Cyberattacks and Data Breaches
Crisis Management Resource Center



Before Attack/Breach
1. Form an Incident Response Team. You should have a team in place and notify them immediately when a security breach occurs. The team should include people inside and outside of your company, as well as law enforcement officials and regulators.
2. Review your insurance policy. If your company has insurance that may cover the data breach, you should include a point person from the insurance company in the response team, as some insurers expect their consent to be sought before any response costs are incurred.
3. Prepare for a breach. Your best defense is to anticipate problems and potential litigation through pre-planning. This includes the following:
a) Have a basic response kit ready at all times, including a notice letter, a FAQ sheet and a press release.
b) Verify security systems and backups/archives periodically.
c) Review privacy policies to ensure compliance.
d) Seek out SAFETY Act protections, which offer liability protection following certain cyberattacks.
e) Provide the executive team with convenient access to critical cybersecurity documents and insurance policies.
f) Test and drill with your team.

After Attack/Breach
1. Notify internally.
a) Decide how to handle the communication to various constituents about the breach, and consider notification to your insurers.
b) Determine with your IT professionals and consultants whether, and to what extent, to shut down your system, and preserve the system image and logs. Engage a forensic consultant to preserve evidence of the event.
c) Analyze each system, determine the nature and scope of the data breach, and document the sequence of intrusion and the remedial steps taken.
d) Be sure to restrict access until the investigation is complete. Remember that timing is critical.
 
2. Notify externally. Depending on the state, you may need to provide notice to consumers that a security breach occurred. Additional notices to regulatory agencies may be required, as well as notice to consumer reporting agencies. You should address the following questions in a consumer notification.
a) What information was involved?
b) Was data improperly accessed, acquired or disclosed?
c) Likelihood of misuse?
d) Was data encrypted or otherwise protected (e.g., passwords, redaction)?
e) Where do individuals reside?
f) Are credit cards involved?
g) Do we have contact information (mailing address) for all involved?
h) If this was a cyberattack, has the malware been identified and isolated?

3. Conduct a post-mortem review. After the breach, be sure to test the restored system and consider HR training or additional screening procedures. You should also review and revise vendor contracts, policies, basic documentation and a written response plan. In addition, plan to evaluate your overall response effort, including feedback from those who were affected, as well as press coverage.