The best time to figure out what you should do if you have a data breach (also commonly referred to as a security breach) is long before it ever occurs. Ideally, you will have a breach response plan or breach incident plan in place and can simply follow the steps listed.
However, we understand that most small and medium businesses do not have such a plan in place. Not to worry! Here are the necessary steps you should be taking if you end up saying, “Help, I’ve been hacked!”
First and foremost, stop the breach from continuing. Depending on which systems are compromised, this can mean taking computers off the network or changing the passwords of the accounts the attacker used. Whatever it takes, it is vital to keep the bad guys from doing further damage. To stop the breach entirely, you also need to identify every compromised system and make sure they are all accounted for; an attacker who got into one machine has often moved on to others using the same credentials. Thoroughly assess your systems, top to bottom, to make sure you have found all those affected. You don’t want to go to all the effort of cleaning everything up only to discover that you missed something, and it happens again. It is equally important that your IT department or external IT provider preserve as much evidence as possible while stopping the breach: isolate machines from the network rather than powering them off, wiping them, or rebuilding them, because the logs and the contents of memory are what the investigation will depend on. You will need this evidence later.
Hopefully, you have a cyber liability policy. If so, call your agent to let them know that you’ve had a breach and will need to use the policy. Many policies dictate which lawyers to use and which forensics companies to call, so make that call before engaging anyone on your own. If you don’t have a cyber liability policy, you definitely need to call your lawyer. All 50 states now have data breach notification laws, and the requirements differ by state and by the type of data involved, so you need to determine which reporting obligations apply to you. Even if you have a cyber policy, it’s a good idea to call your lawyer to inform them of the situation and that you are talking to your insurer to determine legal representation. For a related post about data theft, this one about cyber liability insurance, see “Who Pays for Your Data Breach?”
Next, you must investigate the cause and extent of the breach. This is where the evidence preserved in step 1 becomes important. We strongly recommend having an outside firm conduct this investigation, separate from the IT company that manages your systems if you outsource those services. The people who were responsible for securing the systems should not be the only ones judging how they were breached, and an independent report is far more credible to regulators, insurers, and anyone whose data was affected. In this step, you must determine which systems were affected and what data was compromised. You need to know whose data and what type of data, such as your employees’ driver’s license numbers, was exposed, because that determines whom you must notify in the next step.
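As an added example (not part of the original post, and not Sawyer Solutions’ tooling), here is how the “make sure every affected system is accounted for” task from the first step and the “which systems and which accounts” question from this step are approached in practice: start from the one indicator you know, such as the attacker’s address, and pivot through the login records to find every host and account it reaches, including accounts that logged in to an already-compromised machine afterwards and may have had their credentials captured. The host inventory, the attacker address 203.0.113.7 (from the TEST-NET-3 documentation range), and the log lines are all constructed for this illustration and use a simplified format rather than any real syslog layout.

```python
"""Scoping a breach by pivoting on indicators across login records.

Added example, not code from the original post. The inventory, the attacker
address and the log lines below are constructed; the log format is a
simplified "<host> <ISO timestamp> <event> key=value ..." record.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory: hostname -> its address on the internal network.
INVENTORY = {
    "fileserver": "10.0.5.21",
    "hr-db": "10.0.5.40",
    "payroll": "10.0.5.60",
    "workstation-12": "10.0.9.9",
}

# The only indicator known when the investigation starts (constructed).
KNOWN_BAD_SOURCES = {"203.0.113.7"}

# Constructed log lines; the comments say what each one represents.
SAMPLE_LOGS = [
    "fileserver 2024-02-28T17:45:00 sshd_accept user=jsmith src=10.0.9.9",     # legitimate login, the day before
    "fileserver 2024-03-01T02:14:05 sshd_accept user=jsmith src=203.0.113.7",  # attacker's first foothold
    "fileserver 2024-03-01T02:15:40 sudo user=jsmith cmd=/usr/bin/tar",        # not a login; ignored by the parser
    "hr-db 2024-03-01T02:31:12 sshd_accept user=jsmith src=10.0.5.21",         # lateral move from fileserver
    "hr-db 2024-03-01T02:33:02 sshd_accept user=svc_backup src=10.0.5.21",     # second account used from fileserver
    "payroll 2024-03-01T03:02:50 sshd_accept user=svc_backup src=10.0.5.40",   # hop from hr-db to payroll
    "workstation-12 2024-03-01T09:00:01 sshd_accept user=alee src=10.0.9.50",  # unrelated user, unrelated source
    "fileserver 2024-03-01T09:30:00 sshd_accept user=alee src=10.0.9.9",       # clean source, but onto a compromised host
]

LOGIN_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\S+) sshd_accept user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Login:
    host: str
    ts: datetime
    user: str
    src: str


def parse_logins(lines):
    """Keep only successful-login records, ordered by time."""
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins.append(Login(m["host"], datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return sorted(logins, key=lambda l: l.ts)


def scope_incident(logins, inventory, bad_sources):
    """Expand from the known indicator to every host and account it reaches.

    A login counts as attacker activity if it came from a known-bad address,
    from a host already marked compromised (at or after its compromise time),
    or used an account already marked compromised (at or after the time it
    was first abused). Each match marks the destination host and the account,
    and the loop repeats until nothing new appears, so multi-hop lateral
    movement is followed to its end instead of stopping at the first machine.
    Returns (hosts, accounts, exposed): hosts and accounts map to the earliest
    time they are believed compromised; exposed holds accounts that logged in
    to a compromised host after its compromise and so may have had their
    credentials captured even though the login itself looked normal.
    """
    ip_to_host = {ip: host for host, ip in inventory.items()}
    hosts, accounts = {}, {}
    changed = True
    while changed:
        changed = False
        for ev in logins:
            src_host = ip_to_host.get(ev.src)
            attacker = (
                ev.src in bad_sources
                or (src_host in hosts and ev.ts >= hosts[src_host])
                or (ev.user in accounts and ev.ts >= accounts[ev.user])
            )
            if not attacker:
                continue
            if ev.host not in hosts or ev.ts < hosts[ev.host]:
                hosts[ev.host] = ev.ts
                changed = True
            if ev.user not in accounts or ev.ts < accounts[ev.user]:
                accounts[ev.user] = ev.ts
                changed = True
    exposed = {
        ev.user for ev in logins
        if ev.host in hosts and ev.ts >= hosts[ev.host] and ev.user not in accounts
    }
    return hosts, accounts, exposed


def scope_sample():
    """Run the scoping over the constructed sample data."""
    return scope_incident(parse_logins(SAMPLE_LOGS), INVENTORY, KNOWN_BAD_SOURCES)


if __name__ == "__main__":
    hosts, accounts, exposed = scope_sample()
    print("Compromised hosts:          ", sorted(hosts))
    print("Compromised accounts:       ", sorted(accounts))
    print("Also rotate credentials for:", sorted(exposed))
```

On the sample data the scoping reaches three hosts and two accounts from a single attacker address, and flags a third account whose owner did nothing wrong but logged in to a compromised server afterwards. Note what it needs as input: authentication logs from every system, not only the one where the breach was first noticed, which is one reason the evidence preserved in step 1 matters.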
Depending on what data was breached, notification may not be required, but you should rely upon legal counsel to make this determination. Your lawyers will advise you on whether you need to notify your state attorney general, federal regulators, or other agencies, as well as the individuals whose sensitive information was compromised, and by what deadline. Failing to report a breach you were required to report can land you in some serious legal trouble.
The last step is making sure all your systems are cleaned up and that you have addressed the shortcomings that let the breach happen. That means more than removing the malware you found: rebuild compromised machines from known-good media where you can, change every password and key the attacker may have obtained, and close the entry point the investigation identified, whether that was an unpatched system, a weak password, or a phishing email. Otherwise the same unsolved issues will lead to another security incident.
Hopefully, you are reading this because you are getting your incident response plan in place BEFORE you have a breach, in which case we support your proactivity. A full incident response plan includes more information than is listed here, but the steps will be the same. At Sawyer Solutions, we can help you get a response plan in place and implement reasonable security measures to help prevent a breach. If you’ve found yourself at the wrong end of a data breach, feel free to reach out to us, and we’ll connect you to the resources you need to move forward.