[BreachExchange] 8 steps to take if your company gets hacked
Destry Winant
destry at riskbasedsecurity.com
Fri Dec 7 09:36:05 EST 2018
https://neworleanscitybusiness.com/blog/2018/12/06/8-steps-to-take-if-your-company-gets-hacked/
Over half of U.S. companies will be hacked this year. The best way to
deal with hacking is to take actions to deter and manage it. That
means putting together a team led by management, the chief information
security officer, the IT officer, the head of security, public
relations advisers and outside counsel. This team can forge an
information security plan, including establishing a group to respond
to data security problems and developing and executing procedures to
respond to a data breach.
Here are eight steps to take if your company gets hacked:
Recognize that immediate action makes a difference. You need to have
the team and a response plan in place prior to any hacking incident.
This involves making certain that communications made regarding key
decisions are made subject to the attorney-client privilege, which
means operating through outside counsel. Prior preparation will not
only allow you to respond quicker, but also in a more efficient and
less costly manner.
Train employees so they know their responsibility if a breach occurs.
Breaches may not be discovered immediately. You must train employees
to recognize a breach, to whom to report a breach and the consequences
of not doing so promptly and properly. That requires setting up a
clear procedure for reporting.
Train employees differently based on what they need to know. Not
everyone needs to know everything when a breach occurs. Most have to
secure their own password and secure how they send emails or other
messages to avoid hackers, but not everyone needs to be aware of all
the details of a data breach response plan. Decide what they need to
know and make sure they are trained to take the action they are
required to take.
Train employees to employ the right language in communications.
Depending on the industry, terms like “security” and “breach” may have
a legally defined meaning. Communications that assert a “security
breach” has taken place may come back to haunt you in a legal
proceeding. Qualify the language. For example, talking about a
“potential” breach may have different consequences than declaring that
a breach has occurred.
Contain the damage. Take action to stop more data from being stolen or
damaged. Specific actions depend on your information security plan.
Consult with your IT team on taking the proper steps in the context of
how you have been hacked. Generally, you want to isolate infected
computers, networks, or systems and avoid taking steps that wipe out
forensic data and jeopardize actions to determine the identity of the
attacker, the type of attack and the route into your systems and
networks the attackers exploited.
Separate operational issues from legal issues. To minimize legal
exposure, It is important to make as many things possible subject to
the attorney-client privilege to minimize legal exposure. This need
should be managed and balanced with the reality of operational
necessities.
Document your response actions. Regulators want to know whether
companies they examine have exercised due diligence (reasonable and
adequate steps) to protect data and information. You need to show them
that you understood the problem from the outset, including
anticipating the possibility of a breach, and had put procedures and
processes in place to manage the problem and mitigate the risk and
damage. Regulators will not take your word for it. Show them what you
did.
Stay on top of notice requirements. You may have to notify persons in
all 50 states. Each state has its own breach notification rules.
Consult ahead of time with counsel to understand who you have to
notify of a breach and the timing and content of the notice, including
disclosures on the means and manner of the breach. Make certain you
comply with notice provisions in contracts with third parties.
Sometimes third party vendors promise to handle notification, which
can be risky. You need to stay ahead of the curve and ensure that
notification is properly dealt with.
Taking these steps can save you not only millions of dollars, but also
lost time, damage to reputation, interruption of business operations
and unwanted legal exposure to fines, penalties, attorney fees and
other avoidable headaches.
The key is to work with management, relevant company officials and
counsel on the front end so that if a breach occurs (and recognize
that a breach is likely to occur), you can manage the problem and
minimize the legal exposure and damage.
More information about the BreachExchange
mailing list