How to Handle a Data Breach

When a breach happens, how you proceed and the actions you take will help mitigate the impact to your bottom line. The type of information stolen generally dictates the seriousness of the entire situation.

Back everything up fresh. Treat it like a police crime scene and preserve the evidence: logfiles, configuration files, and affected data. This also lets you plug the hole before your post-mortem review.

Determine the source of the breach. Was it a bad password someone guessed, or the latest WordPress exploit that let them in? Correct the issue to stop any further loss.

Determine what the intruder touched. Assume worst case until proven otherwise. This will clue you in on the impact and help guide your response. There is a difference between losing the lunchroom schedule and losing a database full of social security numbers.

Do not assume the entry method was the only thing the intruder did. Seek out any backdoors or other goodies left by the attacker. Be prepared to lose some data by restoring to a known pre-hack backup if necessary. Back up early, and back up often!

Determine your course of action to repair the affected systems, as well as what will be done to (hopefully) prevent a recurrence of the problem. Do not put a system back online until you are confident it is clean, with no surprises. Announcing you fixed a hack only to get immediately hacked again will do you no favors.
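As an added example that is not part of the original article, here is the evidence-preservation step in Python: copy logfiles and configuration files into an evidence directory, make the copies read-only, and record a SHA-256 manifest that can be re-verified before the post-mortem. The sample log line, config contents, file names and scratch-directory layout are constructed for this illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 so multi-gigabyte logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(sources, evidence_dir):
    """Copy each source into evidence_dir read-only and record path, size and SHA-256 in MANIFEST.json."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "files": []}
    for src in map(Path, sources):
        # Flatten the absolute path so /var/log/auth.log and /app/auth.log cannot collide.
        resolved = src.resolve()
        dest = evidence_dir / resolved.relative_to(resolved.anchor).as_posix().replace("/", "__")
        shutil.copy2(src, dest)            # copy2 keeps the original timestamps
        os.chmod(dest, 0o444)              # analysis runs on the copies, never the originals
        manifest["files"].append({"original_path": str(src), "stored_as": dest.name,
                                  "size": dest.stat().st_size, "sha256": sha256_file(dest)})
    (evidence_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(evidence_dir):
    """Re-hash every preserved copy; returns the names whose hash no longer matches the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "MANIFEST.json").read_text())
    return [e["stored_as"] for e in manifest["files"]
            if sha256_file(evidence_dir / e["stored_as"]) != e["sha256"]]

def demo():
    """Run preserve/verify on constructed sample files in a scratch directory."""
    root = Path(tempfile.mkdtemp())
    (root / "auth.log").write_text("Jan 10 03:14:07 web01 sshd[4242]: Failed password for root from 203.0.113.5\n")
    (root / "app.conf").write_text("db_host = localhost\n")   # constructed sample config
    manifest = preserve([root / "auth.log", root / "app.conf"], root / "evidence")
    clean = verify(root / "evidence")                          # [] right after collection
    copy = root / "evidence" / manifest["files"][0]["stored_as"]
    os.chmod(copy, 0o644)
    copy.write_text("tampered\n")                              # simulate a later modification
    return len(manifest["files"]), clean, verify(root / "evidence")
```

Store MANIFEST.json (or at least its hashes) somewhere the compromised host cannot reach, such as a printout or an offline drive, so the manifest itself is not a target.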

Involve law enforcement. This is especially true if the compromise could result in harm to a person or business. Report what happened and the potential risk for identity theft.

Contact impacted businesses. A stolen list of credit card numbers means contacting banks. Identity information may warrant a call to the credit bureaus for additional guidance.

Inform the direct victims.

There is no need to put your company on the front page if the affected group was small or the information was not sensitive. Notifying the individuals directly via email or a company blog posting may suffice in these situations.

For larger companies with name recognition and a decent-sized customer base, your marketing team should go into overdrive on all media forms available. Dragging your feet here or trying to minimize the information released will only wind up making things worse. By getting out in front of it, you can at least control the message and provide honest, immediate service to those most affected.

Helpful links:

https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business

Publication 4600, Safeguarding Taxpayer Information: Quick Reference Guide for Business: https://www.irs.gov/pub/irs-pdf/p4600.pdf

Publication 4557, A Guide for Your Business: https://www.irs.gov/pub/irs-pdf/p4557.pdf

https://www.irs.gov/uac/taxpayer-guide-to-identity-theft

https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule