Four steps to take after a data breach happens
Posted On: Nov. 6, 2017 12:00 AM CST
When dealing with a cyber breach, Jeffrey Dennis, managing partner and cyber security practice lead with Newmeyer & Dillion L.L.P. in Newport Beach, California, recommends a four-step approach.
1. Do initial assessment: Identify what damage has occurred and what the risk is — what type of attack it was, what data has been compromised — and that will dictate the next steps. “When you know what you’re dealing with, you know what path to go down in your incident response plan,” he said.
2. Take steps to minimize any further damage: Reroute traffic within your operating systems or set up a web filtering system or isolate parts of your network. “It’s akin to stopping the bleeding,” Mr. Dennis said. “If you’ve got a problem, you’ve got to plug the hole and make sure you’re not being continuously breached.”
3. Record and collect the data related to the type of breach: Image your impacted system in a forensically acceptable manner so you can preserve the data and can figure out — once you stop the bleeding — what happened, how it happened and who’s responsible. “You don’t have the time to do that during the breach, because you’ve got to do all these other things,” Mr. Dennis said.
4. Notify: This is one of the most challenging steps, Mr. Dennis said, as notification laws vary from state to state. How do you notify your employees? When do you reach out to law enforcement, whether it’s the FBI, the Secret Service, the U.S. Department of Homeland Security or local authorities? And what do you tell your customers?
“You can see why it’s so important to have a plan in place, because you don’t want to get breached and at that point have to figure out where your customers reside and then figure out what law applies to those customers,” Mr. Dennis said.