Post-Breach Notification Guide


Co-Authored by Craig Taylor

In an ever-changing online world, data breaches continue to increase in frequency and impact. Cybersecurity threats come in various forms, including social engineering, credential theft, phishing attacks, and even web application attacks. If your organization experiences a cybersecurity incident, our Cybersecurity Incident Guide will help walk you through the steps you need to take to respond to the incident. 

This article assumes you have confirmed a significant data breach has occurred, and that you have engaged with law enforcement because of evidence showing significant data compromise. Given such a scenario, CyberHoot will go into the proper post-breach notification processes. Following this guide helps companies work through a cybersecurity incident’s notification processes efficiently, legally, and effectively. 

Breach Notification Starting Point

When your business experiences a data breach, you should notify law enforcement first. If they get involved because of the size or scope of a breach, they will dictate some of the timing and restrictions on the notification you can make to affected businesses and individuals. Always follow law enforcement requirements during an active investigation.

Secondly, you should determine your legal requirements. All states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving Non-Public Personal Information (NPPI). In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply to your situation. Check specific state and federal laws or regulations for any specific requirements for your business.

Engaging a lawyer in your breach response provides important attorney-client privileges that can protect you from harm. During the investigation, the sooner a lawyer participates in the investigation, evidence collection, and discussions surrounding a potential breach, the better your narrative on the breach. The balance here is that you also need to protect the businesses and individuals impacted by a breach. You do not want to hide behind attorney-client privilege, as that is wrong. However, you do want to control the narrative around what happened, when, why, and how to protect your business and those exposed from additional harm. A lawyer can provide important guidance and protection in doing that.

What must be communicated in your Breach Notification

Your state breach notification laws generally tell you what information you must, or must not, provide in your breach notice. In general, unless your state law says otherwise, you’ll want to clearly describe what you know about the compromise by including:

    • How it happened.
    • What information was taken. 
    • How the thieves have used the information (if you know). 
    • What actions you have taken to remedy the situation. 
    • What actions you are taking to protect individuals, such as offering free credit monitoring services. (CyberHoot recommends freezing credit to prevent identity theft situations)
    • How to reach the relevant contacts in your organization.

Additional Considerations

If the breach involved more than 500 electronic personal health records, then you’re obligated under the Health Breach Notification Rule to notify the Department of Health and Human Services (DHHS) here. You may also have to notify the FTC and, in some cases, the media. Before you engage with the media on a major news-worthy breach, you will want to consult a public relations firm.

Depending upon what data was exposed or stolen, you may have specific obligations to notify your clients. Some Master Service Agreements (MSAs) require breach notification within a specific time frame, so the clock may be ticking on your legal obligation to notify certain parties. If HIPAA data or Non-Public Personal Information was breached, there are legislative reporting requirements here. Consult your privacy expert, HIPAA expert, legal, and contract teams to ensure you meet the compliance and contractual obligations at this point.

Helpful Information To Send Notified Parties

It’s important to tell people what steps they can take, given the type of information exposed, and provide relevant contact information. For example, people whose Social Security numbers have been stolen should contact the credit bureaus to ask that fraud alerts or credit freezes be placed on their credit reports. See IdentityTheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of personal information that was exposed. Consider adding this information as an attachment to your breach notification letter.

Information to Include
  1. Include current information about how to recover from identity theft. For a list of recovery steps, refer consumers to IdentityTheft.gov.
  2. Consider providing information about the law enforcement agency working on the case, if the law enforcement agency agrees that would help. Identity theft victims often can provide important information to law enforcement.
  3. Encourage people who discover that their information has been misused to report it to the FTC, using IdentityTheft.gov. IdentityTheft.gov will create an individualized recovery plan, based on the type of information exposed. And, each report is entered into the Consumer Sentinel Network, a secure, online database available to civil and criminal law enforcement agencies.
  4. Describe how you’ll contact consumers in the future. For example, if you’ll only contact consumers by mail, then say so. If you won’t ever call them about the breach, then let them know. This information may help victims avoid phishing scams tied to the breach, while also helping to protect your company’s reputation. Some organizations tell consumers that updates will be posted on their website. This gives consumers a place they can go at any time to see the latest information.

Breach Notification Conclusions

The best time to prepare your breach notification response processes is before a breach happens. A solid Cybersecurity Incident Handling Process (CIMP), put in place ahead of time, can help you identify, contain, eradicate, and limit the damage from a breach more quickly.

Next, be sure to practice both the incident management and breach notification processes. Having your team assembled to review all 5 steps of a security incident is critical to long-term success. Then you’ll be able to move effectively through Identification, Containment, Eradication, Recovery, and Revision.

Don’t skimp on lessons learned either. You have valuable information that you can learn from at the ready following any incident. Following these measures and steps can ensure the long-term viability of your company.
