My Business Had A Data Breach: 3 Steps To Take NOW!
If you are reading this blog, unfortunately it is probably because your business suffered a data breach. Whether sensitive information was stolen by a hacker, an employee stole customer information, or information was accidentally leaked on social media or your website, there are 3 very important steps to take now.
- Secure your information: Immediately secure your information and do everything possible to prevent another data breach. Remove the data from social media or the website if appropriate. Take all affected systems offline immediately, change passwords, and secure hardware, but do not shut down the system. You should hire a forensics team to determine the how, what, and when; you don’t want to shut down the system until they tell you to. You will also want to assemble an entire team of experts. Depending on the size and nature of your business and the breach, they might include an information technology expert, Human Resources, Communications, Operations personnel, and legal counsel.
- Close the holes: You will want to fix any vulnerabilities. Contact your service providers to determine what information they might have access to and perhaps change permissions. Work with the forensic team of experts to determine if the data was encrypted, analyze your backup data, and review who has access, restricting access as much as possible.
- Notify: Create a plan of communication to identify and notify the appropriate parties. Develop a list of those affected along with their contact information. Be sure to check state and federal laws that may affect your business with special regulations or requirements. Notify the police department of the crime. Depending on the type of breach, you may need to contact the postal service, the FBI or the ICC. If health information was compromised, you will want to review the Health Breach Notification Rule and/or HIPAA. If bank or credit card information was compromised, contact the financial institution that controls the account. Designate a point person in your business to notify the businesses or individuals affected. Be truthful and open about what was compromised so the individuals or businesses can protect themselves properly. Consider offering a year of free identity theft monitoring.
The FTC has developed and released a special guide with more in-depth information as well as a sample letter for those affected. You can view the free guide here.
As you can see, a data breach is a very serious issue and can cost your business time and money. It can also affect your reputation, so you will want to respond to a data breach now, rather than later. To help offset the financial burden, many businesses have data breach coverage built into their business owner’s policy, and data breach response coverage as well. If not, it can sometimes be added by a special endorsement.
We want to be sure your business is protected properly. Contact us for a free review of your current business insurance to be sure you have the appropriate coverage or if you need more information about data breach and data breach response.