Preservation of evidence in case of security breach

Should there be a security breach, it is imperative that local authorities be contacted immediately. Management should issue a guideline to follow in order to preserve evidence. Since most security breaches are unique in nature, the guidelines may vary; however, listed below is a basic suggested protocol for preservation of evidence in case of a security breach. This could be outside theft, internal employee theft, computer fraud, bank fraud, credit card fraud, etc. Chances are that if one area is breached, multiple areas will be breached, including branch offices.

  • Notify 911 or emergency police immediately. Follow notification procedures as outlined earlier in this document. If the breach crosses State line the FBI or CIA may be called in. If it involves military secrets, contact the appropriate agency.
  • Lock down the facility – no entry or exit. Write down the names and phone numbers of everyone locked down.
  • Quarantine computers, answering machines, all cell phones, and fax receiving / sending equipment. If you have security camera devices, secure all access to the backup. Keep it running until the authorities arrive.
  • Preserve all files, paper documents, desktop notes, shredded materials, trash, etc.
  • Preserve all computer files, Outlook, E-Mails and back up computer equipment.
  • Centralize staff, employees and visitors awaiting 911 responders
  • Call your Corporate office, lawyer, Director, Vice Director, CEO, CFO, Risk Manager, etc. to tell them of the situation.
  • Begin to make written notes on notepad of comments, questions and thoughts. Do not tear out pages.
  • Look around the area and observe, without disturbing evidence, to see if anything appears unusual. If you see unusual objects, do not touch them; just barricade them off carefully. A keen eye is needed for this task.
  • Identify eyewitnesses and star witnesses so as to provide this list to investigators of law enforcement, insurance companies and other authorities that may be involved.
  • If the security breach involves a shipment container, have photographs taken immediately without touching the container or contents. Secure any locks or locking devices that may have been tampered with. Source shipping documents (Bill of Lading) for the container so that authorities will have knowledge of contents. On your notepad, attempt to backtrack the process of shipment, including what companies and individuals had knowledge of the shipment or who moved it.
  • If the security breach is at a remote location, at a freight forwarder location, aboard a ship, in a Port storage area, etc., management should immediately take information by phone that would help preserve evidence.
  • Management should instruct individuals at this remote location to follow procedures similar to those outlined above and below. Send by E-Mail or fax the Witness form for completion on-site or on the ship. Have this form sent back to your office.
  • Determine if a witness is an eyewitness or a star witness. The difference is as follows: An eyewitness visually sees the situation personally. Example: Tom Smith witnessed Mary Jones stealing documents from computer files. Another example: Mike Martinez was on the loading dock and personally witnessed two men in a cargo van pull up, cut the locks and enter the container. A star witness example: Tom Smith is sitting in the office working and hears portions of a phone call that Mary Jones is on that is out of ordinary business practice. Tom Smith hears her state she is forwarding information by E-Mail now; however, he does not clearly understand the entire conversation or see the E-Mail content. Another example: Mike Martinez hears sounds similar to someone cutting a lock and opening a container. When he turns to walk to a door opening, he sees a truck leaving the area. Eventually it is found a container has been broken into.
  • Have each employee, staff member or known person(s) that have any remote information immediately complete the Witness Report as shown below. This should be done as quickly as possible while information is fresh. Do not allow individuals to discuss their thoughts together. Do not allow individuals to be in the same room when completing the Witness Report. Each Witness Report should be private and held confidential. Management should keep copies of these reports for internal purposes as well as provide copies to the authorities investigating the security breach. Time stamp each form with the date, time of day, and name of the person collecting data.
  • Once legal authorities arrive, be sure to take names, badge ID #, phone contact and division of the authority agency they work for. Allow the authorities to do their job.

   Kenneth Coffing, HRM, TCE, QM, QI, CPHA
    USA sole proprietor company consultant
   Healthcare Risk Manager, HRM
   Technical Civil Engineering, TCE
   Quality Management, QM
   Quality Inspection, QI
   Certified Public Healthcare Administrator, CPHI
   Skype: vietnamgoesgolfing