Incident Roadmap

The following is a checklist of some of the activities that may be appropriate for your organization to undertake in the event of a data breach.

The activities described below do not represent an exclusive list, and are not intended to describe a strict chronological order as these activities often overlap and typically happen simultaneously within the organization.


Response

🔲 Determine if the event is a real incident; implement your Incident Response Plan. This is one of the most important aspects of handling any incident. The Incident Response Team must know if this is truly a computer security incident, as opposed to a user error or a system configuration error.

🔲 You may want to contact a third-party security expert from our resources list in this portal. Our Breach Coach® service may also be able to offer some guidance or suggestions.

🔲 You may also want to refer to one or more of the following breach response guides: Incident Response Plan (provided by ID Experts), Data Breach Response Guide (provided by Experian Data Breach Resolution), A Guide to Data Breach Incident Response Planning (provided by Immersion, Ltd.), and Data Breach Incident Response Workbook (provided by AllClear ID).


Law Enforcement

🔲 If the event is real, consider contacting law enforcement.

Regional FBI Contact Map

Note: If management has decided that it wants to pursue and prosecute the network attacker, law enforcement must be notified as soon as it is verified that the incident is real. In most cases, law enforcement agencies will not step in and take over the incident. However, they will work with the team to ensure that its actions stay within the law and do not violate any individual rights. They will assist the team in properly documenting and storing evidence to protect the chain of custody that is necessary for evidence to be used in court. This step is especially important if the incident involves extortion.


Breach Notice Laws

🔲 Contact legal counsel who specializes in data breaches. This is especially important if customer information was accessed and state laws requiring customer notification were triggered. Counsel can help by (a) interpreting the various state regulations; (b) explaining your responsibilities under the law (if any); and (c) assisting in crafting the customer notice letter.

🔲 You may want to refer to Security Breach Notification Laws by the National Conference of State Legislatures.


Forensics & Breach Investigation

🔲 Following a network/data breach event, a company often chooses to engage third-party experts to assist with investigation and remediation, such as determining the facts around the data breach incident and understanding the extent of the event.

🔲 Document the time spent in man-hours, as well as the cost of handling the incident/remediation, with itemization. The cost, whether for inside staff or for outside vendors and experts, might be part of the claim.

🔲 Secure all logs, audits, notes, documentation and any other evidence that was gathered during the incident with appropriate identification marks, securing the chain of custody for future prosecution. Save all relevant system security, event and IDS logs. If the incident was a DoS attack, ask your ISP for its logs showing a spike in bandwidth.

🔲 You may want to refer to Cyber Forensics by the Department of Homeland Security.

🔲 You may want to refer to Forensic Cyber Communications by the Federal Bureau of Investigation (FBI).


Credit Monitoring Services

🔲 Many organizations that have suffered a data breach or leak incident offer customers credit monitoring services.

🔲 You may want to refer to Identity Theft Protection Services by the Federal Trade Commission (FTC).

🔲 You may want to refer to Credit Monitoring FAQs by the Federal Deposit Insurance Corporation (FDIC).


Lawyers / Legal Help

🔲 You may wish to engage a lawyer with experience in security and privacy compliance issues to assist in your defense and the interpretation of various state and federal regulations that may have been triggered following a data breach event. If your organization may face litigation, you may also want to engage a lawyer with experience in e-discovery rules and litigation-hold matters.

🔲 You may want to consult with John Mullen, our lead breach coach and partner at Mullen & Coughlin, one of the leading legal firms dedicated exclusively to cybersecurity. As a client, your first call or email is free.


Insurance Claim

🔲 Notify your broker or your insurance company Claims Representative as soon as possible. You should be sure to have your IT staff gather and document facts surrounding the incident. Network security event logs are often vital in helping verify the date, time and machine involved in an incident. Your company should save these logs.

🔲 You may want to consult with Alexandra Bretschneider, our cyber insurance coach and Cyber Practice Leader at Johnson, Kendall & Johnson. As a client, your first call or email is free.


Public Relations

🔲 You may need to engage a skilled public relations specialist to help communicate publicly about any breach and deal with the press.

🔲 You may want to refer to Crisis Communication Plan by Ready.gov, an official website of the United States government.


DISCLAIMER: This portal lists specific third-party technical and legal resources that can assist you in recovering from an incident. Please note that we have listed these highly specialized vendors as a convenience to you and to help you expedite your recovery. Be aware that Ultimate Risk Solutions does not endorse their respective services. We are not affiliated with these third-party vendors nor are we receiving compensation for listing them in this portal. Before you engage any of these companies, we urge you to conduct your own due diligence to ensure the companies and their services meet your needs. Unless otherwise indicated or approved, the cost of services from these companies is your responsibility.