A series of articles on the processes involved in responding to a data breach.
Overview
By now, most business owners know that it is not a question of whether, but when, their business will suffer a data breach.
Depending on what laws apply to your business, you may only have a matter of days to notify regulators and affected individuals.
Determining what happened, which regulators need to be notified, and which individuals may need to be notified requires an investigation of the breach by people with forensics expertise, who can determine what types of information or data were exposed or acquired. If their investigation reveals that any personally identifiable information (PII) or protected health information (PHI) was involved, the entire dataset will need to be analyzed and reviewed by a data breach review team. Only after all the relevant data has been culled and merged can an experienced law firm determine which regulators and which individuals need to be notified.
While big firms will likely have general liability policies, cyber insurance, and lawyers already on call or in place to assist them in the event of a breach, small firms and sole proprietors are often unprepared and without resources. In a series of posts, The Data Breach Times interviews experts about the different phases of breach response and what businesses need to know to comply with their obligations to notify individuals and regulators of a breach.
Getting Started on Breach Response
Once your firm suspects it has had a breach, or has been directly informed of one, contact your carrier for guidance if you have a cyber insurance policy. If you don't have cyber insurance, there are two paths you can take.
Contact a Forensics Expert
You can ask your internal IT department for recommendations and contact a forensics expert directly. If your IT department does not have a forensics expert contact, you can do a web search for "Data Breach Forensics Companies" in your area. A forensics expert can confirm whether there has been a breach and, if so, the scope of the information compromised. Once they have done so, they will undoubtedly refer you to a data breach coach.
Call Your Lawyer
Another approach is to contact an experienced data breach law firm, which will then advise you of your compliance obligations and arrange for necessary services that may be covered by attorney-client privilege. It is always better to have the law firm lined up in advance instead of having to find one while in panic mode. Having an experienced law firm involved prior to any breach can also provide your business with helpful advice on how to prevent breaches and what kind of incident response plan to have in place for when something does occur.
Whichever path you choose, the clock may already be ticking on your compliance obligations. The first thing that needs to be determined is what files were involved in the breach and whether there is any PII or PHI in those files. If there is, a data breach review will be required, as discussed in the next post in this series.