
How Will Your Business Respond to a Data Breach?

When your business suspects that there may have been a data breach, it’s important to promptly implement your Incident Response Plan. This typically includes notifying the IT department and involving leadership. This may be the time to notify the legal team as well. It’s important to document all steps that are taken in response to the suspected incident. Levin Ginsburg recommends these minimum steps be included within your own customized incident response plan.

Work with your IT department to contain the incident

Affected systems should be isolated, while ensuring that forensic evidence is preserved. For example, turning off affected computers may result in the loss of important evidence stored in that computer’s active memory. IT should take the lead on what steps to take and when.

Next, assess what information was affected. In Illinois, Personal Information (PI) is defined as an individual’s name plus specific unencrypted data elements. These can include social security numbers, driver’s license numbers, financial account information with access credentials, or medical or health insurance information. Illinois also separately recognizes that biometric identifiers, such as fingerprints, facial scans, or iris scans, require written consent before collection and retention.

Act Quickly if Personal Information (PI) is Compromised

If any of the affected data is PI, and it was not encrypted, then stricter reporting requirements are likely to apply. If the affected data was encrypted, then there may not be any reporting requirements. In Illinois, if consumers are required to be notified, it should be done in the most expedient time possible and without unreasonable delay. These notifications typically include a description of the breach, the type of PI that was compromised, what steps individuals can take, and provide fraud alert and security resources. If over 500 Illinois residents are affected, a business must also notify the Illinois Attorney General within 5 business days of notifying the affected residents.
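As an added illustration of the triage logic described above (this is example code, not part of the original post or of Levin Ginsburg's guidance), the following Python script classifies each affected record as PI using the data elements listed above, decides which individuals require notice based on whether the data was encrypted, and computes the Attorney General deadline from the 500-resident threshold and 5-business-day window. The record format, the constructed sample data, and the business-day calculation (weekends skipped, holidays not considered) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Data elements that, combined with an individual's name and left
# unencrypted, make a record Personal Information (PI) per the post above.
PI_ELEMENTS = {
    "ssn",
    "drivers_license",
    "financial_account_with_credentials",
    "medical_or_health_insurance",
}


@dataclass
class AffectedRecord:
    """One individual's record within the incident scope (assumed structure)."""
    has_name: bool
    elements: Set[str]
    encrypted: bool
    illinois_resident: bool


@dataclass
class TriageResult:
    notify_count: int               # individuals who must be notified
    illinois_notify_count: int      # of those, Illinois residents
    notify_attorney_general: bool   # over 500 Illinois residents affected
    ag_deadline: Optional[date]     # 5 business days after consumer notice


def is_pi(record: AffectedRecord) -> bool:
    """A name plus at least one listed data element constitutes PI."""
    return record.has_name and bool(record.elements & PI_ELEMENTS)


def requires_consumer_notice(record: AffectedRecord) -> bool:
    """Unencrypted PI triggers notification; encrypted PI may not."""
    return is_pi(record) and not record.encrypted


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` weekdays. Assumption: holidays are ignored."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def triage(records: List[AffectedRecord], consumer_notice_date: str) -> TriageResult:
    """Apply the notification rules to the affected records.

    `consumer_notice_date` is the ISO date on which affected residents are
    notified; the AG deadline is counted from that date.
    """
    to_notify = [r for r in records if requires_consumer_notice(r)]
    illinois = [r for r in to_notify if r.illinois_resident]
    notify_ag = len(illinois) > 500
    deadline = None
    if notify_ag:
        deadline = add_business_days(date.fromisoformat(consumer_notice_date), 5)
    return TriageResult(len(to_notify), len(illinois), notify_ag, deadline)


def sample_records() -> List[AffectedRecord]:
    """Constructed sample data, not from any real incident."""
    records: List[AffectedRecord] = []
    # 600 Illinois residents: name + SSN, stored unencrypted
    records += [AffectedRecord(True, {"ssn"}, False, True) for _ in range(600)]
    # 50 Illinois residents whose records were encrypted at rest
    records += [AffectedRecord(True, {"ssn"}, True, True) for _ in range(50)]
    # 10 out-of-state residents: name + unencrypted driver's license number
    records += [AffectedRecord(True, {"drivers_license"}, False, False) for _ in range(10)]
    # 20 Illinois residents: name only, so not PI
    records += [AffectedRecord(True, set(), False, True) for _ in range(20)]
    return records


if __name__ == "__main__":
    result = triage(sample_records(), "2024-03-01")
    print(f"Individuals to notify: {result.notify_count}")
    print(f"Illinois residents among them: {result.illinois_notify_count}")
    print(f"Notify Illinois Attorney General: {result.notify_attorney_general}")
    print(f"AG deadline: {result.ag_deadline}")
```

Running the script with the constructed data shows 610 individuals needing notice, 600 of them Illinois residents, so the Attorney General must also be notified, with the deadline falling five business days after the consumer notice date. Encrypted records and name-only records drop out of the count, which is the distinction the post draws between encrypted and unencrypted PI.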

If the breach occurred under the control of a vendor that maintains PI on your behalf, the vendor should notify you immediately following discovery. The vendor should provide as much information as possible and cooperate with any required notifications or remediation steps.

Take Remediation Steps Once Appropriate

Remediation steps should be taken once IT determines it is appropriate. If a vulnerability was exploited, patch it, along with any other open vulnerabilities. If credentials were compromised, passwords may need to be reset across all systems. If safeguards were bypassed, determine how that occurred and strengthen them going forward. If any malware was installed, remove it. It may be necessary to restore your data from backups.

Continue to document all actions taken, and preserve all evidence. This may include any forensic findings, notifications that were sent, security improvements that were made, and communications made with any regulators. Finally, conduct a post-incident review. Evaluate what occurred and how the systems performed. Consider whether policy or training updates are needed and whether there are any gaps with vendors.

If you need assistance with a data breach, or in preparing an incident response plan to be ready for one, please reach out to Levin Ginsburg for assistance. Each situation is fact specific, so for questions about your specific circumstances, please contact Kevin Thompson through our website.