[BreachExchange] Dealing with a data breach
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Apr 28 15:34:42 EDT 2017
http://www.nhbr.com/April-28-2017/Dealing-with-a-data-breach/
Most people loathe the annual ritual of filing a tax return. Compounding
that unpleasantness, a number of filers attempting to file a tax return
only are notified by the Internal Revenue Service that someone else has
already filed a return on their behalf and collected the tax refund.
We have fielded several calls from employers who have had multiple
employees report that they were unable to file their tax returns because
someone had stolen their identity. Here are steps commonly undertaken when
a group of employees makes such a report.
Investigate for a breach
The first step is to conduct an internal investigation to determine if the
company is the source of the data leak. Information technology
professionals examine logs searching for malicious patterns. Circumstances
might warrant hiring an outside security consultant to conduct this review.
If there is evidence that the employer’s systems were hacked, the key
questions to answer include:
• How was the system hacked?
• What changes are necessary to stop the attack?
• When did the attack occur?
• How much data was exposed or taken?
• What categories of data (names, address, email address, account numbers,
social security numbers, credit card information, private health
information) were taken?
• How many employees are at risk of identity theft?
Notify law enforcement
It is a good idea to notify the U.S. Secret Service, because that agency
might be able to determine if this particular hack fits into a larger
pattern. Companies should also consider notifying local law enforcement to
file a police report, as this might provide some assistance to employees
who later discover they are victims. Some credit monitoring service
providers offer discounts if a police report has been filed.
File an insurance claim
Companies should also call their insurance company to determine if they
have cyber insurance. The products vary, but they often provide coverage
for, among other things: legal and other costs associated with sending
notices to affected individuals; costs of providing credit monitoring for
employees; and defense and indemnification for liability.
Send the required notices
Almost every state has passed a statute requiring those with knowledge of a
data breach to provide notice to the affected individuals. Unfortunately,
these statutes are not uniform.
Some states’ statutes do not specify the content of the notices, but merely
mandate that notices are sent. Other states’ statutes require several key
pieces of information appear in the notice.
Because of the differences in statutory requirements, it is important to
quickly develop a list of the states in which the affected individuals
reside. Then, notices need to be drafted to meet the specific requirements
of those states. Because most of the statutes include civil or criminal
penalties for noncompliance, some care is required to ensure that the
notices contain all the required information.
A handful of states, including New Hampshire, require that a separate
notice be sent to a public official, frequently that state’s attorney
general. In addition, some states mandate that companies provide notice
directly to the credit bureaus, if there is a significant number of
affected individuals in those states (a common threshold is 500 individuals
in that state).
If law enforcement undertakes an investigation of the data breach, they
might request that the company delay sending notice to the affected
individuals, because public dissemination might hamper the investigation.
Companies should get this request from law enforcement in writing. When the
notices are sent to the affected individuals, it is recommended to state
explicitly that notice was delayed at the request of law enforcement.
It is also prudent to create a record that the notices were received. Some
statutes permit transmission of the notices by electronic means. If email
is used, the company should obtain a read receipt and maintain a record
that each message was read. If traditional mail is used, it is wise to use
registered or certified mail to obtain proof of delivery. Cyber insurance
often covers these expenses.
Although this article framed the tasks in terms of dealing with a breach of
employees’ information, the same concept applies if customers’ financial
data is stolen. Companies are advised to develop a written response plan
even if they have not yet been subject of an attack. Employers should also
investigate cyber insurance just as they consider general liability
insurance, because the benefits of coverage can be substantial.
Finally, all companies should examine their own security protocols and
undertake reasonable measures to protect their information, including
training their employees to prevent against future hacks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170428/a05a9bf1/attachment.html>
More information about the BreachExchange
mailing list