New Perils in a Connected World – I have just been hacked! Now what do I do?

New Perils in a Connected World – by Stew Nelson

Let me start by saying that if the first time you think about what you are going to do after you have been hacked, had data stolen or lost a laptop with Private Information on it you are already in hot water!

If you are storing or transmitting Private Information, PI, such as credit card information, social security numbers, driver’s licenses and/or Protected Health Information, PHI, etc. you should just accept as a given that you will lose data at some point and you need to be prepared or be prepared to pay! Keep in mind that the laws also include paper as will as digital files and that most losses are not from sophisticated hacker attacks but by stolen lap tops and carried out the door by disgruntled or careless employees.

OK – Where should I begin?

I recommend that you familiarize yourself with the basics of all Federal Acts such as HIPAA, HITECH, Graham-Leach-Bliley, GLBA, and Federal Trade Commission (FTC) – Red Flag Rule and then pertinent state laws that cover the storage and transmission of PI or PHI. With a basic understanding of the laws you will have an idea of whether you have the energy and resources to handle a breach internally.  If you are like most of us you will need help from some outside sources.  I will list some additional resources in my next post.

To help you get started, I found excellent free information online concerning data breaches and losses in HIPAA and HITECH regulations in “The HITECH Survival Guide” from Deborah L. Leyva’s Online Store.  Debra covers the basics of the federal laws but if you want to dig deeper you will need to pay up.  The FTC and Health & Human Service Dept, HHS also have some free background information on their web sites.  For State laws it is a bit harder to find any free information but a good place to start is a list of all the URL’s for state laws found at the web site of the North American Professional Liability Insurance Agency, LLC, NAPLIA.  I have to warn you  that reading the actual law can put you easily to sleep.  Also, I do have a bit of bad news – if you do have a data loss you will need to comply with the state laws of all the home states in which your record holders are located!

“WISP”er  to me!

Next I would put together a Written Information Security Program, WISP.  What is a WISP and why should I bother?  Massachusetts was the first state to require a WISP and two other states, Maryland and Nevada followed suit and I suspect most other states will eventually follow because it is an easy way to prepare your organization for a breach.  The WISP can be as detailed or as simple as you feel you need.  The guidance for the Massachusetts WISP is available on the state web site.  Basically the WISP outlines who is in charge of data security in your organization, how you currently protect your data and what you intend to do after a breach.  You could put one together in an hour that would work or pirate one from the internet in 5 minutes.    The penalty for not having one can be up to $50,000.  So if you are ever asked if you have a WISP….the answer is yes!

Top 10 (simple) things you should do after a security breach

  1. Stop the breach.
  2. Do not announce or discuss anything until you speak to your attorney…especially the media!
  3. Call your insurance agent to report the breach.
  4. Notify local authorities, i.e. police or FBI as appropriate.
  5. Assemble all responsible parties (HR, IT, Operations, Senior Management, legal, Security, financial auditor) and appoint a Computer Incident Response Team leader, CIRT.
  6. Collect and preserve all evidence. (Technical documents, artifacts left by intruders and computer logs etc.)
  7. Determine whether you need outside help with computer forensics, damage assessment, repairs, mitigation and notification to governing states, federal agencies and/or individuals.
  8. Team decides proper steps to take to comply with all relevant laws and outline steps and procedures for prevention of a similar incident.  What is your incident response plan?
  9. Implement Response Plan. Send notification letters and offer credit monitoring if needed etc.
  10. Work with PR experts to mitigate or contain damage to your reputation.

(My list leaned heavily on material provided by McDonald Hopkins PLC.)

Even my simple list of things to do after a breach will give you and idea of how expensive this process can be and how this can damage your balance sheet.  Remember – A good insurance plan in conjunction with adequate security precautions can cost effectively protect you from even the most damaging circumstances.

I promised you a list of outside resources you can use to help prepare yourself for a serious data breach.   I will make that available in my next post and try to update it periodically.