Five steps you should take after a major data breach

September 09, 2019

If your organization suffers a data breach, these steps should be among the first you take.


In this age of cyber threats and large-scale data theft, it’s often a matter of “when,” not “if” an organization will be targeted. As we have seen from previous high-profile data breaches, some companies are better equipped to deal with the fallout than others.

Let’s say that day has come for your organization – you discover that you’ve been attacked by cybercriminals. You’re not sure how much data was compromised or where it’s been moved to, but the organization’s reputation and business strategy depends on a swift response. Ideally, you already have a response plan in place to execute. But even if you don’t, having clear accountability, responsibility and assigned roles will help produce an effective response.

Here are the first steps you should take to limit any long-term damage.


1. Assemble your crisis response team

Gather all relevant team members into a crisis response unit, including representatives from forensics, legal, information security, information technology, operations, human resources, communications, investor relations and management.

Place this team’s priority on identifying the source of the breach, stopping any further loss of data, and determining what data was compromised. While the immediate actions involve stemming the tide of data loss, this response team will monitor for compromised data showing up elsewhere outside of your organization’s network.


2. Plug the leaks

Wherever data breaches have occurred, you must disconnect any affected equipment. The Federal Trade Commission (FTC) recommends disconnecting physical resources from your network, rather than a complete shutdown, since data forensics teams will eventually need to analyze the affected equipment.

For digital or virtualized resources, work with the hosted vendor to isolate and/or remove affected applications from your online infrastructure. Most financial and healthcare-related data must be stored in a private cloud setting, so if anything shows up on a public cloud environment (e.g., Google, Amazon, Dropbox), it should be quarantined by the provided host.

Above all, don’t destroy or remove any piece of evidence from your premises or virtualized infrastructure.


3. Contact law enforcement

File reports with your local law enforcement and consumer protection agencies. Some states require this by law, but it’s still a good practice even if it’s not legally required. Law enforcement can provide additional forensic and investigative tools beyond your organization’s capabilities.

Large-scale data breaches could also require intervention from federal agencies, like the Federal Bureau of Investigation or the Consumer Financial Protection Bureau. If health data was among the compromised assets, notify the Department of Health and Human Services for potential violations of the Health Insurance Portability and Accountability Act.


4. Investigate the breach

Now you need to figure out how the cybercriminals gained access to your organization’s data. Perhaps they acquired physical access from an on-premises server or computer. Or, they exploited a loophole in your organization’s digital infrastructure. Regardless, you need to identify any methods used in the breach and implement measures to remediate the weakness in security.

Cybersecurity firms specialize in this type of investigation, generally collecting as much physical and digital evidence as possible. Everything from workstations, servers, call logs, mobile devices, fax machines, audio tapes, closed-captioned TV footage, virtual and cloud-based environments, and access logs should be documented and analyzed for vulnerabilities.


5. Communicate the breach

Once your crisis team has assessed the breach and implemented its response plan, it’s time to inform your employees, customers, business partners, and the public of what occurred. Communicate the data breach openly and honestly once it’s safe to do so. The reputation of your organization might be jeopardized by the breach, but it will suffer far worse if the public (or your shareholders) finds out about it from outside sources.

The FTC recommends setting up a special phone line, website or direct contact to respond to questions or concerns. Expect to receive many inquiries, and provide enough trained staff to adequately handle the reaction.

These tips can help your organization respond effectively to an already-occurred breach. These aren’t the only steps to take after a breach, but they are an important part of a proactive and comprehensive data breach response plan. The FTC’s Start with Security Business Guide is a good resource for getting started on a plan.

Related content

Avoiding the pitfalls of warehouse lending

Proactive ways to fight vendor fraud

Cybersecurity – Protecting client data through industry best practices

Webinar: How to stay safe from cyberfraud

The cyber insurance question: Additional protection beyond prevention

Higher education strategies for e-payment migration, fighting fraud

The mobile app to download before summer vacation

5 Ways to protect your government agency from payment fraud

Authenticating cardholder data reduce e-commerce fraud

Insource or outsource? 10 considerations

4 strategies for coping with market volatility

Risk management strategies for foreign exchange hedging

Automate accounts payable to optimize revenue and payments

Protecting cash balances with sweep vehicles

3 tips to maintain flexibility in supply chain management

How to avoid being the victim of a digital payments scam

Cybercrisis management: Are you ready to respond?

Dear Money Mentor: What is cryptocurrency?

How to keep your assets safe

Learn to spot and protect yourself from common student scams

Cryptocurrency custody 6 frequently asked questions

How to spot an online scam

Small business growth: 6 strategies for scaling your business

Manufacturing: 6 supply chain optimization strategies

Healthcare marketing: How to promote your medical practice

Liquidity management: A renewed focus for European funds

5 questions you should ask your custodian about outsourcing

Webinar: Approaching international payment strategies in today’s unpredictable markets.

10 ways a global custodian can support your growth

Webinar: Mobile banking tips for smarter and safer online banking

How to choose the right custodian for your managed assets

Webinar: How to fight off fraud

Webinar: Protect yourself or your loved ones from elder fraud

Increase working capital with Commercial Card Optimization

Fraud prevention checklist

4 ways to outsmart your smart device

Money muling 101: Recognizing and avoiding this increasingly common scam

What you need to know about financial fraud

How you can prevent identity theft

Alternative investments: How to track returns and meet your goals

Hospitals face cybersecurity risks in surprising new ways

Webinar: Cash management strategies for higher education

5 steps you should take after a major data breach

Why KYC — for organizations

Post-pandemic fraud prevention lessons for local governments

BEC: Recognize a scam

Fight the battle against payments fraud

The latest on cybersecurity: Vulnerability testing and third-party software

The password: Enhancing security and usability

3 timeless tips to reduce corporate payments fraud

The surprising truth about corporate cards

White Castle optimizes payment transactions

4 tips for protecting your business against Coronavirus-related scams

The latest on cybersecurity: Mobile fraud and privacy concerns

How to improve your business network security

The benefits of a full-service warehouse custodian

Webinar: A closer look at U.S. Bank AP Optimizer

The future of financial leadership: More strategy, fewer spreadsheets

How to improve digital payments security for your health system

Enhancing liquidity management: 4 benefits of visibility

Webinar: Fraud prevention and mitigation for government agencies

Webinar: CRE Digital Transformation – Balancing Digitization with cybersecurity risk

Webinar: Robotic process automation

Start of disclosure content

Loan approval is subject to credit approval and program guidelines. Not all loan programs are available in all states for all loan amounts. Interest rate and program terms are subject to change without notice. Mortgage, home equity and credit products are offered by U.S. Bank National Association. Deposit products are offered by U.S. Bank National Association. Member FDIC.