The first 24 hours following a data breach are probably the most critical for reducing potential damage, and protecting your brand. Call our 24-hour hotline immediately if you suspect you are experiencing a data breach: 800.816.9596.
Do we have a breach?
A lack of system performance or other abnormalities may be the result of user error, or a system configuration error. Although any anomalous system behaviour should alert you to the prospect of a data breach, and although certainty is not required, there should at least be some confidence that a real incident is underway.
Immediate Action Steps
Once the decision has been made that a data breach has occurred, the following steps should be implemented without delay:
- Engage legal counsel experienced with data breach management
Siskinds acts as the “hub” to manage data breach incidents. We engage experienced service providers directly. The reasons are twofold. First, we engage service providers in whom we have confidence and with whom we have typically worked before. This cuts down considerably on the “time to get going.” Second, and most important, when we engage service providers directly, the reports and information that they produce and provide to us are privileged. This means that those materials are not subject to discovery in the event that litigation over the breach is subsequently commenced.
- Commence record taking
The time and date of all discussions and key decisions should be documented throughout the event. The role of this record keeper should be identified in your Incident Response Plan (“IRP”).
- Activate the Incident Response Team
All members of the Incident Response Team (“IRT”) should be notified using one or more of the contact methods identified in your IRP.
- Engage forensics
The containment, eradication and recovery phases of the incident require the involvement of a skilled forensics team from the outset.
- Secure the premises
If there is a defined area where the data breach occurred, it should be secured to prevent unauthorized access and the loss of any evidence. At the same time, a Command Centre for the IRT should be established and secured.
- Stop additional data loss
Containment of the incident includes such measures as: disabling the network switch port to which a particular system is connected; blocking access to malicious network resources such as IP addresses (at the firewall) and specific domains or URLs; temporarily locking a user account under the control of an intruder; disabling system services or software that an adversary is exploiting; and shutting down all Wi-Fi connections. Note that all machines should be left powered on[i], in order to preserve any cached memory.
In certain situations, your forensic advisor may advise that containment be skipped. With sophisticated adversaries, certain containment measures will alert them and cause them to implement new tools, establish secondary backdoors, or move to a destructive phase.
- Continue record-keeping
Secure all logs, audits, notes, documentation and any other evidence that has been or is being gathered during the incident with appropriate identification marks, securing the chain of custody for future prosecution or litigation. All relevant system security/event/IDS logs should be maintained. Ask your ISP or MSP to preserve and maintain all logs.
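One practical way to give preserved logs the "identification marks" and chain-of-custody record described above is a hash manifest: each evidence file is hashed at collection time together with who collected it and when, and the manifest is re-checked before the evidence is relied on. The script below is an added example, not part of the original article or Siskinds' own tooling; the log line, collector name and incident ID it uses are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large log archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, incident_id):
    """Record hash, size, collection time and collector for every file under evidence_dir."""
    entries = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "file": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "collected_by": collector,
            })
    return {"incident_id": incident_id, "entries": entries}


def save_manifest(manifest, path):
    """Write the manifest as JSON; store this file separately from the evidence itself."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2)


def verify_manifest(evidence_dir, manifest):
    """Return the names of files whose current hash no longer matches the manifest."""
    return [e["file"] for e in manifest["entries"]
            if sha256_file(os.path.join(evidence_dir, e["file"])) != e["sha256"]]


def demo():
    """Build a manifest over a constructed log, then show that tampering is detected."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "firewall.log")
    with open(log, "w") as f:
        f.write("2024-01-01T00:00:00Z DENY 203.0.113.5 -> 10.0.0.7:445\n")  # constructed sample
    m = build_manifest(d, "IRT record keeper (placeholder)", "INCIDENT-ID-PLACEHOLDER")
    save_manifest(m, os.path.join(tempfile.mkdtemp(), "manifest.json"))
    intact_before = verify_manifest(d, m) == []
    with open(log, "a") as f:
        f.write("appended after collection\n")  # simulated tampering
    return intact_before, verify_manifest(d, m)
```

The manifest should itself be signed or stored on write-once media so that the record keeper, not the evidence host, is the source of truth for the hashes.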
- Interview key persons
As part of the record-keeping process, all parties involved in the incident should be interviewed from time to time to gather their observations and input.
- Consider notification requirements
Provincial and federal laws impose obligations to notify various governmental offices, the affected data subjects, law enforcement and other agencies. Because of the short notification periods provided for under these laws, your legal obligations to disclose need to be assessed early on, and that assessment should be constantly updated.
- Assess priorities and risks
Based on what you know at this point regarding your systems, the extent of the breach, the nature of the breach and other factors, priorities need to be established and other aspects of your response, including communications, need to be progressed.
- Advise your insurer
If you have cyber insurance coverage, your broker or insurance company representative should be notified at the outset. This ensures that the response is conducted in accordance with the best practices established by the insurer.
- Notify law enforcement
Law enforcement agencies are increasing their level of cooperation and information sharing. This means that information about the particular threat actor may be known to the police, which may assist the forensics team. In some instances, decryption keys for ransomware are known to law enforcement agencies, who can then share that information. In the event of a criminal prosecution, law enforcement can assist with the preservation and storage of evidence.
[i] If your computer is compromised
- Disconnect it from the wired or wireless network. If using a docking station, undock it and then turn off the wireless network, as the computer will auto-switch to wireless when the wired network is no longer available.
- Do not turn off your computer.
- Contact your IT department and let them know the situation.