How to Recover from a Data Breach

You’ve Been Breached—Now What?

The number of breaches and their costs have been increasing in the past couple of years due to the rise in online payments and other digital interactions. Because more of these activities are occurring digitally, it’s become more difficult for organizations to adequately protect the ever-growing amount of sensitive customer data entering their environments. As a result, businesses are paying the price.

According to IBM’s latest “Cost of a Data Breach” report, data breaches are costing companies an average of $4.24 million per incident. That’s a 10 percent increase compared to last year, which the report attributes to incidents becoming “more costly and harder to contain due to drastic operational shifts during the pandemic.”

The growing frequency and financial consequences of breaches create security and privacy problems for companies all over the world. Knowing what to do after a data breach occurs can be challenging, but you must have a response plan ready, or it could be impossible for your business to recover.

Discovering a Data Breach 

After finding out your company has been breached, you will need to assess what happened and what data, if any, was exposed. Identifying who and what was compromised will make it easier to notify affected individuals, businesses, and law enforcement.

To determine what legal requirements you need to satisfy in your response, speak with your internal security and legal teams. Your company’s location and industry determine which notification laws apply. It’s therefore important for your company to have a response plan that spells out how you will recover from a major security incident such as a breach, so that the proper procedures are already in place when you need to take the next steps quickly.

Sending a Data Breach Notification 

Before delivering a breach alert, your company must have up-to-date contact information for each party that’s involved. Knowing how they prefer to receive notifications and where they reside will affect how quickly they can receive notice.

Breach notifications are usually done in a written statement through the mail, but if customers have requested to receive only emails, then you will need to send it electronically to those specific individuals. If you lack the necessary data to contact your clients directly, you must provide a notice of the breach on your company’s website. See below for a general overview of common breach notification requirements.

GDPR

Notifications must be issued within 72 hours of discovering the breach and include:

  • The nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned

  • The name and contact details of the data protection officer or other contact points where more information can be obtained

  • The likely consequences of the personal data breach

  • The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects 

CCPA

“Immediately following discovery” of a breach, notifications must be issued “in the most expedient time possible and without unreasonable delay.” Necessary information includes:

  • Name and contact information of the one issuing the notice

  • List of the types of personal information involved in the breach

  • Key dates involving the breach

  • Whether a delay in providing the notice is attributable to an investigation by law enforcement

  • A general description of the breach

  • The contact information of major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number

  • An offer to provide appropriate identity theft prevention and mitigation services if the one providing the notice was the source of the breach

LGPD

Notifications must be issued in a “reasonable” period of time and include the following:

  • Description of the nature of the affected personal data

  • Information regarding the data subjects involved

  • Indication of the security measures used

  • The risks generated by the incident

  • The reasons for the delay in communication (if any)

  • The measures that were or will be adopted

NACHA

Notifications must be issued “as soon as reasonably possible” and include:

  • The approximate cause(s) of the breach incident

  • The approximate date of the breach incident

  • The approximate size of the affected population (victims)

  • The type of data exposed

  • The routing and transit numbers (“RTN”s) of the affected RDFI accounts

  • The ODFI’s designated security contact for inquiries from RDFIs

  • Organizations that are involved in the breach

HIPAA

Notifications must be issued electronically within 60 days of discovery of the breach if more than 500 individuals are affected, or within 60 days of the end of the calendar year if fewer than 500 are affected.

If you are in the U.S., additional notification requirements vary by state. The table below is based on an IAPP.org resource and shows the timing requirement each statute imposes for notifying affected individuals.


State: Timeframe of notification to individuals

Alabama: As expeditiously as possible and without unreasonable delay, no more than 45 days
Alaska: As expeditiously as possible and without unreasonable delay
Arizona: 45 days
Arkansas: As expeditiously as possible and without unreasonable delay
California: As expeditiously as possible and without unreasonable delay
Colorado: As expeditiously as possible and without unreasonable delay, no more than 30 days
Connecticut: As expeditiously as possible and without unreasonable delay but no more than 90 days
Delaware: As expeditiously as possible and without unreasonable delay, no more than 60 days
District of Columbia: As expeditiously as possible and without unreasonable delay
Florida: As expeditiously as practicable and without reasonable delay, 30 days unless good cause enables you to wait 15 additional days
Georgia: As expeditiously as possible and without unreasonable delay
Hawaii: As expeditiously as possible and without unreasonable delay
Idaho: As expeditiously as possible and without unreasonable delay
Illinois: As expeditiously as possible and without unreasonable delay
Indiana: As expeditiously as possible and without unreasonable delay
Iowa: As expeditiously as possible and without unreasonable delay
Kansas: As expeditiously as possible and without unreasonable delay
Kentucky: As expeditiously as possible and without unreasonable delay
Louisiana: As expeditiously as possible and without unreasonable delay but no more than 60 days
Maine: As expeditiously as possible and without unreasonable delay, no more than 30 days
Maryland: As soon as reasonably practicable but not more than 45 days after conclusion of investigation
Massachusetts: As expeditiously as possible and without unreasonable delay
Michigan: As expeditiously as possible and without unreasonable delay
Minnesota: As expeditiously as possible and without unreasonable delay
Mississippi: As expeditiously as possible and without unreasonable delay
Missouri: As expeditiously as possible and without unreasonable delay
Montana: As expeditiously as possible and without unreasonable delay
Nebraska: As expeditiously as possible and without unreasonable delay
Nevada: As expeditiously as possible and without unreasonable delay
New Hampshire: As soon as possible
New Jersey: As expeditiously as possible and without unreasonable delay
New Mexico: Most expedient time possible but no more than 45 days
New York: As expeditiously as possible and without unreasonable delay
North Carolina: As expeditiously as possible and without unreasonable delay
North Dakota: As expeditiously as possible and without unreasonable delay
Ohio: Most expedient time possible but no more than 45 days
Oklahoma: As expeditiously as possible and without unreasonable delay
Oregon: As expeditiously as possible and without unreasonable delay, no more than 45 days
Pennsylvania: As expeditiously as possible and without unreasonable delay
Rhode Island: Most expedient time possible but no more than 45 days
South Carolina: As expeditiously as possible and without unreasonable delay
South Dakota: Within 60 days
Tennessee: Immediately but no longer than 45 days
Texas: As expeditiously as possible and without unreasonable delay, no more than 60 days
Utah: As expeditiously as possible and without unreasonable delay
Vermont: As expeditiously as possible and without unreasonable delay but no more than 45 days
Virginia: As expeditiously as possible and without unreasonable delay
Washington: As expeditiously as possible and without unreasonable delay but no more than 30 days
West Virginia: As expeditiously as possible and without unreasonable delay
Wisconsin: Within a reasonable time not to exceed 45 days
Wyoming: As expeditiously as possible and without unreasonable delay
Guam: As expeditiously as possible and without unreasonable delay
Puerto Rico: As expeditiously as possible
U.S. Virgin Islands: As expeditiously as possible and without unreasonable delay

Source: State Data Breach Notification Chart (iapp.org)

When a company is compromised, the best time to deliver a breach notification is as soon as possible. Because a breach can greatly damage a company’s reputation, it’s crucial to react quickly and follow the specific requirements set out in the applicable regulations.

Recovering from a Data Breach 

Your customers will likely be wondering how they should respond after they learn of a data breach of your company. Actions they need to take will depend on what information was compromised, but in general, customers should update their login credentials, card numbers, etc., to make sure they are secure. Also, they should both watch and report any suspicious activity they see for their accounts in the future.

To make customers feel safe moving forward, your company should aim to comply with all applicable laws and standards for the safe use of personal and payment data. 

In the aftermath of a breach, you can’t go back in time and prevent it, but you can analyze why and how it occurred, learn from it, and make the corrections needed to prevent it from happening again. Satisfying compliance obligations alone doesn’t guarantee adequate privacy and security measures, but it can help your company prioritize improved security standards and stay aware of new regulations to come.

Additionally, data protection technologies such as tokenization can be effective at minimizing the impact of a breach. Tokenization can’t prevent your systems from being compromised, but it can limit the exposure of sensitive data: by replacing that data with tokens and removing it from your environment, you protect it in the event of a breach and can issue a notification that reassures your customers that their personal information is safe. As a result, you can potentially avoid additional fines and penalties and help restore consumer confidence in your brand.
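As an added illustration of the point above (example code written for this article, not the blog’s or any vendor’s tokenization product), the following Python sketch shows vault-based tokenization: the application database keeps only random surrogate tokens, the token-to-card mapping lives in a separate vault whose detokenize call is restricted to one authorized role, and tokens are generated so they always fail the Luhn check and can never be mistaken for a real card number. The `TokenVault` class, the `"payments"` role name and the sample card numbers (public test PANs, not real accounts) are all constructed for this demo.

```python
"""Vault-based tokenization demo (added example, not from the original post).

A token is a random surrogate with no mathematical relationship to the
original card number (PAN). The application database stores only tokens;
the token -> PAN mapping lives in a separate, tightly controlled vault.
If the application database is exfiltrated, the attacker holds tokens
that are useless without the vault.
"""
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (real PANs do)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping between tokens and PANs.

    In production this is a separate hardened service; here it is an
    in-memory dict so the example runs offline (constructed for the demo).
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        # Same card -> same token, so the app can still do per-card analytics.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random leading digits; the original last four are kept for display
            # and reconciliation, which is a common token format.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject tokens that pass Luhn (or collide), so a token can never
            # be mistaken for, or accidentally used as, a real PAN.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only an explicitly authorized role (hypothetical "payments" service)
        # may ever see a PAN; web and reporting tiers work with tokens only.
        if caller_role != "payments":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def store_order(app_db: list, vault: TokenVault, customer: str, pan: str, amount_cents: int) -> dict:
    """The application persists only the token; the PAN never lands in app_db."""
    record = {"customer": customer, "card_token": vault.tokenize(pan), "amount_cents": amount_cents}
    app_db.append(record)
    return record


def pans_exposed_by(records: list) -> list:
    """The post-breach question: which stored card fields are real PANs?

    A real PAN is a 13-19 digit string that passes Luhn; vault tokens never do,
    so a dump of app_db yields an empty list here.
    """
    return [r["card_token"] for r in records
            if r["card_token"].isdigit()
            and 13 <= len(r["card_token"]) <= 19
            and luhn_valid(r["card_token"])]


def demo() -> dict:
    vault = TokenVault()
    app_db = []
    # Constructed sample input: standard public test PANs, not real accounts.
    store_order(app_db, vault, "alice", "4111111111111111", 1999)
    store_order(app_db, vault, "bob", "5555555555554444", 4500)
    store_order(app_db, vault, "alice", "4111111111111111", 250)
    tokens = [r["card_token"] for r in app_db]
    return {
        "exposed_pans": pans_exposed_by(app_db),            # [] : a leak of app_db exposes no PAN
        "same_card_same_token": tokens[0] == tokens[2],     # True
        "last_four_preserved": tokens[0].endswith("1111"),  # True
        "detokenized": vault.detokenize(tokens[1], caller_role="payments"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the Luhn rejection loop: a token that happened to pass Luhn could be mistaken for a live card number by downstream systems or by a breach assessment, so the vault regenerates until the token fails the check. The separate `caller_role` gate on `detokenize` is the other half of the control; tokenization only reduces breach scope if the vault is reachable from far fewer systems than the application database is.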
