Nothing is more disheartening than walking into work only to discover your business is amidst a data breach. Your stomach drops and anxiety peaks as your brain enters survival mode. The news hits especially hard when you know you had proper security measures in place. So, how could this happen?
Corporate giants like Target, Home Depot, Facebook, and Twitter learned the hard way that even the most up-to-date cybersecurity doesn’t 100% guarantee your safety. While you should do everything you can to protect your company, including training employees, regularly updating servers and devices, and monitoring your environment, breaches can still happen.
And when they occur, you can’t improvise.
Take it from Uber’s former Chief Security Officer, Joseph Sullivan, who has recently been charged with obstruction of justice and misprision of a felony: the actions taken after a breach are just as important as the steps taken to prevent one.
What Not To Do
In 2016, Sullivan was contacted by two hackers who had successfully accessed and downloaded an Uber database that contained sensitive information of approximately 57 million Uber drivers and users. The breached database held the driver’s license numbers of about 600,000 drivers.
The cyber criminals saw an opportunity to make a quick buck, so they demanded a six-figure sum in Bitcoin in exchange for their silence, an offer that should have been denied and brought to the authorities.
Instead, Sullivan secretly worked to funnel the money through an existing “Bug Bounty” program, where the company pays white hat hackers for finding vulnerabilities in its systems.
News later leaked about the breach, and on Thursday, August 20, 2020, Joseph Sullivan received a criminal complaint about his involvement in hiding the actions of malicious hackers. The FBI stated that the actions of Sullivan prevented the FBI and FTC from being able to properly investigate and catch the criminals, putting other companies and countless consumers at risk.
U.S. Attorney Anderson commented, “Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
What This Means For You
Desperation can influence people to act without thinking. However, covering up evidence or neglecting to tell your consumers of the threat is wrong.
So, what should you do after a breach?
What To Do
Have a plan in place
Dealing with a breach can be a nightmare, and can easily become overwhelming if you aren’t prepared. By having an updated, easily accessible plan, you can be confident you aren’t missing any steps in handling this often complex situation. Your plan should include:
- What your company’s definition of a breach is
- A list of the members of your company’s response team
- The action steps that you and your response team need to take
- A list of any agencies that need to be notified (this may change depending on the industry that you are in)
- The follow-up procedure to make sure that the issues that led to the breach are fixed
Have a forensics team on speed dial
The Federal Trade Commission, or FTC, recommends that one of your first moves after discovering a breach is to consult an independent forensics team that can make sure that you get a good picture of the scene, much like the short-lived CSI episode. With their help, you will be able to gather all relevant information before securing your environment. This significantly reduces your risk of accidentally destroying evidence that could be used to catch any wrongdoers. You may even need the data to prove your innocence and to show that you were not engaged in actions similar to those of Joseph Sullivan.
Shut it down
To avoid a larger breach or spread of sensitive information, be sure to take all affected equipment offline immediately. However, it is important to not turn any machines off until forensic experts arrive as mentioned above. Additionally, be sure to change all passwords and credentials to prevent your system from being hacked again.
Contact your lawyer
The Federal Trade Commission also recommends looping in your legal counsel as soon as possible. This is important because whether or not criminal charges happen, you may see civil issues arise after a breach. The sooner you notify your counsel of the expected damages, the sooner they can prepare your defense.
Work with law enforcement
While your local sheriff’s office will be of little help in this situation, you should make sure to contact the local FBI office and give them a heads-up about the situation. If you think mail fraud or theft has led to the breach, it would be a good idea to inform the US Postal Inspection Service, the Post Office’s investigation service.
Know who to notify
Most states, and US territories, have legislation that requires a company to notify the appropriate parties within a defined time limit. Depending on the type of information that has been put at risk, other agencies may need to be notified too. Do your research and make sure this information is included in your emergency plan.
Have a communications plan
Breaches are bound to affect multiple individuals including your customers, employees, investors, partners, or stakeholders. You will need a plan in place on how you will notify the appropriate parties. Be sure to gather all the details and avoid sharing any information that may put any party at further risk. Be honest and don’t add any misleading statements about the situation.
If need be, adding a landing page of anticipated frequently asked questions can be a great resource for your customers.
Preparation is key. When it comes to cybersecurity, we believe in being proactive instead of reactive. Proactive action includes protecting your business with efficient cybersecurity, purchasing cyber liability insurance, and having a current emergency plan on hand if all else fails.