A Data Breach! Now What?
Your organization may go to great lengths to defend itself from data breaches. Unfortunately, no matter how many security controls you’ve implemented or information security certifications you’ve secured, cyber incidents can still happen. If a data breach does happen, every moment counts. To minimize the damage, you must act fast to contain the threat and communicate with key stakeholders. So, what exactly should organizations do after a data breach? Here are some steps an organization can take immediately after a breach is discovered, focusing on three critical stages: containment, damage assessment, and notification.
Containment: Stop the Breach in Its Tracks
Priority number one after discovering a breach is to stop the bad actors from getting further into your organization and prevent the loss of additional data.
- Isolate affected systems: Disconnect compromised servers, workstations, or networks from the internet and internal systems to prevent the attacker from moving laterally and accessing more data.
- Change access credentials: Reset passwords, revoke tokens, and update API keys for all affected user and service accounts.
- Engage your incident response team: Activate your organization’s response plan, which should include IT security, legal, communications, and executive leadership. If you lack internal expertise, have a cybersecurity firm investigate and help with containment.
- Preserve evidence: Avoid wiping or reimaging systems until forensic experts collect evidence that can reveal how the breach occurred.
Damage Assessment: Understand the Scope and Impact
Once the breach is contained, the next step is to understand exactly what data was compromised and how the breach occurred. A thorough assessment informs both your recovery efforts and your notification obligations.
- Determine what data was exposed: Identify whether personal information, financial data, intellectual property, or other sensitive material was affected.
- Evaluate who is impacted: Determine how many individuals, clients, or partners are affected, and whether any are subject to specific regulatory protections (such as HIPAA, GDPR, or state privacy laws).
- Analyze the attack: Review logs and forensic data to determine whether the breach was caused by a phishing attack, an unpatched vulnerability, a compromised third-party vendor, an insider threat, or something else.
- Assess operational impact: Consider whether critical business functions, availability, or reputation are affected, and whether temporary measures or backup systems need to be activated.
Notification: Communicate Transparently and Compliantly
Most privacy and data protection laws require organizations to notify affected individuals and regulators within a specific timeframe. Even if not required by law, transparency helps maintain trust.
- Follow legal requirements: Identify applicable notification obligations under federal, state, or international laws. For example, the GDPR generally requires notification within 72 hours. HIPAA has specific requirements in the Breach Notification Rule.
- Craft your notifications: Provide the people potentially impacted with clear information about what happened, what data was compromised, and what steps they can take to protect themselves. Offer credit monitoring or identity theft protection if appropriate.
- Inform regulators and partners: Report to supervisory authorities, law enforcement, and relevant business partners as required. Under FISMA, incidents must be reported to the United States Computer Emergency Readiness Team (US-CERT).
- Manage public communication: Prepare press releases or media responses that are transparent and aligned with your legal obligations. Avoid technical jargon in public communication.
Have an Incident Response Plan
To be able to respond quickly after a data breach, organizations need to have an incident response plan in place. A comprehensive incident response plan includes procedures for detecting, analyzing, containing, eradicating, and recovering from security incidents. NIST SP 800-61 Rev. 2, also known as the Computer Security Incident Handling Guide, provides highly regarded guidance for incident response, including:
- Incident response life cycle model
  - Preparation
  - Detection and analysis
  - Containment, eradication, and recovery
  - Post-incident activity
- Incident response roles and responsibilities
- Incident response policies and procedures
CompliancePoint can help organizations with all aspects of cybersecurity, including breach readiness assessments, incident response plans, and recovery from a data breach. Reach out to us at connect@compliancepoint.com to learn more about our suite of services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.
