You’re going about your business, and something seems off. Files are moved around, and perhaps a .txt file is left somewhere with a mocking title. You open it up, and in broken English is a message that someone got in and mucked around on your machine! What do you do?
[Immediate Actions like calling IT, changing every password you know of for most sensitive data, if someone is actively controlling it, unplugging the machine]
Your first action should be to pick up the phone and call your IT department. If advanced actions are needed, they will be ready to rock and roll to help out. As soon as you tell them what’s going on, chances are these are the steps they’ll tell you to take:
- Disconnect from the internet, either by unplugging the ethernet cable or by disabling Wi-Fi. If that’s not possible, the next direction might be to yank the power cord out the back. As an aside, that’s the only time you should unplug a PC without a clean shutdown: emergencies only!
- Make a list of what sensitive information was on that machine, and any accounts that they may have gotten into. For the accounts that may have been compromised, start coming up with a new, unique, complicated password. If you have many accounts, it’s going to be a long day changing all those passwords!
- Other than that, those are really the only steps you can take. This is a case of an ounce of prevention vs. a pound of cure. Once a breach happens, that’s it. There’s no counteroffensive to launch; at most, a data forensics team can take a look at what happened. At this point, do as your IT department tells you, and think about how to make sure this doesn’t happen again.
If someone got into your network and there is a reasonable chance they had access to personally identifiable information like Social Security numbers and banking information, you will have to inform the appropriate state authorities about what happened. (Quick reminder AGAIN that we at Systems Supports are not attorneys, and we do not play ones on the internet. For detailed questions about the requirements of data breach laws, please contact your business attorney!!!) According to the Office of Consumer Affairs and Business Regulation, detailed at https://www.mass.gov/service-details/requirements-for-data-breach-notifications, you have to notify them within a reasonable amount of time and include the following information:
- A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
- The number of Massachusetts residents affected as of the time of notification;
- The steps already taken relative to the incident;
- Any steps intended to be taken relative to the incident subsequent to notification; and
- Information regarding whether law enforcement is engaged investigating the incident.
“A reasonable amount of time” is a nebulous term, and reasonable is just that: you don’t have to pick up and dial right away, but don’t drag your feet and speak up 2 years later.
The notification requirements change for different regulated sectors. For example, HIPAA has its own notification laws. According to the HHS website at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html, affected individuals must be sent individual notices within 60 days of the discovery of a breach! And, if the breach affects more than 500 residents of a State or Jurisdiction, you have to contact appropriate media outlets in the affected area!
In closing, there’s not much you can do once it’s happened. You have some immediate steps to take: get the experts involved and disclose what happened. Data breaches are something you take steps to prevent long before one happens, or before you think one will happen. And while they are somewhat inevitable, the next best thing is to have your bases covered: documentation of your security measures, and a plan for who to call and how to handle the incident when it happens.