Responding to a Company-Wide PII Data Breach (article)
No company, big or small, is immune to a data breach. Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
Most cyberattacks are motivated by financial gain. Information stored electronically, particularly employee and customer personally identifiable information (PII), has proven to be a prime target for cyber criminals, as this is data that can be sold.
In 2018, data breach response policies are essential for organizations of any size. Many companies are investing in security measures intended to prevent attacks, but few have shifted their mindset to accept that data breaches in today’s society are inevitable. A response policy should outline how your company will respond in the event of a data breach and lay out an action plan to investigate potential breaches and mitigate damage should a breach occur.
Company historical, financial, operational and performance data may be a target, but PII is most commonly sought and nearly always vacuumed up regardless of the original target. You will want to have a game plan specific to the breach of PII. The following should be addressed in your plan.
Defining a PII Data Breach
A first step should be identifying the PII that your company maintains and that may have been accessed. This will be important in determining the scope of your notification responsibilities. Some examples of PII include Social Security numbers, credit card information, payroll information and medical information. (Check with your state for its exact definition of PII.)
Internal Responsibilities upon Learning of a Breach
A breach or a suspected breach of PII must be immediately investigated. To ensure confidentiality is maintained, your investigative team should include only those in your organization who regularly manage and protect your data. Management should receive a report that includes the date and time of the breach, how the breach happened, the type of PII that may have been compromised and the number of affected organizations/individuals.
Once basic information about the breach has been established, management should keep a record of the events, the people involved and any discoveries made over the course of the investigation; this record is what will be used to determine whether or not a breach has actually occurred.
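As an added illustration of the identification step described above (not code from the original article), the following Python scans constructed sample records for two of the PII types the article names, Social Security numbers and payment card numbers, validates candidate card numbers with the Luhn check so that random digit runs are not over-counted, and tallies the PII types found together with the number of distinct affected records, two of the figures the management report calls for. The record format, the patterns and the sample data are assumptions for the example.

```python
import re
from collections import Counter

# Format rules for two of the PII types the article names. The SSN pattern
# rejects area numbers 000, 666 and 900-999 and all-zero groups (never issued);
# the card pattern accepts 13-19 digits with optional space/hyphen separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample records (record id, free text) standing in for the
# systems an investigator would inventory; not real data.
SAMPLE_RECORDS = [
    ("emp-001", "Payroll file: SSN 123-45-6789, direct deposit on file"),
    ("emp-002", "SSN 234-56-7890; corporate card 4111 1111 1111 1111"),
    ("cust-042", "Card on file 5555 5555 5555 4444, exp 12/26"),
    ("cust-043", "Card on file 4111-1111-1111-1112"),   # fails the Luhn check
    ("cust-044", "Contact only: jane@example.com, +1 555-013-4455"),
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> set:
    """Return the set of PII types present in one record's text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("payment_card")
            break
    return found

def scope_breach(records):
    """Tally records per PII type and count distinct records holding any PII."""
    by_type = Counter()
    affected = set()
    for rec_id, text in records:
        types = find_pii(text)
        by_type.update(types)
        if types:
            affected.add(rec_id)
    return dict(by_type), len(affected)

if __name__ == "__main__":
    counts, n = scope_breach(SAMPLE_RECORDS)
    print("PII types found:", counts, "| distinct affected records:", n)
```

On the sample data the scan reports two records holding SSNs and two holding valid card numbers, three distinct affected records in all; the Luhn filter keeps the non-checksumming number in cust-043 out of the count.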
Once a breach has been verified, perform a risk assessment that rates the:
- Sensitivity of the PII lost (customer contact information alone may present much less of a threat than financial information).
- Amount of the PII lost and the number of individuals affected.
- Likelihood PII is usable or may cause harm.
- Likelihood the PII was intentionally targeted.
- Strength and effectiveness of security techniques protecting PII (e.g., encrypted PII on a stolen laptop, which is technically stolen PII, will be much more difficult for a criminal to access).
- Ability of company to mitigate the risk of harm.
No matter what was accessed, companies will likely need to distribute information about the breach. It is also rare to find a breach that does not involve additional regulatory requirements related to disseminating information about what happened. There aren’t many federal regulations regarding cybersecurity, and the few that exist largely cover specific industries. The 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley (GLB) Act and the 2002 Homeland Security Act, which includes the Federal Information Security Management Act (FISMA), mandate that health care organizations, financial institutions and federal agencies, respectively, protect their computer systems and information. The language is generally vague, so individual states have attempted to create more targeted laws regarding cybersecurity.
All 50 states and the District of Columbia have data breach notification laws in place. While notification laws vary from state to state, most breach notifications follow a simple format that includes a brief description of the incident, the types of PII involved, how the company plans to prevent future incidents and steps the individual can take to mitigate any potential effects of the breach. Check with your attorney for a state-compliant letter.
Your PII Breach Notification Responsibilities
Responsibility to notify is based both on the number of individuals affected and the nature of the PII that was accessed. Any information found in the initial risk assessment should be turned over to the legal counsel of your company who will review the situation to determine if, and to what extent, notification is required. Notification should occur in a manner that ensures the affected individuals will receive actual notice of the incident. Notification should be made in a timely manner, but make sure the facts of the breach are well established before proceeding.
Some tips for making a notification include:
- Only those who are legally required to be notified should be informed of the breach. Notifying a broad base when it is not required could raise unnecessary concern among those who were not affected or do not need to know.
- A physical copy should always be mailed to the affected parties no matter what other notification methods are used (e.g., phone or email).
- A help line should be established as a resource for those who have additional questions about how the breach will affect them.
The notification letter should include:
- A brief description of the incident, the nature of the breach and the approximate date it occurred.
- A description of the types of PII that were involved in the breach (the general type, not the specifics).
- Explanation of what the company is doing to investigate the breach, mitigate the negative effects and prevent future incidents.
- Steps the individual can take to mitigate any potential side effects of the breach.
- Contact information for a representative from your company who can answer additional questions.
Further Notification Requirements
For compromised financial records, companies generally will be required to provide a service to monitor credit reports and other information related to financial security for the individuals affected by the breach. This service would have to be provided for one to two years, depending on the severity of the incident.
If credit card information was part of the breach, the company will have to notify cardholders and provide them with a service to monitor credit reports. The company will also be subject to Payment Card Industry Data Security Standard (PCI DSS) oversight.
PCI DSS has four tiers of monitoring, with the first being the most stringent. Companies subject to Tier 1 PCI DSS monitoring will have to provide due diligence to demonstrate that the environment around the credit card information is secure. A company whose credit card data have been breached is automatically held to the highest tier (Tier 1) requirements.
Compromised health care records will have to follow HIPAA regulations for breach notification. Compromised entities must notify the affected individuals and the Secretary of Health within 60 days of the breach. The organization may also have to notify media outlets, depending on the type of breach.
Further Actions – Repair and Controls
Once the primary vulnerabilities and risks have been ranked, companies need to implement robust control activities to ensure that the organization operates as it should and high-value data are protected. Your response should prioritize fixing the problems that led to the breach; however, changes should not stop with the immediate problem that needs to be addressed. While this article focuses on responding to a PII data breach, recovery from a cyber intrusion will require broader pre-planning and a prescribed course of action. Cybersecurity is an ongoing process.
For guidance on risk management issues in banking, including cybersecurity, securing cyber liability coverage and developing internal controls, contact Kris St. Martin, Vice President, CBIZ Insurance – Bank Director Program (763-549-2267) or Chris Roach, Managing Director, CBIZ Risk & Advisory Services (713-871-1118).