The following is a checklist of some of the activities that may be appropriate for your business to undertake in the event of a data breach.

The activities described below do not represent an exclusive list and are not intended to describe a strict chronological order as these activities often overlap and typically happen simultaneously within the organization.

Steal data concept illustration. Criminal and thief hacking computer and stealing data and money. Vector in a flat style
Response

Determine if the event is a real incident; implement your Incident Response Plan. This is one of the most important aspects of handling any incident. The Incident Response Team must know if this is truly a cyber security incident, as opposed to a user error or a system configuration error. You may want to contact your third-party security expert. You will need to “activate” your established Incident Response Plan.

Law Enforcement

Note: If senior management and the incident response team has decided that it wants to pursue and prosecute the network attacker, law enforcement (FBI) must be notified as soon as it is verified that the incident is real. In most cases, law enforcement agencies will not step in and take over the incident. However, they will work with the team to ensure that its actions stay within the law and do not violate any individual rights. They will assist the team in properly documenting and storing evidence to protect the chain of custody that is necessary for evidence to be used in court. This step is especially important if the incident involves extortion.

Breach Notice Laws

Contact your cyber legal counsel. This is especially important if customer information was accessed and various state laws were triggered requiring a customer notification. The cyber legal counsel should already be a part of your incident response team. The Counsel can help in (a) interpreting the various state regulations; (b) your responsibilities under the law (if any) and (c) assisting in crafting the customer notice letter. He or she can also assist in your defense and the interpretation of various state and federal regulations that may have been triggered following a data breach event. If your organization may face litigation, be sure that your cyber lawyer has experience in e-discovery rules and litigation-hold matters.

Forensics & Breach Investigation

Following a network/data breach event, a company often chooses to engage third-party experts to assist with investigation and remediation, such as determining the facts around the data breach incident and understanding the extent of the event. The third-party experts and your established incident response team should work together.

Document the time in man-hours, as well as the cost of handling the incident/remediation, providing itemization. The cost might be part of the claim either for inside staff or outside vendors and experts.
Secure all logs, audits, notes, documentation and any other evidence that was gathered during the incident with appropriate identification marks, securing the chain of custody for future prosecution. Save all relevant system security/event/IDS Logs. If a DoS attack, ask your ISP for their logs showing a spike in bandwidth.

Credit Monitoring Services

Many organizations that have suffered a data breach or leak incident will offer affected customers credit monitoring services. After consultation with senior management, the incident response team including your cyber legal counsel can engage these services via the pre-approved vendor list in your cyber incident plan.

Insurance Claim

Notify your broker or your insurance company Claims Representative as soon as possible. You should be sure to have your IT staff gather and document facts surrounding the incident. Network security event logs are often vital in helping verify the date, time and machine involved in an incident. Your company should save these logs.

Public Relations

You may need to engage a skilled public relations specialist to help communicate publicly about any breach and deal with the press. This person or company should be well vetted and listed in your vendor support list included in the cyber incident response plan.

The loss prevention information and advice presented in this document is intended only to advise our clients, customers and business partners of a variety of methods and strategies based on generally accepted safe practices, for controlling potentially loss producing situations commonly occurring in business premises and/or operations. They are not intended to warrant that all potential hazards or conditions have been evaluated or can be controlled. They are not intended as an offer to provide insurance coverage for such conditions or exposures, or to imply that UNITEL Insurance or UNICO Group will provide such coverage. The liability of UNITEL Insurance or UNICO Group is limited to the specific terms, limits and conditions of the insurance policies issued, if any.