I am a big adherent of Gibbs' Rule 13, “Never, ever involve lawyers.” Unfortunately, if your business suffers a data breach, Rule 13 goes out the window. You will be sued. Count on it.
But here are some things that you should do to protect yourself and your business from the worst legal repercussions:
- Have a plan – If you have a response plan prepared before your first breach occurs, this will help you act quickly to avert the worst of the damage, and will help you show that you have performed your due diligence.
- Train – Your staff needs to understand what the risks are, and how to be alert for them, and what to do when the inevitable happens.
- Email – The single biggest threat to your network integrity is the phishing or spearphishing email. Teaching good email practices is key to your success. Have a procedure for employees to follow if they get a suspicious email, and for what to do if they have already clicked the link or opened the attachment. The last thing you want is for them to hide the mistake, so make it easy for them to report incidents to you.
- Go public – Since the best defense may be a good offense, plan to blow the whistle on yourself. You need to tell your stakeholders about the breach yourself. Waiting for the media to break the story will only make you look your worst. Be direct with those who were affected by the data loss, and help them understand their exposure and your plans for remediation.
- Big things first – The first thing to do is stop the damage from expanding. Take the compromised system offline, preserve it for forensic examination, and report the breach to the police and to the FBI’s Internet Crime Complaint Center.
- Play it straight – This may drive your attorney crazy, but being open and honest about the situation will prevent you from looking like part of the problem. Tell people what you plan to do about it, then do it.
- Document it – Keep meticulous records of everything you do, everything you try, what you say, and who you say it to. Later on, during the trial, these records will pay big dividends by showing that you were on top of the situation and did your best to remediate it.
- Compliance – If you are regulated under PCI-DSS, HIPAA, GLBA, or other laws and standards, make sure you follow their requirements during your emergency.
Solid preparation and written cybersecurity policies and incident response plans will be your best investment for preventing a breach from happening, or for recovering successfully from one that does. This is not something you want to put off another year. By then it may be a moot point.