Thursday, May 4, 2023

Data Breach – An Unprepared Company

QUESTION 

We were just hit with a data breach and were completely unprepared for it. Hackers took personal information from our corporate server. We believe that customer information was stolen. The hacker also went after our website, meaning information there may be exposed. 

Our Business Continuity policy is all of two pages. We put it together by pasting it from a few Google searches. You may think we are a small mortgage lender, but we have branches in eight states and originate a large volume of mortgage loans. 

We have already alerted law enforcement. We are working on a quick plan to notify investors and customers. But we have no process to follow for this data breach. We're working without a guide. 

All of us in management know you have written a lot about issues like ours. Please help as soon as possible. 

What should we do immediately if we are hacked? 

ANSWER 

NOTE: This article provides links to subject articles, presentations, and a complimentary Data Breach: Quick Reference Checklist. 

As many of you know, I am like a Mother Hen regarding our clients, always looking to protect them. And through these weekly newsletters, I try to ensure our readers are made aware of regulatory compliance challenges. However, some readers ignore my advice, including my repeated advice on the importance of having a Business Continuity policy. 

Our Business Continuity plan is comprehensive. We believe it meets regulatory scrutiny; however, I don't care whether you use ours or another firm's policy. Assuming the policy is reliable, get it and implement it! If you are not operating with a plan, your company is unprepared for a data breach. Also consider our mini-audit, BCP Tune-up, which provides a review of your Business Continuity plan and procedures.

For information about our Business Continuity Plan, click HERE.

For information about our BCP Tune-up, click HERE.

Here are just some articles I have published on Business Continuity: 

· Disaster Recovery and Business Continuity

· Cybersecurity Rule – Proposed Updates

· Ransomware Payments

· Prohibited Acts and Practices

· Large Bank Cybersecurity Challenges

· UDAAP Violations caused by Insufficient Data Protection

· Mother of All Computer Bugs

· Phishing Scams

· Intrusion Detection Terms 

As Falstaff said, "Better three hours too soon than a minute too late." 

Don't delay. Procrastinate at your peril! 

Let's turn to the situation you find yourself in, to wit, a data breach and no plan for Business Continuity, which should include a Disaster Recovery component. 

If your company experiences a data breach, you should notify law enforcement, other affected businesses, and individuals. Since I do not know your company's size, complexity, or risk profile, my remarks are necessarily generic. 

However, I will provide a bulleted outline so you can act promptly. 

Request the complimentary Data Breach: Quick Reference Checklist. 

Evidence

· Do not destroy evidence. In particular, do not destroy any forensic evidence in the course of your investigation and remediation.

· Document your investigation. 

Immediate Response

· Secure physical areas potentially related to the breach. Lock them and change access codes.

· Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the nature of the breach and the structure of your business.

· Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and complexity of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.

· Identify a data forensics team. Consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.

· Consult with legal counsel. You may consider hiring counsel with privacy and data security expertise. They can advise you on the federal and state laws that a breach may implicate. 

Stop Data Loss

· Take all affected equipment offline immediately — but don't turn any machines off until the forensic experts arrive.

· Closely monitor all entry and exit points, especially those involved in the breach.

· If possible, put clean machines online in place of affected ones.

· Update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you've removed the hacker's tools. 

Remove Web Vulnerability

· Your website – If the data breach involved personal information improperly posted on your website, immediately remove it. Be aware that internet search engines store, or "cache," information for some time. You can contact the search engines to ensure that they don't archive personal information posted in error.

· Other websites – Search for your company's exposed data to ensure no other websites have saved a copy. If you find any, contact those sites and ask them to remove it. This applies to websites operated by your company's loan officers and agents. 

Interviews

· Interview the people who discovered the breach.

· Talk with anyone else who may know about it. 

· If you have a customer service center, ensure the staff knows where to forward information that may aid your investigation of the breach. 

Service Providers

· If service providers were involved, examine what personal information they can access and decide if you need to change their access privileges.

