What’s worse than a massive data breach? Not reporting it.
Yahoo learned this lesson the hard way. The former Internet giant has been under intense scrutiny for revealing that at least 500 million of its user accounts were stolen back in 2014. It now faces multiple class action lawsuits and its sale to Verizon could be in danger.
Breach notification rules don’t apply just to big corporations: any small business that collects customer information also has important obligations to its customers. In fact, 47 states have their own data breach laws.
More than half of U.S. businesses have experienced a cyber-attack in the past year, and forty-three percent of hack attacks in 2015 were against small businesses, according to Symantec’s 2016 Internet Security Threat Report.
Here’s what you should do once you’ve learned that your company has been hacked:
1. Inform customers immediately: Once you know a breach has occurred, by law you are required to inform customers whose data has been compromised. State laws vary on how quickly you need to get the word out. Generally speaking, the sooner the better: “speed is of the essence,” says Thomas Brown, managing director in charge of the cyber-security and investigations practice at Berkeley Research Group.
2. Send a written notification: You’ll need to send a written notification to every affected customer that clearly states a data breach has occurred, when it occurred, and what kind of information was compromised. You’ll also need to say what the company is doing to provide a remedy, and what actions customers can take. Remedies may include directing people to a website or a 1-800 number set up by the company, where they can get additional information. You may also want to supply contact information for the three credit monitoring agencies, Equifax, Experian and TransUnion, which can put fraud alerts on consumer accounts.
3. File a notice of breach: If you notify more than 500 customers about a breach, many states will also require you to file a notice with your state attorney general’s office.
4. Implement an ‘incident response’ plan: Have an “incident response” plan in place, and update it at least once a year. It should list telephone numbers for attorneys, IT forensic experts, your insurance agent, and vendors who can help with customer outreach. It should also include a current map of your computer network, so you can quickly identify where the potential vulnerabilities are.
5. Notify local and federal authorities: It’s not a requirement in most instances, but it could be extremely helpful, as the hack attack against your business might be part of a coordinated attack by criminals.
6. Consider cyber insurance: Policies can be purchased from most major insurance carriers for between $5,000 and $10,000 per $1 million in protection. Policies will generally cover things like legal and forensic fees, expenses related to customer outreach, costs for providing customer credit monitoring, and court costs related to civil litigation and class actions. Many policies come pre-loaded with access to online portals that let you connect immediately with the experts you’ll need following a breach.
7. Come up with a contingency plan: Data theft can shut down your business for weeks or even months while IT experts work to secure your network again. You’ll need to do serious damage control with your existing customers, and figure out a way to keep sales channels open. Having an incident response plan in place, and testing it to ensure it works, is key. While most businesses focus on how to avoid falling victim to a data breach, it is just as important to ensure your organization knows how to respond if one were to occur.