Four Best Practices for Responding to Data Theft

By: Randy R. Werner, CPA, J.D., LL.M./TAX
Published Date: Jul 24, 2015

An external auditor was brought in to audit the financial statements of a multistate grocery store chain. During the engagement, he uploaded payroll and pension plan data for some 5,000 employees onto his laptop, which he planned to encrypt once he got back to his office. On his way there, he stopped for lunch at a restaurant and left his laptop in the car. When he returned, the doors had been unlocked and the computer was missing.

What should the auditor do next?

1) Report the loss immediately. Many victims err in not reporting theft immediately, either because they are embarrassed, worried about losing their job, or think they simply misplaced the device and will soon find it. However, every firm should adopt a strict policy that requires its leadership and its employees to report losses promptly. This allows the firm to prevent further losses and to begin the repair and retrieval process right away. Moreover, some states’ laws require that clients be notified within a short period of time following the detection of data loss.

2) Activate safeguards for protecting personal information. Using a remote mobile device security service is an effective way to provide safeguards if security has been compromised. Remote security enables a user to activate a “kill switch” that blocks access to protected files or completely wipes data in the event that a computer, tablet, smart phone or USB storage drive has been lost or stolen. The service may also track devices when they are connected to the Internet.

In addition, firms should take other protective measures—such as maintaining solid encryption policies—that protect the organization independently of the end-user and work whether the computer is online or offline. Some services are available by online subscription, without the need to purchase or support hardware or software infrastructure.
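The auditor in the opening scenario planned to encrypt the payroll export after driving back to the office; the control that would have protected him is encrypting before the data leaves the client site, so that a stolen laptop holds only ciphertext. The following shell script is an added illustration of that file-level step (it is not from the article or from Camico); it assumes `openssl` is installed, and the payroll CSV and passphrase file it creates are constructed for the demonstration. Full-disk encryption, which the paragraph above alludes to, is the broader control that covers everything on the device without relying on the user to remember this step.

```shell
#!/bin/sh
# Added example: encrypt a client data export before it travels.
# Assumes openssl 1.1.1 or later (for -pbkdf2 / -iter). All paths and data below
# are constructed for the demo; in practice the passphrase would come from a
# firm-managed secret store, not a file beside the export.
set -eu

WORK="$(mktemp -d)"
PAYROLL="$WORK/payroll_export.csv"
KEYFILE="$WORK/export.key"

# Constructed stand-in for the payroll/pension export.
printf 'employee_id,name,ssn_last4,annual_pay\n1001,A. Example,1234,52000\n' > "$PAYROLL"

# Restrict new files to the current user, then create a throwaway passphrase.
umask 077
openssl rand -hex 32 > "$KEYFILE"

encrypt_export() {
    # $1 = plaintext path. Writes $1.enc (AES-256-CBC, PBKDF2-derived key, random salt)
    # and removes the plaintext so only ciphertext is carried off site.
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$1.enc" -pass "file:$KEYFILE"
    rm -f "$1"
}

decrypt_export() {
    # $1 = ciphertext path, $2 = output path. Used back at the office.
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$KEYFILE"
}

plaintext_left_on_disk() {
    # True (exit 0) if the unencrypted export still exists: the state to avoid.
    [ -f "$PAYROLL" ]
}

# Run the pre-transport step.
encrypt_export "$PAYROLL"
echo "ciphertext written to $PAYROLL.enc; plaintext removed"
```

The passphrase is deliberately never typed on the command line (it is read with `-pass file:`), so it does not appear in shell history or process listings. Deleting the plaintext after encryption is what makes the theft scenario a loss of hardware rather than a loss of data.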

3) Notify the firm’s attorney and risk adviser/insurance company. They’ll assist the firm in determining whether there has been a breach, as defined by current state or federal laws. The advisers should also be able to help you fulfill the reporting and notification requirements under law.

Cyberliability or data breach insurance is recommended for covering data breach response costs, including notifications to clients and third parties, and losses to computer network assets, such as data. Some insurance policies also cover legal services, forensic services and business interruption expenses, as well as expenses stemming from cyberextortion and cyberterrorism.

Some state laws require that law enforcement be notified in the event of data theft, which may attract news media coverage and draw attention that could affect the firm’s public image and standing. In such situations, a crisis management or public relations firm may help to control communications and protect the firm’s reputation.

Credit-monitoring services and identity theft education and assistance services are also recommended; cyberliability or data breach insurance plans will often cover them.  

4) Activate the firm’s incident response plan. If the firm is prepared, it will have an incident response plan in place in order to manage a breach. The best time to plan for an emergency is before it happens. On the flip side, the worst time to figure out how to respond to a crisis is while it’s happening. An effective plan will help the firm to—

--quickly and efficiently recover from security incidents,

--respond in a systematic manner to incidents and carry out all necessary steps to correctly handle an incident,

--prevent or minimize disruption of critical information systems,

--minimize loss or theft of sensitive or critical information,

--ensure that firm resources are used wisely and efficiently, and

--govern the flow of communications among the stakeholders (internal) and other organizations (e.g., insurance companies and law enforcement agencies).

Outline the basic steps of the plan by establishing checklists and clear action items. Upon discovery of a cyberincident, the following questions usually arise:

--What happened?

--What data were affected?

--How many individuals were affected?

--Is there a legal obligation to notify? (Consult with the firm’s attorney.)

--Should the affected individuals be notified immediately?

--Who needs to be notified? Business partners? Law enforcement or regulatory agencies?

If the firm has not yet prepared an incident response plan, assign individuals to be responsible for preparing one. They should be able to recruit others to a response team, if necessary. Team members need to know where client and personal information is stored. Inbound and outbound sources of information, and all methods of communicating such information, should be addressed by the plan.

An incident response plan should be part of a broader information security program that satisfies the provisions of state and federal regulations. For example, some state regulations require such programs to be in writing. (One advantage of this is that a written security program can be taught to staff so as to ensure that each employee knows the firm’s expectations and what he or she is required to do, including best practices for addressing new and continuing risks, such as social engineering, phishing and web application attacks.) Update the program to reflect new laws or regulations and hold training sessions about the changes so that staff can make it a dynamic, living program.

There are several benefits to having a strong information security program. Besides helping to ensure that private information remains confidential and available only to authorized parties, a strong program helps the firm avoid or reduce the high costs associated with data breaches. What’s more, it becomes a powerful selling point that clients appreciate in this era of heightened security awareness.

Randy R. Werner, CPA, J.D., LL.M./Tax, is a loss prevention executive with Camico. She responds to Camico loss prevention hotline inquiries and speaks to CPA groups on various topics.

For information on the Camico program, call Camico directly at 800-652-1772, or contact: (Upstate) Reggie DeJean, Lawley Service, Inc., 716-849-8618, and (Downstate) Dan Hudson, Chesapeake Professional Liability Brokers, Inc., 410-757-1932. 
