Regardless of the robustness of the security apparatus in place, breaches invariably occur. A determined cyber criminal may exploit careless users, vulnerabilities in software code, carry out zero day attacks, impersonate, or undertake any other methods, any of them outside the direct control of the company. Companies require a proper policy that not only tries to preempt such attacks, but also outline a clear plan of action when cyber criminals breach network security and violate customer’s privacy rights.
Federal and state laws require companies to notify the government and the affected customers when hackers compromise the network and steal customer’s private data.
The Gramm-Leach-Bliley Act (“GLBA”) applicable to financial institutions, and the American Recovery and Reinvestment Act (ARRA), widely known as the economic stimulus act of 2009 have clauses concerning customer privacy rights. GLB covers non-public personal information, including any personally identifiable information.
The GLBA require covered establishments such as financial institutions, health care providers, businesses that provide services to health care providers, and others to have a policy in place to protect private information they collect from foreseeable threats in security and data integrity. It also requires providing customers with a privacy notice that explains the nature of private information collected, the persons or agencies having access to such information, and methods adopted to safeguard such information. Companies also need to maintain a written security plan, entrusting at least one employee to manage the safeguard and review the plans periodically. In the event there is a breach the security of the personal information that they maintain, the company has to notify the affected patients and the government
Apart from the federal laws, almost all state and territories have “data breach notification” statutes that require businesses collecting and storing personal information of their customers to notify such people an unauthorized person acquires such information, in any manner.
Apart from regulatory considerations, organizations need to take effective countermeasures. The legal consequences aside, breach of private data entrusted with the company is serious loss of credibility and reputation for any business, and almost invariably results in loss of patronage.
Immediately on discovering the breach:
- Shut down the network to prevent further intrusions and data-loss. Keeping the network live run the risk of further attacks and additional data loss
- Take the help of forensics specialists to collect evidence of the breach. Very often hackers erase log files to remove traces of hacking. Forensics specialists collect network-based evidence by reconstructing transferred files, parsing human communication such as emails or chat sessions, and other methods to collect evidence of the breach.
- File a formal complaint, and report the crime. The Internet Crime Complaint Center (IC3.gov), a partnership between the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance allows for a convenient mechanism to report cyber crimes. Also notify the appropriate federal, state, or local agencies as applicable, depending on the nature of data stolen and the nature of intrusion
- Conduct a thorough audit of the corporate network and resources to identify how the breach occurred, and other vulnerabilities, which may cause breaches. Notify the appropriate vendors if the breach happened owing to vulnerabilities in such software
- Reinforce the audit with an internal investigation of how the breach happened. Consider angles such as collusion by an internal employee
- Invest in securing the network by additional perimeter fencing, stringent policies, and controls, encryption, split storage, updating the software for missing patches, and any other measure. Large networks may also warrant deploying a real-time system monitoring to detect intrusions in real time
- Test the robustness of network security by attempting to breach and steal data yourselves. Conduct such tests periodically, and update patches as soon as they become available.
- File a lawsuit or act appropriately against the perpetrators of the attacks. This could include firing or censoring an internal employee whose carelessness or omissions caused the breach, and claiming damages from a third-party vendor whose software caused the breach.
Customer data may be the most valuable asset of an enterprise, and the breach of such data may have serious implications, including damaging lawsuits, loss of competitive advantages, and erosion of customer base owing to loss of credibility. As such, companies should take all possible measures to preempt violation of customer’s privacy rights, and consider plans on what to do after a breach occurs only as an emergency backup if the inevitable occurs. Such plans nevertheless remain as important as a disaster management plan, fire rescue plan, or any other plan for natural or man-made calamities.
Internet Crime Complaint Center. http://www.ic3.gov/default.aspx
Covering Business Credit. “Your Customer’s Privacy Rights: Whose Financial Information is it Anyway?.” http://www.coveringcredit.com/business_credit_articles/Laws_and_Regulations/art149.shtml. retrieved August 07, 2011.