Website Hack? What are the legal issues?

Someone is trying to hack your site. In fact, if your site is built on WordPress, which more than 75 million websites are, there are bots constantly trying to gain access to your site – perhaps even as you read this post. This isn’t because WordPress has security flaws.  It is because most sites are built on WordPress, so that is the Content Management System on which most hackers focus.  Thus, after you have taken reasonable steps to secure your site, you should have a plan in place in case a hack is successful despite your security measures.  Here is a short list of steps to take in the event your site is hacked. A word of warning: this will sound pretty simple, but it could get messy.

  1. Fix the problem – The first thing you must do is stop the bleeding by identifying the problem and repairing the breach. The longer the site is up and running after it is hacked, the more data you are going to lose. Have someone who knows what they are doing identify the breach and fix it. Your in-house tech support may be able to take care of this, but it is still a good idea to get an outside IT expert to take a look before you call it good.
  2. Get the facts straight – While you are repairing the security issue and restoring the site, you should be keeping detailed notes on exactly what took place. You may be explaining what happened to customers, security breach victims, attorneys, board members, law enforcement, or even the press. Having a clear, concise knowledge of the facts will make this easier and ensure your story is not altered. At the same time you are determining what to say, you should be deciding on who will be saying it. It is important that the person who is giving the explanation has a firm understanding of what happened so that they are prepared for follow-up questions.
  3. Call your attorneys – Your attorneys will be able to identify your legal obligations at this point. Most importantly, they will be able to advise you who you need to contact. This includes third parties whose information may have been stolen. It may even include banks if credit card information was stolen. Your attorneys can help mitigate the problem by outlining what legal steps need to be taken to avoid or minimize lawsuits. Data-breach legislation differs from state to state, so your attorneys can identify which states’ laws affect your situation and what those laws are.
  4. Develop a hack strategy for the future. You battled through this one – good for you. Now is not the time to sit back and wait for it to happen again—now is the time to put a plan in place that will A) prevent future attacks and B) alert you as soon as a breach is taking place (before any real damage is done).
  5. Communicate. It is critical that the first news of the breach come from you or your company—the last thing you want is for it to appear that you were trying to hide what happened. You may be legally obligated to alert certain people, such as shareholders, board members, clients, customers, etc. so that they can mitigate the damage at their end. Include the steps you have taken to fix the problem and what your plan for security in the future.

There is no such thing as a hack-proof website. As security technology improves, hackers are constantly thinking of new ways to circumvent it. Many computer security experts suggest the most effective thing you can do to keep your site secure, as simple as it seems, is to use complex usernames and passwords. Login pages are typically the easiest way for a hacker to get into your site, and they usually use bots that simply guess usernames and passwords. It is also important to back up your data every night and keep an eye on unusual activity on the site.