What to do when data is leaked?

Leaking sensitive information is unavoidable in business; even big names such as Bank of America, LexisNexis, Time Warner, DSW Shoe Warehouse, T-Mobile and the University of California, Berkeley have all recently suffered data breaches.

In fact, hundreds, if not thousands, of companies holding sensitive personal data have been hacked but are not well known to the public.

Diana McKenzie, President of the IT department at Neal, Gerber & Eisenberg, a law firm in Chicago, said: "There was a hospital that accidentally disclosed information about some AIDS patients, or a bank that accidentally sent out all the information about someone's financial situation. There are tons of such examples."

For IT managers (CIOs), you need to understand two things: the question is no longer whether your company will leak data, but when. Therefore, you need to know how to handle it before your company unfortunately ends up among the 10% whose scandal is spread around the country by the media.

A new reality

Scott Sobel, Vice President of Levick Strategic Communications, said that in the past you could blame an incident on chance, but now people will believe that the incident was caused by someone being negligent or deliberately sabotaging.

Therefore, you need a response to the incident immediately. But if you rely solely on the measures you have used to deal with traditional threats such as viruses or hackers, it is not enough, because today risks can arise from very diverse sources.

Rich Baich, CEO of PricewaterhouseCoopers and formerly an information security specialist for ChoicePoint, said: "Companies' failures in handling incidents last year forced them to redesign how they deal with similar situations in the future." Earlier this year, it was discovered that ChoicePoint had disclosed information to fraudsters posing as legitimate businesses.

According to Baich, companies need to create a centralized, well-publicized mechanism for employees or the public to report suspected data breaches, including ones that involve no high technology. Similar to a customer hotline, each company must have a well-trained rapid response team that acts according to an escalation scheme defining a decision hierarchy and makes appropriate decisions depending on the nature of the problem.

Based on the characteristics of each organization, a specific incident-handling convention is established. You can choose to report the incident directly to the general counsel, the IT Security Manager (CSO), or the company president. Whichever way you choose, the reporting process must be defined and agreed upon in advance.

"Focusing on the handling of a problem will help avoid the common habit of overlooking reports of incidents," McKenzie said. "I don't remember how many times I saw employees forget to ask for the phone number or even the name of the person who called."

Team spirit / cooperation

The days when the IT department handled an information security incident alone are over. Today, the legal and PR departments need to join in as quickly as possible, even if you are still assessing the extent of the problem. McKenzie said: "As you begin to repair, acknowledge and understand the problem, there must be a lawyer immediately working on reducing the risk, and the PR department preparing communications with the outside world."

For example, at Vanguard Managed Solutions, a managed services provider, when a security incident is considered serious, the marketing, legal and IT departments must work together to decide how to inform customers.

Information disclosure must also comply with the law. Baich advises: "If the police ask you to keep your mouth closed for fear that disclosure to the public will interfere with the investigation, get that request in writing to avoid future problems."

Some experts believe that companies need to develop uniform measures to respond faster. "The disclosure of information sometimes needs to be done quickly, and it wouldn't be good to start with a blank piece of paper," said Peter Gregory, security strategist for VantagePoint Security LLC.

Calculated speed

But don't rush. "You may not want to wait two days, but you can wait 20 minutes," Gregory advised. "You need to follow the sequence of procedures in an emergency so that, before the PR manager is in front of the microphone, the information has flowed from the point where the leak was detected to the IT department and on to the PR and legal departments."

McKenzie also commented that we should react with caution. Although delay is very dangerous, a reasonable amount of time must still be taken, because the whole country will hear about the incident.

To avoid being accused of not acting quickly enough to solve the problem, McKenzie suggested hiring an outside IT investigation consultant, even if you think your own IT team is capable of analyzing web logs and other data effectively. This demonstrates that you are taking the issue seriously. If someone sues you for damages, the PR staff can also offer a good argument that you hired someone immediately: "We hired this assassin to help solve the problem quickly."

You should keep a log that records every action the security team takes and every person who contacts them. "When everything is recorded in the log, it is easier when someone asks what happened," Baich said.
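The log Baich describes is most useful when it can later be shown that nothing was edited or removed after the fact. The following is an added example, not code from the article or from any company it mentions: a small append-only incident log in which each entry (who did what, whom they contacted, when) is chained to the previous entry with a SHA-256 hash, so counsel or an auditor can verify its integrity and pull a timeline or contact list on request. The incident identifier, names and timestamps are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


class IncidentLog:
    """Append-only record of response actions and contacts for one incident.

    Every entry carries a SHA-256 over (previous hash + entry contents), so a
    later reviewer can detect any edit, deletion or reordering. This is a
    hypothetical design for illustration, not a tool named in the article.
    """

    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []  # list of {"record": {...}, "hash": "..."}

    @staticmethod
    def _digest(prev_hash, record):
        # Canonical JSON so the hash does not depend on dict ordering.
        payload = json.dumps(record, sort_keys=True).encode("utf-8")
        return hashlib.sha256(prev_hash.encode("utf-8") + payload).hexdigest()

    def record(self, actor, action, contact=None, when=None):
        """Append one entry: who did what, whom they spoke to, and when."""
        record = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "contact": contact,  # name/org of the person contacted, if any
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"record": record, "hash": self._digest(prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return True if every entry still matches the hash chain."""
        prev_hash = self.GENESIS
        for seq, entry in enumerate(self.entries):
            record = entry["record"]
            if record["seq"] != seq:
                return False  # an entry was removed or reordered
            if self._digest(prev_hash, record) != entry["hash"]:
                return False  # an entry's contents were edited
            prev_hash = entry["hash"]
        return True

    def timeline(self):
        """Human-readable lines for 'what happened, and when?'"""
        return [
            "{time} {actor}: {action}".format(**e["record"])
            + (" (contact: %s)" % e["record"]["contact"] if e["record"]["contact"] else "")
            for e in self.entries
        ]

    def contacts(self):
        """Distinct people or organizations contacted, in first-contact order."""
        seen = []
        for e in self.entries:
            c = e["record"]["contact"]
            if c and c not in seen:
                seen.append(c)
        return seen


def build_sample_log():
    """Constructed sample incident, not a real case."""
    log = IncidentLog("INC-EXAMPLE-001")
    t0 = datetime(2005, 5, 3, 9, 15, tzinfo=timezone.utc)
    log.record("helpdesk", "Caller reported customer records visible on public site",
               contact="Jane Doe, customer (phone logged)", when=t0)
    log.record("IT security", "Took affected web server offline; preserved logs",
               when=t0.replace(minute=32))
    log.record("CSO", "Notified general counsel and PR lead",
               contact="General counsel", when=t0.replace(minute=40))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log.timeline()))
    print("chain intact:", log.verify())
```

Entries are only ever appended; corrections are recorded as new entries rather than by editing old ones, which is what keeps `verify()` meaningful when the log is produced during a later dispute.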

Finally, when the time comes to tell customers or the public about the incident, show sympathy and reassure people. Those affected by such incidents often feel that nobody empathizes with their situation. If you do not show a genuine attitude of care, the likelihood of being sued is very high.

An information security incident will make many people doubt the company's ability to keep functioning well. Therefore, you must think carefully before speaking, so that the media and customers believe you are in control of the situation and are resolving the case.