This article was written by Megan C. Nicholls, Ronald I. Raether, Jr. AND Mark C. Mao, and originally published on the Troutman Sanders LLP Consumer Financial Services Law Monitor and is republished here with permission.
Secure your operations – This step focuses on preventing further attacks due to the same vulnerabilities.
- Mobilize your breach response team
- Engage a third-party forensics investigator, if appropriate, and legal counsel
- Secure the physical perimeter
- Take affected equipment offline, but leave the equipment turned on so your forensics investigator can evaluate the equipment effectively
- Change usernames and passwords
- Ensure your website is not displaying personal information
- Ensure other websites are not displaying the data exposed during the breach
- Interview witnesses
- Preserve evidence
Fix vulnerabilities – This step focuses on fixing the root cause of the security incident.
- If the breach involved a third-party service provider, determine if you need to change their privileges to limit the personal information they can access
- Determine if your segmentation plan was effective, possibly with the help of your forensics investigator
- Gather facts about the breach
- Create a plan to communicate about the breach to affected audiences (such as employees, consumers, and business partners)
Notify appropriate parties – This step is focused on who needs to be notified that a breach has occurred. The guide provides a model notification letter that may be used in the event of a breach.
- Determine who you are legally required to notify and when you are required to notify such individuals, governmental bodies, or businesses
- Notify your local police department
- If the breach involved electronic health information, make sure to look at the HIPAA Breach Notification Rule and the FTC’s Health Breach Notification Rule
As may be obvious, the key to an effective data breach response is adequate preparation before a breach occurs. Businesses should proactively consider having: (1) a data breach response team informed and ready to respond in case a security incident is discovered; (2) an effective communication plan to involve legal counsel as soon as possible to preserve privilege; and (3) a documented incident response plan to guide the data breach response team and legal department through the steps identified above. Additionally, businesses may find that conducting mock data breach exercises help prepare and build confidence in the individuals that will be required to act quickly and effectively when a breach occurs.
The Cyber Security, Information Governance & Privacy team at Troutman Sanders maintains a 50-state survey on data breach laws, which can be found here. Because of our team’s technical background, we are uniquely positioned to understand your business’s information technology concerns and to help you address any risks from a legal perspective. We advise businesses throughout their data security lifecycle, from developing a pragmatic incident response plan to assisting with data breach identification, response, and recovery efforts.
insideARM Editor's note: All organizations in the ARM industry should be evaluating their policies and procedures to ensure that cyber security is addressed before a breach occurs. Earlier this month, the New York State Department of Financial Services (NYDFS) issued revised proposed Cybersecurity Requirements for Financial Services companies that are Covered Entities. The regulation will be effective March 1, 2017. These requirements can certainly be used as a roadmap, regardless of whether you do business in New York.