What to do if You've Been Hacked

Hackers, competitors, crime syndicates, and nation states all want your data. It is important to have security safeguards and controls but what do you do if you've been hacked?

Incident Response Plan

Every organization should have a formal Incident Response Policy and an Incident Response Plan. These documents provide a managed approach to responding to a security incident. In addition to other relevant factors, ensure your Incident Response Plan includes:

• Identifying the primary systems involved
• Determining how the attack was carried out
• Researching the steps needed to mitigate or remedy the situation
• Determining if a suspect exists (e.g. employee, contractor, outside entity)
• Collecting and preserving evidence including log files and physical evidence

During the process staff should document decisions and actions taken including:

• Incident: notification, classification, and declaration (a formal Incident is declared)
• Incident response: alert, triage, response, recovery, and maintenance

The Incident Response Plan should include steps to determine if the security breach did, or will in the future, result in harm to the individuals whose information was breached. Situations where there is a presumption that no reasonable risks exist include: the breached data was rendered unusable, unreadable, or indecipherable through a security technology (e.g. encryption) or methodology generally accepted in the information security industry.

Notifications

In some instances notice about the breach is required to be made to various individuals, organizations, and agencies:

• Customers. Notify customers of the security breach within 30 days of its discovery. Such notice may be provided by telephone, in writing, or via e-mail (if the individual consented to receive such notice via e-mail). Customer breach notification must include a description of the type of breach, a toll-free number that individuals may use to contact the company, and contact information for the major credit reporting agencies and the Federal Trade Commission (FTC).
• States. Each state has data security/breach notification laws. Determine if state Attorney General Offices need to be notified.
• Media. Provide notice to the media in any state where more than 5,000 residents were the subject of the breach. Note that state laws may vary.
• Department of Homeland Security. Determine if the incident must also provide breach notification to the Department of Homeland Security.
• Federal Trade Commission. If the organization is exempted from notification requirements, an organization using the risk assessment exemption must notify the FTC of its exemption along with the results of the risk assessment performed.

Steps Consumers Can Take

If your data breach included consumer information, individuals can take these steps to minimize their future risks:

• Ensure each account has a unique password
• Where possible, activate multi-factor authentication (e.g. text message or phone call with code) on logon screens
• Delete e-mails that may have messages from financial institutions, service providers, etc.
• Be wary of phone calls or e-mail messages that request sensitive information

Additional Resources
Additional information on identity theft, security safeguards, and templates:

• Identity Theft - Protect Customer Information (for organizations)
• Identity Theft - Protect Your Information (for individuals)
• Policies, Incident Response Plan, Forms and other security related documents in template form

All it takes is one security breach to compromise your data. Network security audits help organizations identify, manage, and reduce their risks of a data breach by ensuring the proper security controls are in place.