So You Had a Security Breach – Now What Do You Do?

A great way to start the New Year is to review your company's policies and procedures for handling a security breach. The following checklist will help you get started:

  1. Document company policy, plans and procedures.
  2. Make sure the plans and procedures are fully tested well before a breach occurs so that everyone involved knows what to do.
  3. Identify who has the responsibility to determine when a security incident, or suspected security incident, is in fact a breach.

Things to Keep in Mind

There are legal requirements dictating how quickly various people and/or agencies need to be notified once a breach has been identified. Controlling who can declare that a breach has occurred well ahead of time makes it clear when that timer starts ticking.

Note that many companies may also have various contracts that specify how quickly other business associates, partners, or customers need to be notified. These often stipulate a shorter time period than regulatory requirements.

Companies should not rely on IT technologists to declare when an incident is a breach. The person or persons who make the determination should be fully aware of the regulatory and contractual implications. Ideally, legal counsel should make the determination after receiving a report, prepared by technologists and business owners, describing what information was disclosed, the cause of the disclosure, and the people impacted by the disclosure.

There will be times when a company’s own internal staff cannot fully report such information in a timely manner. In these cases, the information that is available should be presented to the decision maker as quickly as practical.

In my experience, the basic information can be gathered, presented, and a decision made in less than two business days. Most companies I have worked with have been able to complete this phase in one business day.

What to Do if There’s Been a Security Breach

Once a breach determination is made, there are several things that should be addressed in parallel. These include:

  • Determine if a computer forensics company should be engaged
  • Determine if any law enforcement agency needs to be contacted
  • Determine if the company will likely pursue prosecution
  • Determine what other evidence needs to be gathered and investigated
  • Draft and review any press release
  • Determine what should be communicated to employees and at what time. This will often include a reminder that only designated employees may speak to the press or other third parties about the incident.
  • Draft and review any notification to be sent to any other companies
  • Draft and review any notification to be sent to any impacted individuals
  • Determine if the company will pay for identity theft protection or credit security freezes. If so, determine how much will be paid.

If it has been decided that the company might need to preserve evidence, it is best to have internal staff stop investigating and gathering evidence. Instead, engage a qualified, certified forensics team.

A trained, certified team will be best prepared to preserve evidence while investigating, rather than accidentally destroying or contaminating it. A certified team should also be able to establish and preserve the chain of custody so that the evidence can be used in legal proceedings, serve as expert witnesses, and liaise with law enforcement.