Responding to a Data Breach
Data breaches are becoming increasingly common. As business moves to digital platforms, even small businesses are targets for cyber-criminals. Stolen data can range from usernames and passwords to personally identifying information and banking or credit card details. As a business owner, what steps should you take if you discover that your customers' personal information has been exposed?
What was Stolen?
You need to determine what type of data was stolen. Establishing the type of data and the scope of the breach usually requires a data forensics team, who can also identify the source of the intrusion. It is very important to know exactly what was taken and which clients are affected, because that drives both your legal obligations and what you must tell the people involved.
The most sensitive information includes credit card numbers together with their security codes, bank account information and Social Security numbers. Slightly less sensitive is credit and debit card numbers (without the security codes), dates of birth and email addresses. The least sensitive is physical addresses and names. Note that combinations matter: a name, date of birth and Social Security number together are far more useful to an identity thief than any one of them alone.
Once you determine there was a breach, take immediate action to prevent any further loss of data. Was there a physical intrusion that resulted in a data loss, such as a break-in and stolen computers or servers? Was a company laptop holding client data lost or stolen? Work with police and data forensics experts to determine the cause of the breach and what can be done. If the breach was due to a hack, isolate the affected systems from the network, but do not wipe or rebuild them until the forensics team has taken copies, since that destroys the logs and evidence needed to establish what happened and who was affected.
Working with experts is necessary to secure your data and prevent further loss. Once the vulnerabilities that were exploited are identified, they can be fixed. Common sources include third-party service providers, unencrypted data in storage or in transit, unsecured network access (such as remote access without multi-factor authentication) and weak or reused passwords.
Make sure the same breach cannot happen again, and document the steps taken to correct it and to prevent it from happening in the future.
Notify Relevant Parties
Most states have laws about who must be notified in the event of a data breach, and which law applies generally depends on where the affected individuals live, not where your business is located. Check the laws in every state where you have affected customers to see what your legal obligations are.
Law enforcement should always be notified. Your first call should be to your local law enforcement. If electronic health information was exposed, you also need to notify the FTC (under its Health Breach Notification Rule, which covers vendors of personal health records not subject to HIPAA) or, if you are a HIPAA covered entity or business associate, the Department of Health and Human Services, and for larger breaches, the media.
You need to notify those affected by the breach. Laws vary by state, but notifications typically include how the breach occurred, what information was taken, how the information was used (if known), what steps you have taken to prevent it from happening again, who to contact at your organization with questions, and what you are doing to protect your clients (for example, free credit monitoring for a set period). It is recommended that you include information about identity theft in your notification, such as how to place a fraud alert or credit freeze with the three credit bureaus (Equifax, Experian and TransUnion), with links. The FTC also runs an identity theft website, IdentityTheft.gov, that you can direct your clients and business associates to for guidance on protecting themselves after a data breach.
The steps above are expensive: properly investigating a data breach, fixing the problem, notifying those impacted and paying for credit monitoring can run into the hundreds of thousands of dollars. Small businesses often cannot absorb these costs on their own. Cyber liability insurance not only covers these costs but also provides resources such as forensic data analysts and help with notifications, so that business owners are not as overwhelmed.
We have multiple carriers for cyber insurance. We can work with you to cover the exposure you actually have, based on your business activities, so you are not paying for coverage you do not need. Do not let a data breach put you out of business. Give us a call today to discuss your options, and we will work with you to find the best coverage at the most affordable price to keep your business secure.