3 Stages, 14 Steps for an Effective Response to Privacy Breaches
Despite your best efforts to secure your data, you just discovered that your security defenses have been compromised. You’ve experienced a data breach. No security strategy is 100% foolproof. If it were, there would be no burglaries, shoplifting, car theft…
What’s important is what you do next. How do you limit any damage that the data breach might cause? Who should you contact about the breach?
The Federal Trade Commission (FTC) has produced a guide to data breach response best practices, specifically for businesses. Here’s a summary of the guide, to help you should the need occur.
Key steps for organizations responding to privacy breaches
A data breach could occur because of inside players (employee data theft is one of the top 10 data protection risks), external hackers, or because of inadequate software and hardware, among other risks. Whatever the cause, you should implement the following response path.
Stage #1: Secure your systems
Swift action is necessary to fix the breach before it evolves into much worse:
Step #1: Locate the source of the breach
Was the breach caused by human error, inadequate security defenses, or a malicious attack? Knowing where the breach occurred is the first step to securing your systems from further attack and responding appropriately to what has happened.
You should then secure physical areas that may be related to the breach, restricting access to them, and only resume operations when it is reasonable to do so.
Step #2: Assemble an expert team for a comprehensive breach response
The size of the team needed will depend upon the severity of the breach, but should include:
A data forensics team to help determine the scope of the breach, collect and analyze evidence, and produce a list of steps required to remediate the breach.
A legal counsel, who will advise on the legal aspects of the data breach, and what your responsibilities are regarding these.
You may also need to add IT specialists, members from your operations, HR, investor relations, and senior management.
Step #3: Conduct and document interviews with those who discovered the breach
It’s crucial to understand how the breach occurred, and knowing how it was discovered is key to this. Whether these are internal or external, be available to interview them as soon as possible – and document your findings.
Step #4: Never destroy evidence
Keep every shred of evidence. If you destroy any evidence, at best it will hamper your response. At worst, it could be viewed as a deliberate attempt to hide non-compliance issues from regulatory bodies.
Step #5: Gather threat intelligence to better understand how the system was compromised
Threat intelligence is the knowledge you need to make informed decisions about your response to the data breach and should be conducted by an external data security specialist.
Stage #2: Fix vulnerabilities
Working with your forensics team, you’ll need to learn about the vulnerabilities that allowed the breach event to occur. You should analyze all your data (including backups), review access logs, and verify what information has been compromised and who has been affected. During this process, you should:
Step #6: Consider service providers when evaluating potential vulnerabilities
Were any of your service providers involved in the breach? Third-party risks should always be considered. Therefore, look at the data to which they have access, review their access privileges – and verify that their systems are secure.
Step #7: Analyze your network segmentation plan
It’s probable that your network was segmented to prevent a breach between servers or internal networks. But over time, these segmentations can become blurred. Therefore, you should assess whether your existing segmentation has contained the data breach – and make immediate changes if needed.
Stage #3: Notify stakeholders
It is necessary to contain the breach, but you should not be tempted to keep it from those who may be affected. Communication of the breach will help to protect all those potentially affected, and protect your reputation. It will also give opportunities for connected parties to take steps to ensure they are protected against any ill effects of your data breach, as well as highlighting if they have some responsibility in it.
Step #8: Determine your legal requirements
Your legal counsel should make you aware of your obligations under federal, state, and, if necessary, international laws. Specific notification obligations are likely to be affected according to the severity of the breach and the information that has been accessed.
Step #9: Report to law enforcement
Report the breach to the Information Commissioner’s Office or other regulatory authority. Breaches must be reported within 72 hours in compliance with the GDPR.
Step #10: Have a communication plan
With an understanding of your legal requirements and the appropriate law enforcement authorities informed, work fast to detail a communication plan. You’ll need to plan how you detail the breach, and how you communicate it to affected parties that including:
Step #11: Anticipate questions that people will ask
As you develop your communication plan and what must be communicated, you should anticipate the questions that you may be asked by affected parties. This will help you to include all necessary details in your communication and prepare your communications team for responses and queries they may receive. Consulting with an experienced, external data security team can help with this process.
Step #12: Contact the major credit bureaus
If the breach has compromised personal financial details, such as social security numbers, you should contact all major credit agencies. You’ll need to let them know if you are advising that affected people should request fraud alerts or credit freezes.
Step #13: Inform affected businesses
You should inform all affected businesses, notifying them of the breach and of the data that has been compromised. This notification should also include all businesses that maintain accounts on which the data you hold has been accessed.
Step #14: Inform affected individuals
The faster you get to this step, the greater the capability for individuals to take the steps they need to protect themselves against misuse of personal information. This is also crucial to protect your business against potential class-action lawsuits.
To decide who you must notify, you should consider:
The nature of the data breach, and the information that has been compromised
The likelihood that the information could be misused, and the potential damage if it is
The federal and state laws applicable to the data breach
You’ll need to declare:
What happened and how
How compromised information has been (or may be) used
What steps you have taken to remedy the breach and protect against further breaches
How to contact your business to discuss the issue
It’s good practice to appoint a point of contact to coordinate and release information about the breach, your response, and what individuals should do – and to make an offer of free identity theft support or credit monitoring for 12 months.
Where can you get more information about data breach response best practices?
You can obtain more information about how to respond to a data breach by contacting the FTC at 1-877-ID-THEFT (877-438-4338).
Alternatively, we would be happy to share our expertise with you, and help you develop a unique and personalized data response plan that is fully compliant and will help to protect your business, your vendors, and your customers from the damaging consequences of security breaches now and in the future.
For more information, contact Millennium Tech today.