Data breaches happen daily. Are you prepared to respond if someone hacks into your company’s records? According to BreachLevelIndex.com, 4,014,175 records are lost or stolen every day, with 2,788 records stolen per minute. While data from 2016 has not been fully collected, within the first half of this past year there were 974 reported breaches. Twenty-nine of those breaches compromised over 1 million records each.
How do you even start to be prepared if this happens to you? Before your company experiences any cyber security threats, brush up on your state’s local laws to learn what you are required to disclose if a data breach does occur. All states (except Alabama, North Dakota and New Mexico) now require notification when information commonly maintained by employers, such as Social Security numbers and driver’s license numbers, is compromised.
There have been recent amendments in Illinois, Tennessee, California and Nebraska to reinforce their data breach notification statutes in 2016. For multistate employers, these state-level amendments will increase the complexity of your security incident response. The amendments have increased the number of circumstances in which employers must inform employees, customers or other state residents whose personal information has been compromised in a data breach. In some states, the attorney general must be informed as well.
Stay prepared by creating a crisis management plan, equipped with an identified task force to help you execute the plan if a situation arises. Experts from CIO magazine share five steps that will help your business stay prepared:
- Select a task force to implement your response protocol
When your company’s data has been compromised, there is no time to sit around shifting blame. Creating a predetermined response protocol is key for clear thinking and swift action in this high pressure situation. Having the right team on the job is critical.
Appoint one leader who will have overall responsibility for responding to the breach. This leader should have a direct reporting line into top level management so decisions can be made quickly. Also include representatives from all relevant areas, including IT and corporate affairs. Don’t forget to include your chief privacy officer (if applicable) and your legal department to deal with regulators and advise on potential exposure to liability.
- Identify the cause of the breach and contain it
Once a task force is identified, the next step in your data breach protocol should be to identify the cause of the breach and ensure that it is contained. Steps may include installing patches that fix the exploited software flaws and remove the malware, resetting passwords for user accounts that may have been compromised, disabling network access for computers known to be infected, and recalling or deleting information that the malware may have sent or posted.
- Assessing the extent and severity of the breach
The result of this assessment will dictate the subsequent steps of your response. A thorough assessment involves identifying who and what has been affected, assessing how the data could be used against the victims (can the information be used for identity theft or other criminal activity? does it include sensitive information such as medical records?), and considering the context of the breach (was this a case of deliberate hacking or an inadvertent lapse in security?).
- Notify everyone who has been affected
After you have assessed the extent of the situation, it is time to determine how to let your employees or your customers know what happened. Inform everyone who has been affected and everyone who is required to know under your state law. Let the victims know as soon as possible so that they can protect themselves by changing their passwords, canceling credit cards and monitoring bank statements. Notices should be practical, suggesting steps that recipients can take to protect themselves.
Other third parties may need to be notified as well. For example, if financial information is compromised, you might notify relevant financial institutions so that they can watch for suspicious transactions.
- Actions to prevent further breaches
After addressing the immediate threat, prevention is the final step. Carry out a thorough post-breach audit to determine where your security practices should be improved. This could include hiring a data security consultant to give you a fresh perspective on your existing practices, or providing training for relevant personnel to ensure that everyone is up to speed on the latest practices.
Employee & Family Resources is offering a new service within its EAP for identity theft. While the service excludes corporate breach incidents leading to identity theft of employees, our services assist employees and their eligible family members undergoing a fraud-related emergency. In the event of an identity theft, Fraud Resolution Specialists provide both affordable and expedient assistance, including a free consultation to help with emergency response, assistance in restoring identity and good credit, advice on how to communicate with creditors and collection agencies, and so much more!
To learn more about EFR’s ID Theft Resolution service, contact your EAP account manager today!