by Lim Seng Siew, Director OTP Law Corporation
In the first part, we talked about what is a phishing attack. In this second part, we will talk about what to do if you are a victim of a hack.
Steps to Take When an Incident Occurs – C.A.R.E.
The PDPC has a very convenient 4-stage data breach management model under the acronym C.A.R.E. which stands for “containing” the breach, “assessing” risks and impact, “reporting” the incident and “evaluating” the response and recovery to prevent future breaches.
The Data Breach Management Plan
The 4-stage CARE model should be in your Data Breach Management Plan (sometimes called Incident Response Plan) and you should have a plan, even if you are a one-man operation. When a breach occurs, things are likely to move fast and will be chaotic. Planning ahead will help reduce the confusion and stress. Further, the plan should be in writing. In a chaotic situation you will forget. Therefore, when a suspected breach is detected, just whip out the plan and follow the steps listed. Remember that the plan need not be perfect. The Evaluation stage also involves re-evaluating your always ‘imperfect’ plan and refining it if necessary.
It’s also not enough to have just a plan. Equally important is to test the plan with ‘dry-runs’. The dry-runs will familiarise your staff with the plan and identify any kinks or shortcomings with the plan. A practical tip is to have the dry-run as one of your office’s team building exercise. With a bit of imagination, it can be fun.
Contain the Breach
Act to contain the breach as soon as you are aware of a data breach. In earlier times, this can be to simply turn everything off. In today’s world, this may not be an option especially if some of the technologies used by your business involve cloud services. And even if you can turn the equipment off, at some point in time you will need to turn them back on. So other steps are still necessary.
To contain the breach, your first step will be to change the passwords, not just of the hacked account but all others as well, especially when these other accounts use the same password.
Next, do a full system scan with anti-malware apps to detect if any malware has been installed in any of the computers or devices used in your business. You need to know ALL the accounts and ALL the computers and devices used. So, the plan must have an updated list of all these accounts and equipment.
Alert your banks and credit card companies. If necessary, change or stop your credit cards. You can do this while the scan is ongoing. The contact information of your banks and credit card companies should be in your plan. You should also monitor all your accounts for any suspicious activities.
Call your IT provider (internal IT staff or an external service provider) for assistance and notify your cybersecurity insurer. These insurers will have the necessary experts on call to assist you with the more complicated containment and assessment situations. Further, they can advise on other precautions to take as their other customers may also be victims of the same hacker.
Ask your IT provider to preserve the evidence of the hack or compromise such as the phishing email from which the attack started from, the system log files that record how the attack progressed, and/or the malware that was installed on your systems.
The steps you take in the containment stage is focused on preventing further compromises, determining the extent of the breach, and implementing mitigating measures to minimise the impact of the breach.
Assess Risks and Impact
The second stage is to assess if your containment is working or if the hacking is still going on. If the hacking is still on going, then you should continue with the containment efforts until the hacking has stopped.
Once the containment efforts are successful, then a deeper assessment of the data breach should be undertaken. That deeper assessment covers discovering the root cause of the breach, the effectiveness of the containment actions, and the effectiveness of any technical protection (eg encryption) of the data. Assistance from your IT provider or cybersecurity insurers is usually required to do this.
In parallel with the technical assessment must be an assessment as to who needs to be informed of the incident. The steps taken to assess if the data breach is a notifiable breach under the DBNR must be documented as the PDPC may take enforcement action against you if they deem that there has been an unreasonable delay in that assessment.
Report the Incident
The next stage is to Report the incident. You should have determined during the assessment stage who should be informed.
You should report the incident to the Police if a crime is suspected, to the PDPC if the breach involves personal data and is of a significant scale or causes significant harm, and to SingCert (Singapore Computer Incident Response Team) if it is a cybersecurity incident, and to the regulator of your business sector, if there is such a regulator. The PDPC also has a voluntary reporting scheme even if the incident is not a mandatorily notifiable one. An incident or breach need not be a cybersecurity incident. As an illustration, if physical documents are stolen and those documents contain customer’s confidential information and/or personal data, the police and the PDPC should be informed but SingCert need not be informed since it is not a cybersecurity breach.
The individuals whose data or information are compromised should also be informed. The PDPA requires the affected individuals to be informed as soon as possible, at the same time or soon after notifying PDPC. However, bear in mind that there could be some exceptions. As an example, if adoption information is involved, consider carefully whether certain individuals should be informed as the adoptee may not know that he or she is adopted.
The PDPC Guide on Managing and Notifying Data Breaches says that you have 30 days to determine if it is a notifiable breach. Any longer will have to be justified to PDPC. However, once it is determined that there is a notifiable breach, you must report to PDPC within 3 days. The PDPC has a webpage (at https://eservice.pdpc.gov.sg/case/db where reports can be made.
Except for the requirements by the PDPC, there are no hard timelines for when an organisation must notify other parties. However, you should do so as soon as possible. You don’t want to explain to the affected customers why you took 3 months to notify them. Explaining to them about the incident is already difficult enough.
Evaluate the Response and Recovery
The final stage is to Evaluate how you responded to the incident. Do that after the chaos has reduced and the reports made. This is so that you can deal with the next incident better.
Things for you to consider in your post-breach evaluation include:
- Determining the cause of the incident. Are there signs that should be monitored to prevent another similar incident? Are there weaknesses that can be strengthened?
- Evaluating the effectiveness of the initial containment actions. Are there weaknesses that can be strengthened?
- Evaluating the Data Breach Management Plan. Does the plan need to be updated?
- Evaluating the effectiveness of external parties like your IT provider or cybersecurity insurer. Were they able to effectively support you during the incident? What feedback can you give them? In a more drastic situation, you might have to consider engaging a fresh set of external parties.
- Evaluating employees’ response. Were employees aware of security related issues? Were the key employees (like your internal IT team) given sufficient resources to manage the incident? Is additional or refresher training required?
Thus far, we have been dealing with what to do after an incident has occurred. In the third part of this series, we will discuss what are the simple steps to take to reduce the chances of being a victim of a hack.
If you have a need to seek legal advice on your cybersecurity situation or just require legal assistance in any way, please reach out to us at enquiries@otp.sg or +65 64383922.