Here’s a hypothetical: Today, you were informed of a cyber incident. Luckily, it appears minor and that no data was exfiltrated. After your brief panic subsides, you figure “Great! I’m all in the clear.” In the words of the great Lee Corso, “Not so fast, my friend.” When you are the steward of proprietary information, PII or other protected data, it is always in your best interest to take a maximalist approach to what constitutes a breach or stolen data.
If you think that just because your data isn't ‘gone’ that it's not 'lost' and you haven't really suffered a breach, then we have some bad news for you...
The reality is that if ransomware has touched that file at all or your data has ever been held hostage, then you have been breached, and your data and IP should be considered potentially compromised. Likewise, if a virus successfully infects your system, that is also considered a breach and a loss of data because you don't know what that virus touched, so you should assume that it has affected that data.
Regulations are increasingly loosening up their definition of what constitutes a data breach, which has enormous implications for you and your business. So, the unfortunate rule of thumb should always be that if your systems have had any unauthorized access—whether that's a Trojan, a virus, or malware of any kind (including ransomware)—you should consider yourself breached and your data 'lost,' even if it remains on your servers.
We cover various compliance issues with frameworks like CMMC here.
If you either don't recognize the seriousness of a cyber incident or worse yet try to sweep it under the rug as a minor incident because your data wasn't deleted, it's going to come back and bite you. Random or routine compliance audits unearth past breaches whether you consider them a breach or not. You may have forgotten about the incident, but your CEO won’t after a litany of bad press and substantial fines.
There are also legal trolls. Just in the way that there are patent trolls—lawyers and law firms who specialize in nuisance lawsuits litigating patent rights—there is a class of lawyers who are self-appointed compliance enforcers around regulations like GDPR and CCPA. If they start sniffing around and find out about a breach that you haven't reported or done your due diligence about, you're facing lawsuits, expensive legal defences, and more bad press.
So the best strategy, albeit uncomfortable, is to take a maximalist view of what constitutes a breach and loss of data, own up to it, and make the changes necessary to ensure that you minimize your vulnerabilities to future breaches.
Follow all of the necessary regulations about notification: notify all the third-party bodies and notify the local information compliance officer (ICO). For regulations like GDPR, you have a narrow 72-hour window for reporting incidents, so don't dilly dally.
Be proactive. Inform your users and customers of the breach and how they may or may not have been affected by it. The worst place for people to hear that their personal information might have been stolen is on the news. Get out in front of notification, and it will help smooth the process of winning back trust.
Because all you have to do is ask companies like Facebook—who have had several instances in recent years where they've left user data unsecured and vulnerable to hackers—about the legal, financial, and reputational costs of not doing so. While you're at it, see what Yahoo, Amazon, eBay, and Home Depot think, too.
Facebook wasn't breached, but how much do you think these incidents have cost them? While there may not have been a data breach, there certainly was a breach of trust. And that sort of rupture can be far longer-lasting and harder to repair.
If you do suffer data loss, the best way to begin rebuilding customer trust is to take steps to ensure breaches don't happen again.
ActZero's managed detection and response (MDR) service will proactively harden your defenses against threats, detect when you are breached, and respond to it to minimize the impact. Leverage our virtual CISO (vCISO) service to help set security priorities, reduce your risk, and guide your organization on improving your prevention posture as you grow.
To see our service in action, request a demo today.