecting more than 123,000 customers and employees had been exposed during the cyberattack. The promptness of this disclosure could be due to the new SEC rule, which was already in effect.

In the case of Marriott International, the initial breach record count was reduced, but the company subsequently disclosed that passport numbers were included in the breached data. In the case of MarineMax, the company initially thought no sensitive data was compromised but subsequently had to disclose that financial data and PII for more than 100,000 people was compromised. The way these cases played out, both companies had to make multiple disclosures over time.

While I have no inside knowledge of either breach, my observation is that quickly conducting the most accurate inventory of where your sensitive data is located and what types of sensitive data are inside your data stores can minimize the reputational damage and compliance risk resulting from a breach.

Data discovery and classification dynamics

In the heat of the moment in a data breach, analysis and reporting missteps can happen. The consequences of not knowing where your data is located and what it contains makes a bad situation even worse when analyzing and reporting on the breach.

While you might have an internally developed tool to identify your data stores and categorize the data inside, the tool can be brittle and miss sensitive data. Internal tools frequently don't locate shadow data outside the control and oversight of IT and IT security teams. Maintaining a homegrown tool can also divert scarce resources from more impactful projects.

DSPM technologies are relatively new and are designed to discover, classify and monitor data stores at scale. Constituents I have spoken with typically uncover previously undiscovered sensitive data when they test a DSPM tool and compare it to their existing, homegrown or legacy tool for data discovery and classification.

While DSPM technology can help to accurately assess the magnitude of a breach, its major value is to help prevent a breach in the first place -- the posture management in data security posture management. Such tools also contribute to improving data governance and regulatory compliance. Understanding what sensitive data you have, where it is located and who is accessing it enables you to take action to mitigate risk and better secure the data. Remediation actions can take many forms, from encrypting or masking the data to revoking outdated access to sensitive data to decommissioning unneeded or deprecated data.

Getting ahead of the problem: Locate and categorize sensitive data stores

You can't secure and report on something you don't know exists. In the same way you might scan a network to understand what devices exist and their security posture, you need to scan for sensitive data repositories and understand what is inside of them.

Your data is dynamic. Lines of business and staff create, update or combine existing data stores. Some of this might be sanctioned, with IT having visibility to the data store; however, some might be unsanctioned, with someone taking the initiative to use data without the IT and IT security team having visibility to the new repository -- the shadow data problem. This data is ever changing and moving, and it requires continually rediscovering and reclassifying sensitive data across your environment, both on premises and in the cloud. Accommodating this data dynamism is where DSPM products shine and homegrown options frequently stumble. As I learned in scouting, the bottom line is to be prepared. Locating your sensitive data stores and categorizing the data inside them on an ongoing basis will enable you to better secure that data, recover it in the event of a ransomware attack and recover more quickly should a breach occur.

Todd Thiemann is a senior analyst covering Identity Access Management (IAM) & Data Security for TechTarget's Enterprise Research Group. He has more than 20 years of experience in cybersecurity marketing and strategy.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.