In our last two articles, we discussed how to protect your business against a phishing attack and five ways to avoid a data breach. But what do you do if you unfortunately experience this type of crisis? The following guidance from the Federal Trade Commission’s East Central Region (FTC) can help you make smart, sound decisions.
Here are three important steps to take following a data breach at your company:
Post-Data Breach Step No. 1: Secure Your Operations
Once you are the victim of a data breach, you want to work quickly to prevent any further compromise of your company’s information. In order to do so, we recommend taking the following actions to secure your operations.
Assemble a team of experts. This could include independent forensic investigators to determine the source and scope of the breach and legal counsel with expertise in privacy and data security.
Secure physical areas. Take steps like locking compromised areas and changing access codes.
Stop additional data loss. Take affected equipment offline immediately, but don’t turn the machines off until the forensic experts arrive. If possible, put clean machines online in place of affected ones. Also, update credentials and passwords of authorized users.
Remove improperly posted information. If the breach involved anything improper posted on your website, remove it. Contact search engines to ensure that they do not archive personal information posted in error. Also, search for your company’s exposed data and contact any websites that have saved a copy of it and request its removal.
Interview people who discovered the breach. Talk to anyone else who may know about it.
Do not destroy any forensic evidence. Keep all evidence from your investigation or remediation.
Post-Data Breach Step No. 2: Fix Vulnerabilities
It’s necessary to have a long-term plan when it comes to preventing another data crisis. Take a look at all areas of your business and determine where there are vulnerabilities that could lead to further breaches.
Think about service providers. If service providers were involved, examine if they need the access that they currently have. Also, make sure they are taking the steps they need to prevent another breach.
Check your network segmentation. Analyze how effective your segmentation plan was and whether you need to make any changes.
Work with your forensic experts. Your forensic experts will help you review and analyze data and determine issues such as whether encryption was enabled, who had access to certain data, what types of information were compromised and the number of people affected. Use the forensic reports and take the recommended remedial measures as soon as possible.
Have a communications plan. Create a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners and other stakeholders. Don’t make misleading statements about the breach, withhold key details that might help people protect themselves and their information or publicly share information that might put them at further risk. Be sure to put clear answers to the most important questions in an easy-to-find spot on your website.
Post-Data Breach Step No. 3: Notify Appropriate Parties
Following a data breach, it’s imperative that your company maintains good communication with the constituents whose information may have been compromised, as well as with appropriate outside groups and law enforcement. Know which parties you are responsible for communicating with and the laws surrounding these notifications.
Determine your legal requirements. Ohio Revised Code Section 1349.19 requires expeditious notification of security breaches involving computerized personal information data that could reasonably put a person at risk of identity theft or fraud. Check other state and federal laws or regulations for any requirements that are specific to your business or the types of information compromised.
Notify law enforcement. Call your local police department immediately to report the situation and the potential risk for identity theft, and you can also contact your local FBI or U.S. Secret Service office for more assistance. For incidents involving mail theft, contact the U.S. Postal Inspection Service.
Determine if the breach involved electronic health information. If so, check if you’re covered by the Health Breach Notification Rule. If you are, you must notify the FTC and in some cases, the media. Also, check if you’re covered by the HIPAA Breach Notification Rule. If so, you must notify the Secretary of the U.S. Department of Health and Human Services (HHS) and in some cases, the media. HHS’s Breach Notification Rule explains who you must notify, and when.
Notify affected businesses. If account access information, like credit card or bank account numbers, has been stolen, but you don’t maintain the accounts, notify the institution that does. If you collect or store personal information on behalf of other businesses, notify them of the data breach. If names and Social Security numbers have been stolen, contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts and credit freezes for their files.
Notify individuals. Quickly notify individuals that their personal information has been compromised so they can take steps to reduce the chance that their information will be misused. In deciding who to notify, and how, consider state laws, the nature of the compromise, the type of information taken, the likelihood of misuse and the potential damage if the information is misused. For example, Ohio law specifies that if disclosure is required, written and telephonic notice are always permitted, but other methods of communication may also be permitted under certain circumstances. When notifying individuals, the FTC recommends you:
• Consult with your law enforcement contact about the timing of the notification so it doesn’t impede the investigation;
• Designate a point person within your organization for releasing information. Consider using letters, websites, and toll-free numbers to communicate with potentially affected persons. If you don’t have contact information for all of the affected individuals, you can use press releases or other news media notification; and
• Consider offering at least one year of free credit monitoring or other support, like identity theft protection or identity restoration services, particularly if financial information or Social Security numbers were exposed.
Ohio law does not prescribe what information must, or must not, be provided in your breach notice, but other state laws may. In general, unless your state law says otherwise, you’ll want to do the following things.
• Clearly describe what you know about the compromise, including: how it happened; what information was taken; how the information has been used (if you know); what actions you have taken to remedy the situation; what actions you are taking to protect individuals, such as offering free credit monitoring services; and how to reach the relevant contacts in your organization.
• Tell people what steps they can take, given the type of information exposed, and provide relevant contact information. For example, people whose Social Security numbers have been stolen should contact the credit bureaus and the IRS Identity Protection Specialized Unit at 1-800-908-4490. See IdentityTheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of information that was exposed. Consider adding this information as an attachment to your breach notification letter.
• Include current information about how to recover from identity theft. Refer people to IdentityTheft.gov for a list of steps.
• Consider providing information about the law enforcement agency working on the case, if the agency thinks it would be helpful.
• Encourage people who discover that their information has been misused to file a complaint with the FTC, using IdentityTheft.gov. This information is entered into the Consumer Sentinel Network, a secure, online database.
• Describe how you’ll contact people affected by the breach in the future. For example, if they know that you will only contact them by mail and won’t ever call them, this information may help victims avoid phishing scams tied to the breach. Consider telling them that you will post the latest information on your website.
Consult with your law enforcement contact about what information to include so your notice doesn’t hamper the investigation.
The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357).