Mark Bromberg
Surviving a Data Breach
About 4 years back, when I had an office, I maintained an open door policy. As the Dir of Operations, I felt it was important that staff could see that they had access. When I needed to be heads down, the door closed with an “If it ain’t on fire or bleeding it can wait” message taped to the outside. And when a conversation needed to be private, the door would close. But for the most part, my door remained open.
One day our Dir of Finance and Accounting came to my office, closed the door behind him, and started talking before sitting down. None of those actions are a good sign. What did he need to talk about? That he was pretty sure all our employee salary data had been hacked.
We used a well respected PEO (Professional Employer Organization) for all our HR needs, so how could this happen? It happened because the person in the office who oversaw our HR issues was socially engineered: a phishing email that appeared to come from our CEO asked for the data, and she sent it to the sender of that email, not to the CEO she thought had made the request. The PEO itself was never compromised; the attacker simply asked a trusted employee and got the data.
An article on the 5 most common ways hackers get your passwords came across my email today and reminded me of this event. The article does not provide detailed information on how these attacks work, how to protect yourself or what to do if you are hacked, but it does provide a good overview, with links for more information on each type of attack, and it is a very good introduction to what you AND YOUR STAFF should be aware of. You can read the entire article HERE.
In case you find yourself the victim of a similar attack, perhaps the model we followed will be of help in managing the crisis. (Legalese – The steps below are not a legal recommendation; they are the steps that my team took and are provided as a reference.)
First, we limited communication about the event to ONLY the internal people who needed to know, meaning our PEO representative, our Executive team, and our attorney. Since our internal HR person was the one who got phished and brought it to our attention, they already knew. And though it was assumed that everyone knew, we continued to reiterate the point that everyone was to remain silent about the incident until we had one unified message to share, with whatever details we could share and instructions on what to do.
In case you are wondering why IT is not listed above, we did not include our IT team in the initial discussions, as the incident did not involve any systems, web properties or client data. Had those items been compromised, IT would have been involved from the get go.
Second, we called our attorney to determine what specific language we should and should not use when we talked to the entire team, and to find out if there were any other related legal issues we should also be addressing. We then prepared a formal statement of what happened, what we were doing to mitigate the issue, and the steps each staff member should take, e.g. placing credit freezes with the credit bureaus. We also prepared a written copy and had each staff member sign confirming that they received a copy.
For ease, in case you need it, the contact information for the 3 main credit bureaus and the IRS is:
· Experian - https://www.experian.com/freeze/center.html
· TransUnion - https://www.transunion.com/credit-freeze
· Equifax - https://www.equifax.com/personal/credit-report-services/credit-freeze/
· IRS - 800-908-4490 (FYI, I was amazed at how efficiently the IRS fraud hotline worked and how quickly they were able to put locks in place for my tax records. If only the rest of the government worked this well.)
Third, or as part of item 2, we researched credit monitoring options and purchased a corporate account to provide monitoring for a year for the entire staff. LifeLock (www.lifelock.com) is the most well known monitoring service, and was the one that we selected, but it is not the only highly rated game in town. Other highly rated services are:
· Identity Guard – www.identityguard.com
· Identity IQ – www.identityiq.com
Fourth, we called an all hands on deck meeting to share the news with the team. During this meeting we informed everyone about what happened, the steps we were taking to address it, and the steps that each staff member was recommended to take, e.g. place freezes with the credit bureaus, enroll in credit monitoring using our newly established account number, etc.
The one thing we did not address in this meeting was who fell prey to the phishing email. In addition to potential reasons not to share a name, we felt that putting a name to the event would cause people to focus on blame as opposed to working on remediation.
Fifth, we decided what to do with regard to the person who fell prey to the phishing email. Though this did give us cause to terminate them, for other reasons and after much deliberation, we opted not to do so.
Sixth, we scheduled Security Training for the entire staff. This was mandatory for everyone from the CEO down, and the curriculum was also added to the employee handbook. As an aside, in addition to the scores of firms that specialize in security training, this may be something that your MSP or your PEO offers, so you may want to start a search for content with them.
All data breaches are serious, and a breach that puts your personal financial information at risk is especially troublesome. But a breach does not have to be the end of the world. Granted, many do suffer real consequences and spend months or longer fixing them, so please do not think I am suggesting you minimize the risk. I also appreciate that a breach is something you HAVE to address, that it will take time, and that it may very well be a giant pain in the ass while you are addressing it.
However, from personal experience I can attest to the fact that if you act fast and remain diligent going forward about monitoring your credit, then, outside of the initial fear and frustration and the time needed to put credit freezes in place and contact banks, credit cards, etc., it is possible to minimize the impact of an attack like this.
Our epilogue – Every staff member took the recommended monitoring steps, and during the year that followed no staff members reported any issues. The company was sold about a year after the incident. I have remained in touch with many old colleagues and have inquired from time to time if anyone ran into any issues from it. The reports are still that no issues have arisen.