Co-Authored by Craig Taylor
In an ever-changing online world, data breaches continue to increase in frequency and impact. Cybersecurity threats come in various forms, including social engineering, credential theft, phishing attacks, and even web application attacks. If your organization experiences a cybersecurity incident, our Cybersecurity Incident Guide will help walk you through the steps you need to take to respond to the incident.
This article assumes you have confirmed a significant data breach has occurred, and that you have engaged with law enforcement because of evidence showing significant data compromise. Given such a scenario, CyberHoot will go into the proper post-breach notification processes. Following this guide helps companies work through a cybersecurity incident’s notification processes efficiently, legally, and effectively.
When your business experiences a data breach, you should notify law enforcement first. If they get involved because of the size or scope of a breach, they will dictate some of the timing and restrictions on the notification you can make to affected businesses and individuals. Always follow law enforcement requirements during an active investigation.
Secondly, you should determine your legal requirements. All states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving Non-Public Personal Information (NPPI). In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply to your situation. Check specific state and federal laws or regulations for any specific requirements for your business.
Engaging a lawyer in your breach response provides important attorney-client privileges that can protect you from harm. The sooner a lawyer participates in the investigation, evidence collection, and discussions surrounding a potential breach, the better your narrative on the breach will be. The balance here is that you also need to protect the businesses and individuals impacted by the breach. You do not want to hide behind attorney-client privilege, as that is wrong. However, you do want to control the narrative around what happened, when, why, and how, to protect both your business and those exposed from additional harm. A lawyer can provide important guidance and protection in doing that.
Your state breach notification laws generally tell you what information you must, or must not, provide in your breach notice. In general, unless your state law says otherwise, you’ll want to clearly describe what you know about the compromise by including:
If the breach involved more than 500 electronic personal health records, then you are obligated under the Health Breach Notification Rule to notify the Department of Health and Human Services (DHHS). You may also have to notify the FTC and, in some cases, the media. Before you engage with the media on a major newsworthy breach, you will want to consult a public relations firm.
Depending upon what data was exposed or stolen, you may have specific obligations to notify your clients. Some Master Service Agreements (MSAs) require breach notification within a specific time frame, so the clock may be ticking on your contractual obligation to notify certain parties. If HIPAA-covered data or Non-Public Personal Information was breached, there are legislative reporting requirements as well. Consult your privacy expert, HIPAA expert, legal team, and contract teams to ensure you meet the compliance and contractual obligations at this point.
It’s important to tell people what steps they can take, given the type of information exposed, and to provide relevant contact information. For example, people whose Social Security numbers have been stolen should contact the credit bureaus to ask that fraud alerts or credit freezes be placed on their credit reports. See IdentityTheft.gov for further guidance.
The best time to prepare your breach notification response processes is before a breach happens. A solid Cybersecurity Incident Management Process (CIMP), if it is already in place, can also help you identify, contain, eradicate, and limit the damage from a breach more quickly.
Next, be sure to practice both the incident management and breach notification processes. Having your team assembled to review all five steps of a security incident is critical to long-term success. Then you’ll be able to move effectively through Identification, Containment, Eradication, Recovery, and Revision.
Don’t skimp on lessons learned either. Following any incident, you have valuable information at the ready that you can learn from. Following these measures and steps can help ensure the long-term viability of your company.