How to Respond to a Data Breach
Here are three do's and two don'ts for responding to a data breach.
No one is immune to major data breaches these days -- from major retailers and tech firms to lesser-known businesses and even government entities. It has been shown that a series of recent high-profile hacks are related to a single group's crime spree. If your organization lacks a data breach response plan, it is time -- no, it is past time -- to get one.
Below is a list of some do's -- and don'ts -- for your organization to follow if you are the victim of a data breach.
Do Get a Security Audit
If you suspect your organization has suffered a data breach, your first step is to determine the damage. You need to confirm -- and understand -- what happened, how it happened and why it happened.
Alia Luria, an associate attorney with Miami-based law firm Akerman LLP, urges data breach sufferers to "get an audit by a security firm to conclusively establish the extent of the breach, where it occurred (i.e., on your system, in transit between your system and another system, or through an access code provided to a customer or vendor) and a list of users impacted."
Extensive log reviews are a must. Most enterprise systems log all network activity. These logs can give administrators important clues when it comes to investigating a data breach. The slightest deviation from ordinary system usage detected in system logs can provide the clever administrator with a roadmap of the who, what, when, where, why and how of a system intrusion.
"It's impossible to overstate the importance of logging," say Vassilis Prevelakis and Diomidis Spinellis for IEEE Spectrum. Prevelakis and Spinellis offer the example of the "Cuckoo's Egg" hacker, a 1986 case in which a single network administrator's careful review of thousands of pages of logs was instrumental in catching a German programmer who stole and sold U.S. nuclear secrets to the Soviets. Log reviews also helped uncover an extensive hack of Vodafone's system some seven-plus years ago that compromised the phone conversations of high-level government officials in Athens.
Don't Let It Happen Again
Luria suggests that you associate yourself with an independent security firm before a breach ever takes place. "Keep an emergency contact list. Don't wait until a breach has happened to build a relationship with an audit group and legal counsel." A proactive approach is key to data security, Luria says.
"Forming a privacy task force before a breach makes response quicker. Compose it of technical [staff] plus decision-makers and compliance folks. Meet at least quarterly and implement a response policy," she advises. "Train your employees to recognize potential breach issues as well, such as lost laptops or hacking incidents, and make sure there is a security officer they can report to."
Do Document Everything
Luria recommends that data-breached organizations document each of their steps to remediation, including:
- Date(s) of the breach
- How the breach was detected, and who detected it
- Dates counsel was notified
- Dates security audits were ordered
- Due dates under law for required notifications
- Actual dates of notifications
- All other steps taken after the breach was detected to remediate the breach
One can be judicious about this. "You might not need a separate set of full-scale documentation for every time an employee loses their iPhone," Luria points out. "But if there is a penetration to the network or a large-scale theft of equipment or other significant breach, documentation becomes more important."
Still, documenting these items is important for creating a paper trail demonstrating that you've done your best to do what you're supposed to have done. This is especially useful in case of a government investigation down the line – or, worse, if legal action gets taken against you.
Don't Cover It Up
Target's recent data breach -- affecting over 100 million credit cards in a less than a two-and-a-half-week period of time -- was bad enough. Making matters worse for the retail giant from a customer relations standpoint was the fact that it took far too long for the company to tell anyone about it -- if not legally, then at least in the court of public opinion. Now, the company's public approval has plummeted because of its response to the breach, making Target the villain in its own fable.
Besides considerations of customer relationship management, notice to data breach victims, affected users and/or government agencies (depending upon the situation and implicated laws) -- especially in the case of a breach of personally identifiable information -- is usually legally required in cases of data breach. "The notification must be in compliance with the state of residence of the affected person," notes Luria. "[My] primary advice is to make sure you hit deadlines for notification and involve legal counsel and an auditor if needed."
Do Consult with Data Privacy Counsel
Data privacy law, especially when it comes to data breaches, can be quite complex. In addition to multiple federal rubrics, 46 states, the District of Columbia, and three U.S. territories each have enacted their own data privacy and data breach notification laws -- all different, and all with different definitions of key terms. While certain general rules commonly apply, what satisfies data breach remediation requirements in one state may not satisfy remediation requirements in another.
Additional areas of state law may apply, depending upon the situation, including consumer protection laws, contract law, negligence and even product liability. For instance, according to Luria, if your data encryption was not sufficiently protected, "[t]he FTC would likely investigate whether your treatment of the data was reasonable."
Furthermore, you could be on the hook for a third party's expenses if your data breach impacts their users. Thus, it is imperative that you rely on the advice and guidance of a qualified data privacy attorney if you suffer a data breach.