Knowledge Drop / On Security Breach Notification
Plug The Hole
You’ve determined you’ve had a breach. Before taking any action to notify users, confirm that the source and method of the breach are completely understood and that the vulnerability has been eliminated. Once you’re confident the same breach cannot be repeated and the potential for similar breaches has been eliminated from the system, you’re ready to consider customer notification.
Identify The Accounts Exposed
If the breach isn’t site-wide, you may not need a system-wide notification. First, define the universe of accounts exposed in the breach. Database organization and partitioning may shrink the universe of exposed accounts, and reduce your obligations under state law.
Determine What Data Is At Risk
Identify exactly what information was or was not exposed. Does it depend on how the user signed up for his/her account? For instance, did the user sign up through Facebook Connect or another account, thus providing or limiting the information you have on hand? Identify both the data and the collection method. Even if you don’t collect certain personal information in the normal course of business, a breach of a database where users volunteer personal information (like a customer service database) may trigger additional reporting requirements.
Craft The Notice
Do notify people whose information was exposed. Your notice should explain what information was exposed and provide information on what should be done (e.g., passwords should be changed). Make sure the notice is self-contained and does not raise additional questions, but have customer service staff ready with answers. A notice should be just that, and not charged with emotion: don’t discuss the maliciousness of the breacher or label them hackers.
Don’t Rush The Notice
State law requires breach notices to be timely, but don’t over-rush it. Close the hole, fix the vulnerability, and confirm the data exposed, or you may have to repeat the cycle. A notice should never be sent before you have a complete understanding of all of the relevant facts.
Consider Additional Reporting Requirements
Depending on the nature of the breach and the data exposed, you may have a duty under state law to report the breach to state authorities. Additionally, if credit card information was exposed, your agreements with credit card companies could require reporting to those companies. Check your agreements and state law provisions as part of your breach due diligence.