You’ve Just Been Hacked – Now What?

September 24, 2015  By Alex Chesko

Imagine the following scenario:

It’s 4:30pm on what has been a seriously busy Friday afternoon.  You’re just starting to think about the great tickets you scored to the game this weekend when an incoming call is transferred to your office.  It’s an agent from the Secret Service (yes – that Secret Service) calling to inform you that they have identified a computer on your network which has been communicating with a server linked to a hacking group operating in the Ukraine.

Wait – what?

You learn over the next 10 minutes that the computer in question was compromised by a sophisticated computer virus that came out early last year.  Your computer has been secretly transmitting sensitive data to an unknown third party FOR AN UNKNOWN PERIOD OF TIME!

You now have the distinct displeasure of joining a rapidly growing list of companies that have experienced a data breach.

Your first thought naturally is – “This is bad – really bad.”  It’s now time to act and you don’t have a contingency plan for this type of event.  Don’t worry – we can break down what happens next and give you a good idea what to expect over the next few months.

Here are the seven basic phases of your typical data breach:

PHASE ONE:  The breach is live.   Somehow, be it through a stolen password, a computer virus, or sensitive files that didn’t quite make it to the shredder – someone has gained access to information they shouldn’t have.  This is the period from when your data is first compromised until someone first detects the unauthorized access or transmission.

PHASE TWO:  The breach is discovered.  In a perfect world the breach is discovered internally because your data security is robust and your team is ever-vigilant.   Unfortunately – this isn’t always the case.   Sometimes a breach is only discovered after a heart-stopping call from a federal agency like the Secret Service or FBI, or the Fraud department of one of the major credit card companies.

The first thing to do is document the date and time of discovery, how the breach was discovered, and exactly when your breach response efforts begin.  From this point forward – you’re going to want to document everything.  Doing so can really save your bacon down the road and mitigate your exposure to additional penalties and legal actions.   It’s important to remember that from this moment forward it’s not just about what happened – but how you respond to the incident.

You’ll then want to take the affected computer or device offline.  If the computer is on – that’s fine, but make sure it can’t connect to your network or the internet.  Don’t go poking around the computer trying to find the problem – leave that to the experts (see Phase 4).  Preserve any evidence you can and limit access to the affected device.
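The two things Phase Two asks of you, writing everything down and preserving evidence without touching it, are easier to defend later if the record itself is tamper-evident. The script below is an added example and is not part of the original post or anything the agency provides: it keeps an incident log in which every entry carries the SHA-256 hash of the previous entry, and it records the hash of each evidence file so that a forensic firm (Phase Four) can later prove neither the log nor the files were altered after discovery. The incident ID, actor names, and file contents are constructed sample values.

```python
"""Tamper-evident incident log for breach discovery (added example, not from the post).

Each log entry is chained to the one before it by SHA-256, so changing, removing
or reordering an entry after the fact breaks verification. Evidence files are
hashed in chunks so large disk images do not have to be read into memory.
"""

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def sha256_file(path, chunk_size=1024 * 1024):
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(entry):
    """Hash every field of an entry except its own 'hash' field."""
    body = {key: value for key, value in entry.items() if key != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    """Append-only log: each entry embeds the hash of its predecessor."""

    def __init__(self, incident_id):
        self.incident_id = incident_id  # constructed label, e.g. "INC-2015-001"
        self.entries = []

    def add(self, actor, action, details=None, when=None):
        """Append one entry. 'when' defaults to the current UTC time (ISO 8601)."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": when,
            "actor": actor,
            "action": action,
            "details": details or {},
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return True only if every entry's hash and chain link still check out."""
        expected_prev = GENESIS_HASH
        for index, entry in enumerate(self.entries):
            if entry["seq"] != index or entry["prev_hash"] != expected_prev:
                return False
            if _entry_hash(entry) != entry["hash"]:
                return False
            expected_prev = entry["hash"]
        return True


def preserve_evidence(log, actor, path):
    """Hash an evidence file and record the digest in the log; returns the digest."""
    digest = sha256_file(path)
    log.add(actor, "evidence_hashed", {
        "path": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": digest,
    })
    return digest


def run_demo():
    """Walk through a Phase Two sequence with constructed data; returns (log, digest)."""
    log = IncidentLog("INC-2015-001")  # constructed incident id
    log.add("J. Doe (IT)", "breach_discovered",
            {"how": "call from federal agency", "host": "WS-042"})  # constructed
    log.add("J. Doe (IT)", "host_isolated",
            {"host": "WS-042", "network": "disconnected", "power": "left on"})
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "ws-042-memory.img")  # constructed file
        with open(sample, "wb") as handle:
            handle.write(b"constructed sample evidence bytes")
        digest = preserve_evidence(log, "J. Doe (IT)", sample)
    log.add("Response Team", "team_assembled",
            {"members": ["leadership", "IT", "Legal", "HR"]})
    return log, digest


if __name__ == "__main__":
    demo_log, evidence_digest = run_demo()
    print(json.dumps(demo_log.entries, indent=2))
    print("log verifies:", demo_log.verify())
```

Keep the JSON output somewhere the affected host cannot reach, and hand the final entry's hash to counsel or the forensic firm early; anyone holding that one value can later confirm the whole chain is unchanged.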

Phase two is also when you assemble your internal Breach Response Team.   Hopefully you’ve already identified the key people that will make up your crisis management team but if not – now is the time to send up the bat signal.  Most often this team is comprised of individuals from company leadership, and the IT, Legal, and HR departments.

PHASE THREE:  Make the call.  Your first call goes to an attorney who specializes in data breach response and requirements (the data breach equivalent of Harvey Keitel’s Mr. Wolf in Pulp Fiction).  If you already have a cyber liability policy in place there is probably a number to call to open a new claim.  The claims department will then put you in touch with a breach attorney and several other experts who will each play a role in the response effort.   A good breach attorney will be able to identify your legal obligations in regard to notification and the various state and federal entities involved. They’ll outline what information has to be disclosed, to whom, how it must be sent, and how long you have to give notice.  If the breach involves PCI (payment card industry) data your attorney will also outline any additional requirements you’ll need to meet.

PHASE FOUR:  Forensics.  Once you’ve spoken to your breach attorney you’ll be bringing in an outside firm that specializes in computer forensics.  Your attorney or insurance carrier often has a short list of recommended forensic firms.  Think of them as your own private, incredibly expensive CSI unit.  They arrive at your electronic crime scene to identify how the breach occurred, eliminate the threat, and most importantly – determine what data was compromised.  The length of this investigation can vary from a few days to several weeks.  This team will work with your IT department, but it’s important to note that the investigation must be done by an outside firm to remain impartial.  If your breach involves a large number of credit cards you may also be required to bring in a second forensic team which investigates on behalf of the card company.

PHASE FIVE:  Public Relations.  You’re going to need to hire a skilled PR expert who can help you prepare for going public with a data breach.  They’ll walk you through the ins and outs of dealing with the media and the public, preparing press releases, monitoring social media, etc.   They can also make sure your employees know how to respond to the inquiries they are likely to receive.   In phase five you’ll also be selecting additional services to help with the public side of a breach.  Credit and identity theft monitoring services are often retained, along with call center services for larger breaches.  A mailing service may also be used if you’re required to send out a large number of notifications.

PHASE SIX: Notification.  This is the part that will really keep you up at night.  You’re required to notify anyone whose information may have been compromised.  This is done under the careful guidance of your legal counsel, and can include formal notice to state or federal entities when required.  Remember how you started documenting everything back in phase two?  You’ll be glad you did because now the circumstances of the breach along with your response efforts will be subject to intense public scrutiny.  You can expect to hear from irate customers, news outlets, and bloggers writing from their mom’s basement on a regular basis.  If you’ve done your due diligence and hired the appropriate experts you’re on the right track.  The key here is to be as open and forthright as possible, and focus on what you are doing to increase data security and restore your customers’ faith in the company.

PHASE SEVEN: Aftermath.  Once the required notifications have been made and the initial frenzy of attention has subsided you will enter the final stage of a breach event.  You’ll still be handling inquiries and mending fences, though on a gradually lessening basis.  Here you will see any fines levied against the company by state or federal agencies.   If your breach involved a large number of payment cards you’ll probably see an assessment from a payment card company.  These assessments are often levied against your bank, which then promptly passes the cost on to you.  Settlement or defense of any lawsuits filed against the company also falls under phase seven, and can take several years to resolve.

The Moral of the Story:

Large corporations tend to survive even the worst of data breaches.  Their sheer size and revenue stream offers them some protection.  Most people aren’t going to stop shopping at Target or change their health insurance provider because it was hacked.  A breach is a much greater threat to the livelihood of small and mid-size businesses.  They can’t easily absorb the unplanned expenses, significant downtime, or lost sales that follow a breach.

So what are the two most important things you can do to give your business a fighting chance at surviving a data breach event?

        1. Have a solid response plan in place before a breach occurs.
        2. Secure a Cyber Liability policy that can help absorb the unexpected costs of a breach and keep your business afloat.

For more information, or to request a quote on a Cyber Liability policy for your business, please contact Pittsford Insurance Agency via email or by phone at 585.389.4150.