How to Survive a Compliance Incident
A well-prepared cybersecurity program can minimize threats; however, a company can never eliminate risk entirely because of the human factor. For example, the CIOX incident from July 2021 originated from a single email account and yet affected thousands of individuals. Cyber threats have evolved to become more organized and sophisticated, so what happens after a large-scale incident is reported?
Activate the Incident Response Plan
The incident response plan outlines the steps and phases of what to do when a breach has occurred. It also establishes a communication channel so the organization knows who to notify in the event of a breach. A well-established plan should include running mock incident sessions and reviewing the plan annually. One of the first steps in any incident response plan is to brief the team with as much information about the breach as possible, including:
How was the threat discovered?
What areas does this impact?
Who discovered it?
When was it first noticed?
Isolation and Eradication
In this phase, the team collects any available data from applications and logs and interviews anyone involved with the breach. The team identifies the threat and contains it to prevent further damage. Depending on the nature of the breach, this could include short-term and longer-term containment strategies. Once the team removes the threat, it identifies the root cause and addresses it to prevent similar attacks in the future (e.g., patching a system, resetting passwords, or removing malware). Depending on the nature of the incident, you may need to consider engaging a forensic firm that can identify all areas impacted. For example, a breach of an email account could have further repercussions: an attacker could have sent spoofed emails from that account to other individuals and gained access to additional accounts.
Analysis of Legal Requirements
Once the team eradicates the threat, it needs to review legal and regulatory requirements. Whether legal requirements apply will likely depend on the type of data exposed and accessed (e.g., Did this involve PHI? Was client data accessed?). Review your contract matrix to determine the notification period and contact details. Identify which regulations you might need to follow (e.g., Do you need to report this to a government entity?). If the analysis concludes that external individuals are affected, you should seek legal counsel. Additionally, depending on the extent of the breach, you may need to notify your cyber liability insurance carrier.
You will need to start informing victims and relevant government entities at this stage. If the breach is extensive and includes PHI, you might be obligated to report it to the media to comply with HIPAA regulations. You may consider hiring a PR firm to coordinate the messaging together with your legal team. If you are a business associate, you should be prepared to provide enough information to the covered entity to identify all individuals impacted by the incident. Before sending notifications, prepare statements that address frequently asked questions (e.g., Why did this happen? What is the company doing to ensure this does not happen again? Who was involved?). The organization needs to identify which employees can answer questions about the breach, and which answers are confidential or still under development. If many individuals are affected, you may want to consider setting up a call center that is prepared to answer frequently asked questions. A breach notification can also lead to an external audit, so you will want to secure all evidence gathered related to the breach and ensure your policies and procedures are up to date.
The incident response team will want to regroup and minimize future threats. Determine the root cause of the breach, identify the risks to eliminate through policy changes, system updates, or the purchase of cybersecurity tools, and perform an internal audit to identify additional risks. Need assistance creating an incident response plan or organizing your policies? Contact PolicyCo for help.