What to Do After a Data Breach: Security Part III

Over the last two months we’ve written a short series of articles about data security for small and mid-sized businesses. In Part I we talked about physical security and in Part II about software security. Today we finish the series with a brief discussion of what to do when your security measures fail and a data breach actually occurs. While data breaches often make headlines, California’s recent update to the State’s data breach notification requirements makes this a particularly pertinent time to have this discussion.

What is a breach?

When most consumers hear the term ‘data breach’ discussed in the media they probably think of a database hack, but malicious entry into company servers is only one of many possible ways a company can expose sensitive data to unintended (and sometimes unknown) parties. For example, a lost USB drive, a stolen laptop or phone, a mistakenly sent email, an ill-considered social media post, and even a seemingly innocent word-of-mouth disclosure all potentially constitute a loss of important information.

In essence, a breach is any disclosure of sensitive data. Under a new California law, “data” now includes “user credentials,” meaning a username and password, or the security questions used to bypass a password.

Close the gap

After a breach, the first step is to close the hole. This means that when a security failing has allowed sensitive data to pass out of company control, the failing must be immediately remedied. This might mean changing a compromised password, firing an offending employee, or resolving a security weakness in the network firewall. Whatever the case, a forensic security analysis is often required. In addition, steps should be taken to understand how the breach occurred at the root-cause level, and practices put in place to prevent future breaches of this type.

Mitigate the damage

After a security loophole has been closed, steps should be taken to mitigate the resulting damage. For example, if a selection of user passwords was stolen or otherwise compromised, it is imperative that affected users be notified (and provided with instructions about how to proceed) and that their accounts be suspended or monitored as necessary to prevent any further unauthorized access.

The more critical the data, the more extensive this effort may need to be. If the stolen data represents only a few email addresses, setting up spam filtering or even just monitoring the accounts may be sufficient. If, however, a database containing several million customer credit card numbers, names, and addresses was hacked, the response should scale up dramatically.

Notification

One of the most complex parts of any data breach response, at least from a legal perspective, is the notification requirement. Most states, the Federal Government, and a number of private contracts explicitly require that affected parties be notified of certain breaches. Unfortunately, no central database exists to describe exactly what these notification requirements are in each situation and state laws often vary widely depending on the scope of the breach and the type of data at stake.

HIPAA & PCI

Under the Federal regulatory scheme, health and financial information breaches take top priority. Typically, breaches over a certain size must be reported directly to the overseeing agency and sometimes even to the media. In addition, notification must be given to affected consumers or other parties. An official investigation may ensue, and the agency might demand a report from the offending company detailing the response effort. Non-compliance with these regulations can lead to severe penalties and even criminal charges. For more information, please visit the HIPAA and PCI sites directly.

State Law

Many states have enacted their own notification requirements. In California, Governor Brown signed new legislation last month dramatically expanding the scope of the State’s mandatory disclosure law by redefining what constitutes a triggering breach. Under the new law, which goes into effect on January 1, 2014, any breach that includes inadvertent disclosure of user credentials must now be disclosed to affected persons. This is in addition to the previous trigger conditions, such as a loss of health or financial information.

Of note, currently the new law does not distinguish between encrypted and unencrypted information; both must be reported if breached.

Reputation Management

Along with the technical and regulatory considerations, companies that have experienced a major breach must also take their reputation into account. Today’s consumers are increasingly privacy-aware and often do not take kindly to a company that exposes them to privacy or financial harm. Every part of the response process plays into reputation management, from how quickly the breach is reported to how much information is disclosed (and how accurate or helpful that information proves).

Companies are strongly advised to prepare and maintain a breach recovery plan, one that includes media messaging, well in advance of any breach. In the disaster atmosphere of a post-breach war room, poor decisions are often made that have far-reaching financial and brand implications.

For more information

The Online Trust Alliance has prepared a handy workbook to help guide businesses through data breach preparation and management. It can be found on their website.

Editor

Kjeld Lindsted
Content Architecture, Copywriting, and Editing