Security infrastructures that go beyond simple IT protection.

Security Breach Investigation and Remediation

Security breaches can have a devastating effect on an organization’s mission goals and reputation. Organizations that face a security breach are often left unsure how to proceed.

If you have had a security breach in the recent past, let our IT and security consulting experts help you trace the attack and preserve evidence in the process. Electronic fraud investigations, forensic computer investigations and E-crime expert support are our forte. ERM boasts an exemplary record in incident response support and security breach remediation.

Today, the regulatory oversight surrounding security breaches and their notification is very strong and is strictly enforced. Thirty-five states, plus the District of Columbia, have now enacted laws (California – 2003, Florida – 2005) requiring businesses to provide notice of security breaches affecting personal information. Take the Florida statute as an example:

Florida Statute Section 817.5681.

Some Definitions

Unencrypted personal information: “Personal information” under this law means an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted:

  • Social Security Number
  • Driver’s license number or Florida Identification Card Number
  • Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts.

Security breaches: “Breach” or “breach of the security system” under this law means the unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person.

Applicability

The law applies to any person who conducts business in Florida and maintains computerized data in a system that includes personal information. This law does not apply to governmental agencies, but it does apply to businesses that are providing government services under a contract with a governmental agency.

Notices and Disclosures

Notices and disclosures are to be given when it is determined that there was a breach of the security of a system that maintains computerized data, and a Florida resident’s unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Any person that maintains data that includes personal information on behalf of another business entity must disclose any breach of security to the other business as soon as practicable, but no later than 10 days following the determination of the breach.

Consistent with the needs of law enforcement, affected Florida residents must be notified without unreasonable delay, and no later than 45 days following the determination of the breach.

If a breach requires notification of more than 1,000 persons at a single time, the person must also notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the notices.