· Make sure your service providers take the steps needed to prevent another breach.

· If your service providers say they have remedied vulnerabilities, verify that they actually fixed them.

Network

· Work with your forensics experts to analyze whether your segmentation plan effectively contained the breach. If you need to make any changes, do so now. This assumes that when you set up your network, you segmented it so that a breach on one server or in one site could not lead to a breach on another server or site. 

Forensic Consultation

· Find out if measures such as encryption were enabled when the breach happened.

· Analyze backup or preserved data.

· Review logs to determine who had access to the data at the time of the breach.

· Analyze who currently has access, determine whether that access is needed, and restrict access if it is not.

· Verify the types of information compromised, the number of people affected, and whether you have contact information for those people.

· Important: Take the recommended remedial measures immediately when you get the forensic reports. 

Communications

· Create a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners, and other stakeholders.

· Don't make misleading statements about the breach.

· Don't withhold key details that might help consumers protect themselves and their information.

· Don't publicly share information that might put consumers at further risk.

· Put top-tier questions and clear, plain-language answers on your website where they are easy to find. 

Notification: Legal, Third Parties, Credit Bureaus

· Determine your legal requirements.

    · All states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

· Depending on the types of information involved in the breach, other laws or regulations may apply to your situation. Check state and federal laws or regulations for any specific requirements for your company.

· Call the local police department immediately.

    · Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be.

    · Consult with law enforcement about what information to include in your notifications so that such notifications do not hamper the investigation.

· If your local police aren't familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service.

· For incidents involving mail theft, contact the U.S. Postal Inspection Service.

· If account access information — say, credit card or bank account numbers — has been stolen from you, but you don't maintain the accounts, notify the institution that does so that it can monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other businesses, notify them of the data breach.

· Contact the major credit bureaus for additional information or advice if Social Security numbers have been stolen. If the hack involves a large group of people, advise the credit bureaus if you recommend that people request fraud alerts and credit freezes for their files. Here are contact numbers:

    · Equifax: Equifax Consumer Services Center or 800-685-1111

    · Experian: Experian Help or 888-397-3742

    · TransUnion: TransUnion Credit Help or 888-909-8872 

Notification: Individuals 

These are five factors to consider in the notification of individuals:

1. State laws;

2. The nature of the compromise;

3. The type of information taken;

4. The likelihood of misuse; and

5. The potential damage if the information is misused.

· Consult with law enforcement about the timing of the notification so it doesn't impede the investigation.

· Designate a point person within your organization for releasing information. Give the contact person the latest information about the breach, your response, and how individuals should respond.

· Use letters, websites, press releases, media notifications, and toll-free numbers to communicate with people whose information may have been compromised.

· Consider offering at least a year of free credit monitoring or other support, such as identity theft protection or restoration services, particularly if financial information or Social Security numbers were exposed. 

Notifications: State Law 

State breach notification laws typically tell you what information you must, or must not, provide in your breach notice. In general, unless your state law says otherwise, include the following:

· How the breach happened;

· What information was taken;

· How the thieves have used the data (if you know);

· What actions you have taken to remedy the situation;

· What actions you are taking to protect individuals (e.g., offering free credit monitoring services); and

· How to reach the relevant contacts in your organization. 

Personal Health Records

· Did the breach involve electronic personal health records? The nonpublic personal information (NPI) in loan applicants' files may contain health records and information.

    · Check if the FTC's Health Breach Notification Rule covers you. If so, you must notify the FTC and, in some cases, the media. The FTC's guidance on complying with the Health Breach Notification Rule explains who you must notify and when to do so.

    · Check if the HIPAA Breach Notification Rule covers you. If so, you must notify the Secretary of the U.S. Department of Health and Human Services (HHS) and, in some cases, the media. HHS's Breach Notification Rule explains who you must notify and when to do so. 

Whatever steps you take procedurally, be sure to ask your forensics experts and law enforcement when it is reasonable to resume regular operations. 

Request the complimentary Data Breach: Quick Reference Checklist.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group