Question: My IT director just notified me that my company’s network has been hacked. After some investigation, it appears that a variety of personnel information, including employee names and Social Security numbers, has been compromised. What should I do now, and how can I prevent this from happening again in the future?
Answer: Best practices dictate disclosure of a breach whenever personal information may be in jeopardy. Under California law, a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, is required to disclose a breach of the security of its systems whenever an individual’s name, plus one or more of the following is compromised — social security number, driver’s license or California identification card number, financial account numbers, medical information, health insurance information, information collected through an automated license plate recognition system, or user ID and password, or other specified credentials permitting access to online accounts. Because your data breach compromised employee names and social security numbers, California law requires you to give notice of the breach to all California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This notice must contain specific information including, but not limited to, a general description of the breach incident and the information involved.
Because individuals receiving notice of the breach will probably expect the worst, you might consider providing your employees with something like a year of free credit monitoring, credit-restoration services or a LifeLock subscription. These gestures can go a long way when it comes to quelling fear and restoring goodwill. Data breaches can be scary, but if they are handled properly, you can minimize the impact they have on your business.
Once you have dealt with the breach at hand, preventing future breaches should be at the top of your to-do list. According to the Identity Theft Resource Center, over 169 million personal records were exposed in 2015, stemming from 781 publicized breaches across the financial, business, education, government and healthcare sectors. While IT support can help ensure that your firewall, anti-malware, antivirus, and email spam and phishing protection software are all up to date, employees are often the weak link when it comes to cyber security, opening attachments or sharing documents that they shouldn’t. When it comes to cyber defense, training your employees to recognize security threats and implementing policies that promote a culture of security are just as important as state-of-the-art software and strong IT support.
Specifically, employees should be trained to detect phishing attempts and to watch out for irregularities in e-mail addresses, strange wording, or unusual requests. When a phishing attempt has been detected, all employees should be notified so that they do not fall prey to the attempt and so that they can be on the lookout for similar attempts. In addition, whenever an employee receives a request for personal information about a co-worker, customer, or other individual, he or she should be required to confirm that the request is legitimate, either by calling the person asking for the information or by some other method. Developing strong passwords, precluding or limiting storage of company data on personal devices or at home, using encryption, and implementing mobile device safeguards that enable you to locate and remotely lock a stolen or lost device can also go a long way in guarding your company’s private information.