Has your organization been hit by a data breach? That's a bad thing. Reading this article cannot undo the breach, but it will help you mitigate the damage as much as possible…
The correct response to a data breach is reminiscent of how you should act when you get involved in a traffic accident. So, for now, don't worry about how it happened; you can take care of that later. The most important thing to do right now is to limit the adverse consequences of the event as much as possible. In a traffic accident, you call the police and an ambulance, give first aid to the injured and set up a warning triangle to avoid further collisions. Let's look at the equivalent of those actions in the case of a data breach…
WITHIN 3 HRS
The very first thing you should do when you find out your organisation is facing a data breach, is note the present date and time. Also write down the name and contact information of the person who informed you about the breach. From that moment on, keep a document on which you write down in detail – timestamps included – all actions you perform to minimize the consequences of the data breach. Keep in mind that this document might acquit you and/or your organization – in whole or in part – in case of prosecution by the government or third parties.
If your organization has an Incident Management Team (IMT), inform the responsible contact person(s) immediately. Ideally, you should have a specific contact list at hand with all contact details, including phone numbers to reach the responsible contact persons 24/7. Also inform the management team.
Larger organisations often have an Incident Response Plan (IRP) in place for emergency situations. If your organisation's IRP includes a plan for data breaches, now is the time to put it on the table. Simply put, the IRP is supposed to act as a road map for incidents and to give guidance to the IMT.
WITHIN 12 HRS
Call in the experts
If your company has insurance that covers data breaches, you have to inform the insurance company as soon as possible. Use the same approach for your lawyer. In the best case, you have an agreement with a lawyer who specializes in this matter. If not, just call the lawyer your organization works with (internal or external).
Even though you shouldn't wait too long to inform the outside world about the data breach (more about that later on), it can in fact be equally harmful to communicate too soon. In any case, make sure that no information about the breach leaks to the outside world before the IMT is in place, the management team is informed and you have consulted your lawyer.
It's recommended to hire a specialized company to help you find and close the leak. It might seem logical to rely on your own IT people to get the job done, but detecting and stopping hacks is specialist work, and it is not part of the normal knowledge and duties of the IT staff. It's best to select a specialized company before you are confronted with a data breach, but it's not insurmountable if you didn't. The only problem is that you don't have much time to decide which company offers the best conditions when you're in the middle of a crisis.
WITHIN 24 HRS
Fix the breach
Now that all the experts are in place, it's time to start digging. Your main goal is of course to find the leak and close it. The technical details are beyond the scope of this article, but in any case, you'll want to examine error messages that appear in your systems, as well as log files. Closing the leak often involves the use of filters, altering routing or even taking (parts of) your systems offline. Also keep in mind that a data breach is often not a static thing. The intrusion might have started weeks or months before it was detected, and maybe you have only spotted one leak so far, while in fact there are several.
In any case, it’s important to get a clear view on the scope and impact of the breach. You need to know how the attackers got access to your systems and how they got the data out.
Elimity's Insights tool can prove to be very valuable here, as it can present you, in a matter of seconds, with a list of all accounts that have access to specific data. This enables you to narrow your search in case you know which data has been stolen. On the other hand, if you are aware of irregularities that are linked to one or more accounts, such as phishing attempts or a lost laptop, the tool can immediately show you what data the suspicious account has access to. The Insights tool delivers immediate results without the need for an army of consultants to help you understand the tool and its results.
Don’t forget to scan all systems for malware and disable accounts that have been compromised. Last but not least: update all passwords!
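The scoping step described above, working in both directions (from known-stolen data to the accounts that could reach it, and from a suspicious account to the data it could reach), as an added example that is not part of the original article and not Elimity's tool. The entitlement data (accounts, nested roles, data assets) is constructed and hypothetical.

```python
from collections import deque

# Constructed sample entitlement data (hypothetical, not from any real system).
# An account holds roles; a role grants nested roles and/or "asset:" data items.
ACCOUNT_ROLES = {
    "alice": {"finance-analyst"},
    "bob": {"helpdesk"},
    "carol": {"finance-admin"},
    "svc-backup": {"backup-operator"},
}
ROLE_GRANTS = {
    "finance-analyst": {"asset:payroll-report"},
    "finance-admin": {"finance-analyst", "asset:bank-accounts"},
    "helpdesk": {"asset:customer-contacts"},
    "backup-operator": {"asset:payroll-report", "asset:customer-contacts",
                        "asset:bank-accounts"},
}


def reachable_assets(account):
    """Every data asset the account can reach through (nested) roles."""
    seen, queue, assets = set(), deque(ACCOUNT_ROLES.get(account, ())), set()
    while queue:                      # breadth-first walk; 'seen' guards role cycles
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        for grant in ROLE_GRANTS.get(role, ()):
            (assets.add if grant.startswith("asset:") else queue.append)(grant)
    return assets


def accounts_with_access(asset):
    """Narrow the search: which accounts could have exfiltrated this asset?"""
    return {acct for acct in ACCOUNT_ROLES if asset in reachable_assets(acct)}


def scope_breach(stolen_assets, suspicious_accounts):
    """Accounts to examine (from stolen data) and blast radius (from suspects)."""
    candidates = set().union(*(accounts_with_access(a) for a in stolen_assets))
    blast_radius = set().union(*(reachable_assets(s) for s in suspicious_accounts))
    return candidates, blast_radius


if __name__ == "__main__":
    # Known stolen: bank account data; known irregularity: bob's lost laptop.
    examine, exposed = scope_breach({"asset:bank-accounts"}, {"bob"})
    print("accounts to examine:", sorted(examine))
    print("data reachable from suspicious accounts:", sorted(exposed))
```

The two output sets are the disable list for the compromised-account step and the list of data owners who must be told what was exposed.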
WITHIN 24 HRS
There is no fixed moment in time at which you have to inform the outside world about the breach, but you should at least wait until you have consulted the IMT, the management team, your insurance company (if applicable) and your lawyer. It can take several days or weeks before you have every last bit of information about the data breach on the table, but you obviously cannot wait that long before you spread the word.
First of all, you have to inform the customers whose data has leaked. It's crucial to keep in mind that those customers are victims of the data breach. This means they have the right to be informed as soon as possible. It also means they will expect you to take the right steps to stop the breach and, if needed, you have to set up (or hire) a call centre to answer your customers' questions.
You also have to inform the press (a press release is the right medium to do so), especially if your company is known to the general public and/or if the company is listed on a stock exchange.
WITHIN 72 HRS
Take care of legal compliance
Depending on the continent, state or country in which your organisation is situated (and/or active), certain laws regarding data breaches will apply. In the US, for instance, according to the Health Breach Notification Rule (HBNR), you have to notify the media if any health data is leaked. Furthermore, you also need to check whether you are subject to the HIPAA (Health Insurance Portability and Accountability Act) breach notification rule.
In Europe, if you face a data breach and personal data may have been stolen in the process, article 33 of the GDPR obliges you to inform the authorities as well as all individuals affected by the breach within 72 hours after the discovery of the breach. That's quite a daunting task in itself, but there's more: you also need to communicate specific information regarding the breach to the authorities, such as the likely impact and consequences of the breach and the measures to be taken by the data controller to address the breach and mitigate its adverse effects.
If you're not sure about the legal obligations your company must comply with, don't hesitate to contact your lawyer.
WITHIN 1 WEEK
Focus on your customers
As said before, customers whose personal data has been stolen are victims. And as your organisation is held responsible for guarding their data, you have to provide some sort of remedy. It's hard to say what such a remedy should look like, as it depends on different factors, such as the nature of the personal data (financial data, health data, …) that has leaked.
Anyway, it's recommended to keep your customers in mind when you make decisions following a breach. If you don't know where to get started, imagine you are one of the victims yourself. This way, you'll realise that you would first and foremost want the leak sealed. You would also want to be kept informed about developments regarding the data breach and you would probably expect an apology. And when you have questions, you want those to be answered swiftly.
The bottom line is that you should try to minimize the bad vibes caused by the data breach as much as you can. Try to restore customer confidence to prevent customers from abandoning you. The sooner you can rebuild reputation and trust, the fewer customers will leave.
It's okay not to have a solid remedy for your customers in place during the first 24 hrs after a data breach. However, you have to make sure that you communicate with your customers within this period. Think of this communication as the very first step towards regaining trust. It's also recommended to mention that you are working on a solution and that you will present this solution in the course of, for example, next week.
AFTER 2 WEEKS
Many of the actions we mentioned earlier are also – partially – aimed at restoring confidence. However, regaining trust is a long-term affair. You must therefore continue your efforts long after the initial crisis has been contained.
So, if your company makes investments in processes, people or technology to reduce the risks for future data breaches, it’s important to communicate this information to your customers, as well as to shareholders and the press.
The core message that you want to communicate is the following: “This company was hit by a data breach on (date). We apologise for any inconvenience this may have caused. The leak is closed, and we are in the process of fortifying our defence systems, in order to avoid future data leaks or similar issues. If you have any questions, please contact us on (contact details).”
AFTER 4 WEEKS
Now that your company is back in calmer waters, it’s time to invite everyone who played a role in controlling the data breach back to the table.
The thing is: however frustrating, harmful and expensive a data breach may be, it’s also an opportunity to learn. It would be a shame to let that opportunity go unused, especially since the fact that your company was hit by a data breach in no way means that it won’t happen again.
Make a detailed report of the data breach and focus on elements that could be improved.
Think of technical and organisational measures that reduce the chance of a data breach, but also make sure that you are (better) prepared in case you have to deal with a new data breach somewhere in the future. This includes setting up an Incident Management Team, making a detailed data breach roadmap, and so on.
Please also read 'How to prevent a data breach?', in which we take a close look at what you can do to lower the risk of a data breach as much as possible.