No matter how well prepared your business is, there is always a risk of being hacked or of unintentionally disclosing information. While you can't eliminate all risk, a business can implement policies, procedures and plans to mitigate potentially disruptive security events. In this whitepaper, we briefly list what to do if your company has been hacked in California. The recommendations are those made by the California Office of Privacy Protection and include the updated definitions from California's Amended Data Breach Law.
California defines at-risk data as unencrypted, computerized information, specifically:
- First name or initial and last name, plus any of the following:
- Social Security number.
- Driver’s license number or California Identification Card number.
- Financial account number, in combination with any required code or password permitting access to an individual’s financial account.
Once you have determined that your data has been compromised, follow these "Best Practices" guidelines, which should already be part of a pre-defined Information Security Plan. First, take the necessary steps to contain and control the affected systems: cut off external access and isolate the systems from the network, preserving logs and other evidence for the investigation. Contact Corporate Legal to inform them of the breach. Next, conduct a preliminary investigation of the breach. Use outside parties if necessary to ensure impartiality and efficiency in conducting the assessment. In any case, document all activities as you go. If the breach affects the personal information of more than 500 people, notify Corporate Legal, who should then notify the California Attorney General at: http://oag.ca.gov/ecrime/databreach/reporting.
From there, implement a notification plan if the compromised information contains personal data. Personal data also includes a username or email address that, in combination with a password or security question and answer, would permit access to an online account, as well as medical information or health insurance information. Be sure to inform all stakeholders, including customers, partners and vendors. Contact law enforcement about suspected illegal activity, and notify affected individuals within 10 days of the event unless law enforcement directs otherwise. Also contact individuals whose information is held in paper records or printed output in your possession. If you cannot identify which particular individuals were affected, notify the entire contact group. Document the identification and notification process as well, for the investigators and for Corporate Legal. Finally, alert the credit reporting agencies of the breach and arrange a quality credit monitoring service for affected users if consumer information is involved.
There are two kinds of organizations: those that know they've been hacked and those that don't know they've been hacked. As important as it is to work on preventing such attacks, how a company responds to an incident is equally important, not only to preserve the trust of customers, partners and vendors, but also to comply with the letter of California law.
Cameron Matthews is the CTO of Sentek Global, a San Diego-based provider of cyber security and technology solutions for corporations and government agencies.