A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to sensitive, personal, or protected information. A data breach is followed by a data breach response, which consists of several steps. The most important among them is compliance with Federal, State, and International data breach regulations.
Part I of this blog covered “What not to do after a data breach incident”, and Part II covers the key steps organizations must take immediately after a breach.
Security breach notification laws, or data breach notification laws, require an organization affected by a data breach to notify the impacted parties about the breach and to take specific steps to remedy the situation as prescribed by the applicable state legislature. Federal, State, and International laws contain provisions for breach notification and the timelines within which it must occur. Failing to comply can result in heavy fines and penalties and an investigation by the legal authorities.
It is necessary for an organization to have a Breach Notification Policy and Procedures in place to manage the breach response process. The costs associated with breaches are very high, and small to medium-sized organizations may even go bankrupt in the process.
The Federal Trade Commission (FTC) and PC Business have published useful guidance and articles on the subject. Best-practice guidance lists the following steps organizations should follow after a breach, although opinions differ on which step should come first.
- Notify Appropriate Parties or Communication with affected individuals, employees, third parties, law enforcement authorities, etc.
- Secure Your Operations (stop additional data loss)
- Fix Vulnerabilities (have a plan in place; do not overreact or make irrational decisions)
- Implement and Enforce Policies
Notify Appropriate Parties or Communication with Affected Individuals
The most important things to remember when being proactive about notifying the public of a breach are:
- Do not issue wild statements or announcements,
- Be accurate and honest when addressing the public,
- Educate employees on what to do or say if they are asked about the breach,
- Do not label or describe the breach as a terrorist act, a highly sophisticated attack, “massive”, etc. without proper knowledge,
- Communicate frequently with customers, vendors, and employees,
- Communicate what the organization did to assess and remedy the situation,
- Communicate the actions taken and planned to ensure no similar attacks occur in the future, and
- Communicate with employees about the breach event, the actions taken, and the plans on a regular basis throughout the breach management process.
Notification to Law Enforcement
The U.S. state breach notification laws generally define a security breach as an incident involving the ‘unauthorized acquisition of’, ‘access to’, or ‘a reasonable belief of unauthorized acquisition of’ electronic data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the business.
All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached. GDPR, GLBA, HITECH, HIPAA, CCPA and various other laws have sector-specific breach notification requirements.
Part III will discuss the next best practice in breach management, “Secure Your Operations”. The steps you should take after a data breach often depend on the category of the breached organization, the industry it belongs to, and the type of information exposed. Part IV on the subject discusses the breach notification steps to be taken for the different types of data breaches listed below:
- Healthcare data breach
- Financial data breach
- Government data breach
- Education data breach
- Entertainment data breach
- Other industries