You’ve worried about it for a long time, and now it’s happened: your data (e.g. client contact info, credit card numbers, employee social security numbers) has somehow jumped the firewall. Your first instinct is to panic, but then you remember that you’ve got a plan in place to deal with this. (You do have a plan, don’t you? If not, read this post on how to do it.)
Once you’ve discovered the breach, your actions in the first day will greatly affect how effective your efforts are to contain the damage. Imagine a team of firefighters flying down the pole and leaping into their trucks. (You probably don’t have a pole, but you should have that sense of urgency.)
Start by alerting everybody on your response team, including outside resources (legal counsel, your IT provider, a forensics specialist if you have one on retainer). Isolate the affected systems so the problem can't spread, and preserve evidence: don't wipe, reboot, or "clean up" anything yet, and make sure logs from firewalls, servers, and the affected machines are retained, in case there are legal repercussions.
Disconnect the affected machines from the network and replace them with clean ones. Leave the affected machines powered on and untouched, ready for inspection by your IT team. Shutting them down or reimaging them destroys volatile evidence (memory contents, active connections, running processes) that may be the only record of how the attacker got in. Interview whoever discovered the breach, as well as anybody else who might know how it happened, while the details are fresh. Talk to your legal counsel and, if advised to do so, contact law enforcement.
With those responses launched, you can move to the next phase, in which you can more closely inspect the issues that caused the breach and begin notifying affected parties.
As you deal with the situation, be sure to document the process: who did what, when, and why, and who handled any evidence. Having a record of your response helps in a number of ways. First, it can aid your legal team in case there is litigation. In addition, it can help you improve your response plan in light of the experience you gained in the heat of the incident.
The greater effort you put into notifying affected parties, the better off you'll be. Notification is required by law in North Carolina (which also requires that the state Attorney General's office be notified), and in many other states. Your attorneys can guide you as to methods and timing. Usually, a notification must be written in language understandable to non-technical people; it must offer a phone number and web page with information for those who want to know more; and it must offer advice on how affected individuals can protect themselves, such as monitoring accounts or placing a credit freeze.
If your company is in the healthcare industry (and therefore bound by HIPAA regulations), your response to a breach is even more consequential than it is for other businesses. The rules surrounding Protected Health Information (PHI) were strengthened by the 2013 HIPAA Omnibus Rule. Under the old standard, a leak had to pose a significant risk of harm before it counted as a reportable breach; now, any impermissible disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the information was compromised. The same obligations extend to business associates that handle PHI on a provider's behalf. So having a robust plan and executing it skillfully is essential to protecting your firm from disastrous liability.
We hope you’re not reading this post in the anxiety-ridden aftermath of a breach. Our fondest wish is that you were just interested in the topic, and that in the course of reading the post you have decided that it’s time to conduct an audit of your plan, or get a plan in the first place. Of course we can help you with either of those activities, but regardless, it’s something you should really do today. We don’t like sounding like scolds, but you may someday be glad you heard us.