What to do When Data gets Breached? | DCR Workforce Blog

Disastrous events are a part of life and all one can do in such circumstances is to try and work for stability and to regain balance. In a recent post, we talked about how to take the necessary steps to prevent one’s Vendor Management System (VMS) data from being hacked into. Today, let us look at a situation where all the precautions put in place to secure the data fail to prevail, and a breach occurs.

Unauthorized access to data (hacking) is not a game – it’s a serious crime that has numerous simultaneous victims. Breach of data often results in the perpetration of financial crimes, identity thefts and other fraudulent activities. Anyone who has been the victim of identity theft as a result of a data breach can tell you that – even with full cooperation from banks, credit card companies and government agencies – it takes months, perhaps years, to get back to normal.

Employees and customers trust that any information provided in the conduct of business will be treated confidentially and kept secure. When that trust is broken, the company’s brand also suffers. What should a business do, in the event of a data breach?

  • Quickly inform the affected individuals, local authorities, state consumer protection agencies, attorneys general and major credit bureaus (Equifax, Experian, and TransUnion). Explain how the breach occurred and set up a fraud alert.
  • Notices may be sent through mail or email (provided prior consent was obtained for sending such communication electronically), as well as through public notices in news media and on websites.
  • Understand and comply with legal requirements when data pertaining to persons in various geographical locations and jurisdictions gets compromised.
  • Ensure compliance with any additional remedies and notifications imposed by any active collective bargaining agreements, employee contracts, or nondisclosure agreements with employees or vendors.
  • Describe the steps you have taken to plug the gaps and vulnerabilities in your process and the steps initiated to secure the data from future attacks.
  • Clearly describe the type of information or data obtained by the hackers and the possible threats and repercussions in having such information in the wrong hands.
  • Provide clear-cut steps on how to ensure that one’s data is not misused. Advise the affected individuals and groups to change passwords/PIN numbers, and consider freezing accounts, blocking debit/credit cards and obtaining replacement cards, obtaining and reviewing one’s credit reports and ensuring that no new credit requests are filed by fraudulent characters.
  • Mention any data points which are still secure and not accessed by the hackers.
  • Provide a complete picture of the situation and the specific threats. To illustrate:
    • If the Social Security Number of an individual was stolen and misused to open new accounts and commit financial fraud or identity theft – an online report and an Identity Theft Affidavit can be lodged with the Federal Trade Commission. By filing the affidavit with the police, the victim can enjoy extended fraud protection for up to 7 years and can dispute as well as block all fraudulent debts and credit accounts from their credit history.
    • Stolen information is often used to steal the tax refunds of individuals. This can total up to millions when perpetrated on a mass scale. In such cases one may alert the IRS (Internal Revenue Service) using Form 14039.
    • Be alert and lodge a complaint when a victim gets suspicious communications related to medical bills or insurance statements, utility and cell phone accounts, student loans, or any other documents which have no reference to them.
  • Offer any help and support where feasible. Keep the lines of communication open, so that anyone affected can reach out for any clarifications or support if required.

It is important to identify the extent of a data breach as early as possible so that disaster recovery measures can be put in place for all the victims. A delay could only compound the risks and the damages resulting from the breach.

In a related matter, the number of online scams is also increasing. In these, individuals receive an email or see a pop-up banner that appears to be issued by a reputable company – typically, one that the recipient currently does business with. The individual is asked to electronically provide confidential information. When electronically informing affected individuals of a data breach, do not ask them to respond via email. Instead, encourage them to make contact through an established and secure process.

When a company becomes aware that its name and/or logo is being used to perpetrate a scam, it should proactively warn customers and employees through press releases, media outlets, and direct communications.

The content on this blog is for informational purposes only and cannot be construed as specific legal advice or as a substitute for competent legal advice. It reflects the opinions of DCR Workforce and may not reflect the opinions of any individual attorney. Do contact an attorney for advice specific to your issue or problem.
Lalita is a people/project manager with extensive experience in operations, HCM and training and development across industries like banking, education, business consulting, BPO and information technology. She believes in a dynamic approach to life and learning as change is the only constant.