Association Data Breach: Critical Next Steps to Recover

Computer Caution | March 22, 2016 | By: David Kim

Your association management system has been compromised. What you do next is not merely a technology concern; rather, recovery is a major business imperative with major financial consequences. Here are the key steps to, ideally, plan out in advance.

You just got the call from your IT director or security manager. Bad news. Worse than bad. Your association management system (AMS) has been breached.

Membership data. Financial data. Personally identifiable information (PII) on staff, members, partners, and the board of directors is in the hands of people who do not have your best interests at heart. Worse yet, you may be subject to a ransomware or extortion attack: if you do not pay by a certain deadline, the hackers will release the stolen data publicly.

What your association does next is critical to stem the bleeding, investigate the incident, and minimize business risks. These measures may sound like the responsibility of your IT department, but in actuality they are business imperatives with big financial consequences. The following steps are intended to minimize loss, information theft, and disruption of services.


To Prosecute or Not?

Your association must decide whether you plan to prosecute or to restore and resume operations as quickly as possible. This matters because, if you choose the prosecution route, a forensic investigation requires significantly more time and investment than incident response alone. To support prosecution, your association must follow "chain of custody" procedures so that digital findings can be submitted as evidence. You will need to leave affected systems exactly as they are and conform to precise processes and evidence trails. If the attack involves extortion or other forms of financial fraud, you are required to report the incident to the authorities.

Do You Have a Checklist of Things to Do?

A data breach checklist outlines what to do and what to verify if your AMS is compromised, and it will assist in determining which route to take. This is where you retrieve the audit trails, logs, alerts, and alarms of the impacted system and verify that they are intact and have not been tampered with. The same applies to data backups. The checklist provides a systematic approach to gathering information and assessing the situation.

Do You Have an Incident Response Team and Data Breach Plan in Place?

A data breach plan typically includes instructions or steps for handling the breach. Its purpose is to provide a more detailed and thorough roadmap to help stakeholders minimize loss and disruption of services. Stakeholders should include anyone who will be involved in the handling or notification process, including representatives from IT, legal, HR, membership, communications, and customer service.

Is Your Association Required to Publicly Announce a Data Breach?

Legally, you may be required to publicly announce the data breach and notify each person affected. This depends on your state and on the location and number of individuals affected. Legal issues aside, what you communicate, to whom, and how you say it will have an enormous impact on business continuity, revenue, and your brand.

Does Your Association Have the Type of Insurance to Cover the Cost of a Data Breach?

Many organizations are purchasing additional cybersecurity and data-breach insurance. Whether that is the right choice for your association may depend on the security of your back-end database tables. Are you encrypting sensitive and personally identifiable data? A cost comparison will give you another data point in analyzing the optimum response.

How Quickly Can You Recover from a Data Breach?

Determining recovery time can be challenging. Timing is complex because it can be hard to establish when a breach started, when it was discovered, and how long the data was exposed. The one thing you can control is how you respond to re-establish your members' trust: an immediate security remediation plan and a solid communication plan for your constituents. Even better, perform an annual security risk assessment to minimize your risk.

Conclusion

Every association that has a member portal on the web must address these critical business criteria. Given that we routinely use and handle sensitive information, associations must be prepared to address and handle a worst-case scenario. Ignoring the probability is to ignore reality and merely hope for the best.

David Kim

David Kim is president of governance, risk, and compliance services at IT Professional Group, Inc., in Vienna, Virginia.