It can happen to anyone – you’ve taken steps to limit your exposure to a cyber incident. You’ve purchased and implemented top-of-the-line IT solutions. You’ve carefully thought about security best practices and strived to adhere to them. But somehow, you’ve just become the latest victim of a data breach.
It might have been discreetly packaged ransomware hidden in a seemingly innocent application file. Perhaps it was the result of poor password management. Maybe your employees were duped by a convincing phishing e-mail. But at this point, the only question racing through your mind is, “What do I do next?”
Stop The Bleeding: Secure Your Operations
Move quickly to secure your systems and fix vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. Your first priority is to take steps to ensure it doesn’t happen again.
To do this, you will need to assemble a breach response team to conduct a comprehensive review. Depending on the size and nature of your company, it may include forensics, legal, information technology, operations, or other concerned stakeholders. If you do not have an internal response team, you should contact your Managed Service Provider (MSP) immediately. A reliable MSP should be able to diagnose the source of the breach, or work with a digital forensics team to do so.
Be sure to check your network segmentation. When you set up your network, you likely segmented it so that a breach on one server or in one site could not lead to a breach on another server or site. Work with your response team to analyze whether your segmentation plan was effective in containing the breach. If you need to make any changes, now is the time.
Find out if measures such as encryption were enabled when the breach happened. You will also want to analyze backup data to ensure no vulnerabilities remain. Be sure to review logs to determine who had access to the data at the time of the breach. Finally, update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change them, even if you’ve removed the hacker’s tools.
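As an added example (not code from the original article), here is a small Python script for the log review described above: given constructed access-log lines in an assumed format, it lists every account that touched the affected data store during the breach window, which is the set whose credentials need resetting, not only the attacker's entry point.

```python
from datetime import datetime

# Constructed sample access-log lines (not from any real system).
# Format assumed here: <UTC timestamp> <account> <resource> <action>
SAMPLE_LOG = """\
2024-03-01T08:12:05Z alice      customer_db READ
2024-03-01T09:40:11Z bob        customer_db WRITE
2024-03-01T11:03:27Z svc_backup customer_db READ
2024-03-01T11:45:00Z carol      hr_share    READ
2024-03-01T13:20:44Z alice      customer_db READ
2024-03-02T02:15:09Z bob        customer_db READ
"""

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """Turn raw lines into (timestamp, account, resource, action) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, resource, action = line.split()
        entries.append((parse_ts(ts), account, resource, action))
    return entries

def access_during_breach(entries, resource, window_start, window_end):
    """Summarise which accounts touched `resource` inside the breach window.

    Returns {account: {"first": ts, "last": ts, "actions": count}}. Every account
    listed held working credentials for the data while the breach was live, so
    each is in scope for credential rotation, not only the attacker's entry point.
    """
    start, end = parse_ts(window_start), parse_ts(window_end)
    report = {}
    for ts, account, res, action in entries:
        if res != resource or not (start <= ts <= end):
            continue
        entry = report.setdefault(account, {"first": ts, "last": ts, "actions": 0})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["actions"] += 1
    return report

def rotation_list(report):
    """Accounts whose credentials should be reset, sorted for the ticket."""
    return sorted(report)
```

With the sample data and a breach window of 09:00 to 12:00 UTC on 2024-03-01, the rotation list contains `bob` and `svc_backup`; `alice` accessed the same store only outside the window and `carol` only touched a different resource.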
Determine Your Legal Exposure
Depending on the nature and location of your business, you may face some legal implications related to a data breach. Most states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply to your situation. Check state and federal laws or regulations for any specific requirements for your business.
The first step in determining your exposure is to verify the types of information compromised, the number of people affected, and whether you have contact information for those people. Once you have gathered this information, report the breach to your local police department immediately. The sooner law enforcement learns about the theft, the more effective they can be in thwarting identity theft. If your local police aren’t familiar with investigating information compromises, contact the local office of the FBI.
If your data breach includes electronic health information, you will have additional considerations to account for. You will need to consult the Health Breach Notification Rule to see if your situation requires compliance, and if so, who you must notify, and when. Additionally, check whether you are covered by the HIPAA Breach Notification Rule. If so, you must notify the Secretary of the U.S. Department of Health and Human Services (HHS) and in some cases, the media. HHS’s Breach Notification Rule also explains who you must notify, and when.
Notify, Notify, Notify
While you might want to sweep a data breach under the rug, it is highly inadvisable to do so – both for the above legal requirements, and for the ecosystem of other individuals and entities who depend on your disclosure to stay safe.
You will need to notify individuals whose data was compromised as a result of the breach. If you quickly inform people that their personal data has been compromised, they can take steps to reduce the chance that their information will be misused. For example, criminals who have stolen names and Social Security numbers can use that information not only to sign up for new accounts in the victim’s name, but also to commit tax identity theft. People who are notified early can take steps to limit the damage through identity monitoring, among other measures.
When notifying compromised individuals, the Federal Trade Commission (FTC) suggests that you:
- consult with your law enforcement contact about the timing of the notification so it doesn’t impede the investigation
- designate a point person within your organization for releasing information
- consider offering a year of free credit monitoring or other support such as identity theft protection or identity restoration services
Most states have breach notification laws that tell you what information you must (or must not) provide in your breach notice. Unless your state law says otherwise, you’ll want to clearly describe what you know about the compromise, including how it happened, what information was taken, how the attackers have used the information (if you know), what actions you have taken to remedy the situation, what actions you are taking to protect individuals, and how to reach the relevant contacts in your company.
Learn From Your Mistakes
A comprehensive review of your information systems will eventually reveal the vulnerability that was used to compromise your data. However, the majority of data breaches are caused by two key attack vectors: stolen user credentials and human error.
To ensure that your organization is not breached again, you can get ahead of the hackers by regularly updating passwords and enrolling in a dark web monitoring service. This will ensure that you are alerted any time your credentials are for sale in the marketplaces cybercriminals depend on to gain access to your critical resources.
Lastly, you can take steps to transform your employees into your first and best line of defense. Consider a Security Awareness Training platform to execute simulated phishing campaigns and educate vulnerable users about security best practices. Otherwise, your organization is only one click away from yet another breach.