What Should Companies Do After a Data Breach?

In this day and age, all businesses should take precautions to prevent a data breach – small companies are known to be particularly vulnerable. You likely have security standards in place to safely process credit card information and review social engineering tactics with employees, yet hacks can and do happen. When you’re on the hook for damage control, what should you know?
How Bad is a Data Breach?
When it comes to your customers and clients, never sweep the incident under the rug. It’s serious for everyone involved, for multiple reasons:

  • When thieves gain access to company data, they can steal customer identities and exploit their personal and financial information.
  • Your customers lose trust in your company – especially once it gets out that you suppressed information.
  • Your company secrets get out.
  • You’ll be facing a number of lawsuits, which could bankrupt your company.

Each year, data breach losses total $400 billion. In 2013 alone, over 13 million consumers experienced identity theft in some form, with data breaches being a common source. For these reasons, it’s best to address the issue in a timely manner – not cover it up or delay correspondence, hoping it will resolve itself.
How to Respond to a Data Breach
Based on points from the Federal Trade Commission (FTC), your business should:

  • Move quickly, especially with regards to your network. Address and fix vulnerabilities right away and implement a plan to ensure it won’t happen a second time. Also make sure your response is comprehensive, unbiased and involves the whole company. Ideally, bring in a team of outside data forensic experts for a new perspective.
  • Think physically, as well as digitally. Secure physical areas where an outside party may have accessed company data and change all access codes and credentials. Continue to monitor all entry and exit points.
  • Take all affected equipment offline, but don’t turn the machines off.
  • Reach out to your legal counsel to discuss the best way to go forward and address any state and federal laws.
  • Review all information on your company website, in case that may have tipped off the hackers. Do the same on other websites, especially as your company’s information may have been cached and captured.
  • During the investigation, document everything – never destroy evidence – and make sure your staff knows where to go or who to contact with important information.
  • With the forensic experts, examine aspects like encryption, backup data, logs regarding access, what type of information was compromised and how many people were potentially affected. Make sure you can contact this group of customers.
  • Develop a comprehensive yet targeted communications plan for all affected individuals – employees, customers, clients, business partners and investors. Provide them with key details about the breach, how to protect themselves and avoid inaccurate or misleading statements. In this document, let them know what information was usurped, how it could have been potentially used, what actions you’re taking to protect them and remedy the situation and how they can contact your organization. Furthermore, offer all affected individuals free credit monitoring.
  • As you send out notifications, make sure you comply with all legal requirements concerning security breaches.
  • Notify law enforcement about potential identity theft, so they can act swift and accordingly.
  • Consider redesigning the full security infrastructure of your business, examining both inside and outside aspects, upgrading your encryption program, re-educating your employees about data safety practices and requiring that all devices on the network have anti-malware software installed. Also develop rules restricting social media use on company computers.
  • Understand that recovery is never instant; it will take time to regain the trust of your customers.

To anticipate these potential events, make sure you have adequate business insurance, including liability, business continuity and data breach coverage. To discuss your current policies and make changes, give us a call at 203.729.5261.