To properly answer this question, we need to start from the beginning.  Long before you experience potential breach activity, you should have an incident response (IR) plan in place.  This plan will clearly outline the steps that you need to take and the order of operations for those activities so you are not trying to figure it out during one of the potentially most stressful times in your organizational existence.  The information in this post will help you build or improve that plan assuming that you are not in the middle of a cyber event right now.

A “breach” will start with the observation of some suspicious activity.  Perhaps you are asked for your login information in a place where you do not expect it, you know that you clicked on a link to an unusual website and “weird” things start happening, or you are told that people are receiving emails from you that you know you did not send.  At this point, you need to confirm whether or not you have actually been breached.

It’s crucial to respond promptly and effectively to mitigate the damage and prevent further compromise. Here’s a general outline of whom you should contact first:

  1. Internal IT or Security Team: If you have an internal IT or security team, notify them immediately. They can help assess the situation, contain the breach, and initiate the appropriate response procedures from your Incident Response Plan.
  2. Senior Management: Inform senior management or company leadership about the breach. They need to be aware of the situation and may need to make decisions regarding public relations, legal actions, or further investigation.
  3. Cyber Insurance Carrier: Many cyber insurance carriers want to be notified prior to taking any remediation activities as they will want to preserve the evidence of the breach.  They can usually help you find a forensic analysis firm to help retain that evidence BEFORE you start remediating the problem.  They may also have recommendations for others in the contact list such as legal counsel, public relations firms, etc.
  4. Legal Counsel: Contact your organization’s legal counsel or legal department. They can provide guidance on legal obligations, such as reporting requirements, compliance with data protection laws, and potential liabilities.
  5. Law Enforcement: Depending on the nature and severity of the breach, you may need to contact law enforcement authorities, such as the local police department or a specialized cybercrime unit such as the FBI. They can assist with investigations and may be able to provide resources to mitigate the breach.  The FBI will not be able to investigate each and every breach that occurs, but it asks to be notified anyway so it can look for patterns: it may be working on other cases with similar attributes and can add your information to that investigation.
  6. Affected Customers or Users: If the breach involves sensitive information belonging to customers or users, you should notify them as soon as possible. Be transparent about what happened, what information was compromised, and what steps you’re taking to address the situation.  Many organizations offer identity monitoring services to affected parties for a period of time as a consolation for the fact that their information was lost in the breach.
  7. Regulatory Agencies: If your organization is subject to regulatory requirements, such as GDPR, HIPAA, or PCI DSS, you may have legal obligations to report the breach to relevant regulatory agencies or data protection authorities. Contact them as soon as possible to comply with reporting requirements.  You may also be required to report the breach to the state Attorney General.
  8. Third-party Vendors or Partners: If the breach involves systems or data managed by third-party vendors or partners, notify them promptly. They may need to take actions on their end to prevent further compromise or assess their own security posture.
  9. Public Relations (PR) or Communications Team: Work closely with your PR or communications team to manage the public fallout of the breach. They can help craft messaging to communicate with customers, stakeholders, and the media effectively.  It is important that this messaging happen quickly, clearly and consistently.  Having a single point of information flow is critical for this step.

Every organization’s response to a security breach may vary depending on factors such as the nature of the breach, industry regulations, and internal policies. It’s essential to have a well-defined incident response plan in place beforehand to ensure a coordinated and effective response when a breach occurs.