You have been hacked. Those are four words no business owner wants to hear. Whether hackers stole personal information from a server, an employee copied information from a drive, or customer information was inadvertently exposed on the internet, you need to know how to respond to the data breach—fast.
Unfortunately, hackings and data breaches continue to become more and more common. In 2021, the Identity Theft Research Center reported a 68% increase in data breaches over the previous year.
As the first in a series of articles about data breaches, we will explain what a data breach is and what it is not. We will discuss how to identify it and what your basic reporting requirements might be. We will delve into the specifics of data breach reporting and other technical topics in later updates.
What Was Breached?
The first step is to determine the extent of the breach. How you proceed will depend in part on the kind of data that was leaked or stolen. If the breach occurred through a computer that has access to your network, the question is how much access the owner of the computer had and whether the attacker spent time in your system. It may be possible for your IT provider to determine what was downloaded and what was looked at. Also, it is imperative to determine whether data-gathering software was left in your system.
How Can You Tell You Have Been Hacked?
You are not alone if you were not instantly aware that you were hacked. One study estimates that it takes U.S. companies an average of 197 days to realize that they have been hacked. Here are a few ways that companies can identify evidence of hacking.
If you observe any changes in the content or location of your important files, it could indicate that a cybercriminal has unauthorized access to your system.
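One way to turn that warning sign into a repeatable check is a file-integrity baseline: record a content hash for every important file, then compare later scans against it. The following is an added example written for this article, not code from the original or from any product; the directory layout, file names and tampering it simulates are all constructed for the demonstration.

```python
"""Added example (not from the original article): a minimal file-integrity
baseline check. It records the SHA-256 of every file under a directory and
later reports files whose content changed, files that appeared, files that
disappeared, and files that were moved (a removed path whose hash reappears
under a new path). Commercial file-integrity monitoring agents do the same
thing at scale; this shows the idea on a constructed directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file's content in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, as a string) to its content hash."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh scan."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    removed = {k for k in baseline if k not in current}
    added = {k for k in current if k not in baseline}
    # A removed path whose hash shows up under a new path is reported as a move,
    # not as one deletion plus one unrelated new file.
    moved = []
    claimed = set()
    for old in sorted(removed):
        for new in sorted(added):
            if new not in claimed and current[new] == baseline[old]:
                moved.append((old, new))
                claimed.add(new)
                break
    moved_old = {o for o, _ in moved}
    return {
        "modified": modified,
        "added": sorted(added - claimed),
        "removed": sorted(removed - moved_old),
        "moved": moved,
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate tampering with the files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "contracts.txt").write_text("original contract text\n")
        (root / "docs" / "customers.csv").write_text("id,name\n1,Alice\n")
        (root / "readme.txt").write_text("hello\n")
        baseline = build_baseline(root)
        # Simulated changes: one file edited, one file moved, one unknown file dropped.
        (root / "docs" / "contracts.txt").write_text("altered contract text\n")
        (root / "docs" / "customers.csv").rename(root / "customers.csv")
        (root / "docs" / "unknown.bin").write_bytes(b"\x00\x01")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

For the check to mean anything, the stored baseline has to live somewhere an intruder with access to the monitored host cannot rewrite it (a read-only location or a separate system); a baseline kept beside the files it describes can simply be regenerated by the same person who changed them.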
Phishing attacks happen when you click an infected link in an email or on a website. A malicious bot then collects sensitive information without your knowledge. It can take hours to weeks for the effects of phishing to fully infiltrate your systems. However, like any infection, the malicious software may be active even when you see no overt evidence of it.
Ransomware and DoS Attacks
Ransomware is a type of malware that can take control of a system, steal your data, or make it unavailable through encryption. A “Denial of Service” (DoS) attack is an attempt to overwhelm a system or website server by flooding the target with requests. In either case, these attacks represent more than an attempt to surreptitiously steal data and require professional help to remedy.
What Are the Requirements for Notification of a Breach?
Once you are aware of a breach of your systems where personal or sensitive data of employees, customers, contacts, or other third parties may have left your control, you have an obligation to notify the people whose data was stolen. In some cases, receiving such notice may enable people to protect themselves by changing passwords, canceling credit cards, etc. All 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted some form of legislation requiring notification of security breaches involving personal information. In many cases, you will not be able to ascertain where the affected people live. As a result, you will want to comply with the legislation in all applicable jurisdictions. Fortunately, most of this legislation is substantially similar. We note that other countries may have higher or different standards for notification.
A common provision in state legislation is the following:
An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following the discovery of the breach of the security of the system to any resident of this [state/commonwealth] whose unencrypted and unredacted personal information was or is “reasonably believed” to have been accessed and acquired by an unauthorized person….
We highlighted the words “reasonably believed” because, often, whether to disclose a breach is a matter of judgment. You may not know for certain that there was a breach or what data was compromised. In these cases, you may still be legally obligated to notify people of the potential theft of information.
Depending on the type of information involved in a breach, the standard of care may differ. Personal medical or health information receives greater protection, and you are generally held to a higher standard of care. If your data breach involves information covered by the Health Breach Notification Rule, you must notify the affected persons, the Federal Trade Commission (FTC), and, in some cases, the media. Depending on the information that was exposed, you may be covered by the HIPAA Breach Notification Rule. If so, you must notify the Secretary of the U.S. Department of Health and Human Services (HHS) and, in some cases, the media. HHS’s HIPAA Breach Notification Rule explains whom you must notify and when.
If you are a reporting company under the Securities Exchange Act of 1934, you may need to file a report on Form 8-K disclosing the information prescribed by the Form and the applicable instructions. We will cover these kinds of public disclosures in a later article.
Talk to Counsel
Last but not least, if you suspect a hacking incident, communicate with your counsel. When you hear the words “You have been hacked,” make sure your first instinct is to reach out for help, not to try to handle the problem on your own.