Who Is Responsible for a Data Breach?

You are responsible for a data breach that involves your business. If a data breach exposes your passwords, your staff’s personal information, confidential documents or client information, and hackers accessed your systems, you are responsible.

Most business owners, nonprofits and municipal agencies do not want to hear this. They wrongly believe that the hackers are responsible for any intrusion or breach. Take a look at your state laws, licensing requirements or your cyber security insurance policy. They will all tell you the same thing: You are responsible for a data breach.

Your responsibility arises from the “reasonable safeguards” or “reasonable measures” language that appears in cyber insurance policies, licensing requirements and state legislation, as well as specific responsibilities mandated by government and industry regulators.

What do I do about a data breach?

You must first stop the breach. This means shutting down all access to affected systems for everyone except a single authorized user, who will change passwords and eliminate all database connections and outbound traffic. This may involve temporarily taking data sources or websites offline, then checking to see if unauthorized data transfers continue when you turn them back on.

Next, you need to determine what was accessed. In a data breach, hackers are typically looking for usernames and passwords, but there are some industry-specific risks to weigh as well.

Municipal agencies and hospitals should ensure that critical systems have not been compromised. Hackers may be attempting to open a back door to energy, water, HVAC or communication systems so that they can seize control of them in the future or use them as part of an attack. What looks like an attempted data theft or intrusion could be a distraction from the real attack. If you operate equipment that can be used to harm others or disrupt essential infrastructure, you must conduct a thorough system evaluation after any breach or attempted attack. You need a CISO or Fractional CISO who can help you ensure systems have not been compromised.

Banks, credit unions, real estate agencies, law firms and other organizations with access to clients’ bank accounts or financial information need to ensure that none of this information has been compromised. If it has, you must notify clients and the credit reporting bureaus immediately to prevent potentially irreversible monetary theft.

Medical practices, real estate agencies, law firms, nonprofits and counseling services need to ensure that patient and client records have not been compromised. Theft and publication of confidential medical information, settlements, NDAs or donor lists could destroy your reputation and expose you to liability.

You must account for all data that was compromised and immediately inform impacted individuals. Depending on your industry, you may also have an obligation to inform state officials and law enforcement.

What Do I Need to Do to Protect Sensitive Data?

As a rule, you must take steps to ensure that any devices holding sensitive data, including laptops, smart phones and servers, have password protection and multifactor authentication. Two-step authentication is a must for any data stored on cloud services.

If your office uses WiFi, it must be inaccessible to outsiders, including your clients. If you want to provide free WiFi for clients, it should be on a separate device that does not connect to your internal network. Passwords should be strong and should be updated on a regular basis. If possible, employees should have company-issued laptops and smart phones with enhanced security managed by a Chief Information Security Officer. Shared passwords should never be allowed and default passwords on network equipment must be changed before that equipment is put into service.

You Will Be Investigated After a Data Breach

If you have a cyber insurance policy, expect your issuer to conduct a thorough investigation of the breach. If they find that you failed to meet reasonable security requirements, your policy may be invalid. Law enforcement and government agencies may also investigate the circumstances around a breach to determine your level of cyber security.

If the breach impacts a large number of people or involves high-profile individuals, you can expect the media to scrutinize your data security practices as well.

State-sponsored attackers can circumvent hardened systems, but the majority of data breaches involve easy, improperly secured targets, all too often run by people who thought, “This won’t happen to me.” No matter what you do or how small you think your business is, you must expect a data breach and understand that you will be held responsible for it unless you have a high level of security in place.

Protect Now helps nonprofits, municipalities and small businesses get the cyber protection they need. We specialize in public-facing organizations and work with your existing systems, including legacy hardware and software. Contact us to speak to a cyber security expert about your needs.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.