[BreachExchange] What to do if a hacker steals your company’s data

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 24 20:03:54 EDT 2018


When Sony Pictures and Equifax got hacked, it cost them tens of millions.
Sadly, studies indicate over half of companies can expect to be hacked.
There is no fool-proof way to stop an incident breach. So what should you
do if your company is attacked? You need to be ready on the front end, so
that you can respond when the attack occurs.

Here are eight broad action steps:

Consult your information security plan. Companies should have in place an
information security plan to identify, prevent, detect, respond and recover
from hacking attacks. This plan should outline your company’s defenses
against hackers and provide a blueprint for what to do when you are hacked.

Implement incident response procedures per your information security plan.
You need to assemble an incident breach response team before a breach
occurs. The team should include key management; your chief information
security officer (CISO); IT department heads; physical security
department head; public relations experts; and both in-house and outside
counsel. Often outside counsel lead the effort in dealing with incident
breaches to ensure compliance with governing law and to establish
attorney-client privilege for the company’s response efforts. The faster you act,
the better your chances of limiting loss, damage, and legal exposure.

Consult with legal counsel to cover all obligations. Identify your legal
and contractual obligations. Depending on what industry you are in, these
vary. Regulators often require that you notify them and affected customers
on a particular timeline. You face severe penalties for failure to comply.

Determine insurance coverage and contract providers. Meet with your
insurance broker and both in-house and outside legal counsel to determine
what coverage you have in place and who you have to notify about what.
Cyber insurance policies can vary considerably. You need to understand your
rights and obligations, including what time limits for discovering an
incident apply and how they are triggered. Policies may limit your freedom
to select your own attorney, your public relations team, and what insurance
will pay for in notifying affected customers and taking remedial steps.

Engage professional forensic investigators to work closely with your IT
team. This will enable you to help determine the scope of the breach, the
lines of attack and what data was affected. Your IT experts need to move
fast when an incident occurs. The ability to figure out how a breach
occurred lessens by the minute. You must isolate, preserve and document
compromised computer systems and networks to contain the damage.

Notify affected individuals as required by law. Notification can get
complicated because you need to have your counsel check the law of each
state in which an affected customer resides. Each state has its own law you
must comply with and states are not consistent, so be careful.
There is a key exception that can be found in some laws: You may not need
to notify if, after a reasonable investigation, you determine there is not
a reasonable likelihood of harm to a customer. If you do have to notify,
the law prescribes various methods of notification. You must notify in the
most expedient time possible and without unreasonable delay.

Engage communications and public relations personnel. They can craft
communications and public messaging, and counsel needs to review the
messaging and press releases to ensure that these comply with each state
law. Federal laws that govern the health care, financial services and other
industries may have their own requirements, including notification to
regulators. You need to coordinate closely with counsel in addressing these

Review the information security plan and identify lessons from the breach.
The information security plan should always be reviewed after the company
has been hacked. You need to make certain that your information security
plan enables you to act quickly, limit damage and provide lessons learned
from the attack that will produce a stronger security plan in the future.
Make certain – especially where ransomware is involved – that you have a
plan for resiliency so that an attacker does not shut you down. Hackers are
increasingly infiltrating computer systems and networks, injecting malware
and encrypting your data unless you pay a ransom. One of the best ways to
thwart somebody who holds you ransom is to store a duplicate set of data in
a separate, secure location so that you can shut down the system that is
being held for ransom and keep operations going by using backup duplicate
data. The threat of cyberattack cannot be eliminated. Being ready for when
one does occur can save you a great deal of money.