If you are like most business owners, a myriad of questions immediately run through your mind: How bad is this going to be? Is it just a virus? What information is going to be lost? What if that information is stolen?
With the recent onslaught of data breaches, the one thing we should all know is that any time a computer in your company has been infected, there is a chance a data breach has occurred. Once the infection is identified, it’s important to understand what the virus was intended to do. If the intent was to “gather” data, you need to take immediate action. If you aren’t sure how to identify the intent of the virus, you should contact a specialist. A simple rule of thumb: if the virus didn’t damage the computer or attack files, the odds are it was there to steal your data.
A lot of small businesses are hesitant to report a cyber-attack because they fear the damage it could do to the company. The reality is that the damage may already be done, and sitting quietly not only jeopardizes your customers … it’s also a crime. According to the National Conference of State Legislatures website, 47 states (plus DC, Guam, Puerto Rico and the Virgin Islands) have enacted legislation requiring businesses to notify any individual who may have had personally identifiable information taken in a security breach. In most states, your business is not only required to notify your client base of the breach, but you are also required to offer credit monitoring services to those clients at your expense.
So, once you’ve identified that a data breach has occurred, it’s time to take a lot of action. Here are some of the most important immediate steps:
- Start a document with all key dates/times (when the breach was reported, when response efforts began, and when the breach initially occurred). Also document everything you learn about how the breach occurred and every action you take to limit the impact.
- Take the affected machine offline, but leave it powered on so that whoever you have investigate can trace back how the breach occurred.
- Notify staff of the breach and ask for information. I strongly recommend running a scan on every other computer in the company to prevent further data loss. Encourage employees to explain any oddities they may have noticed on their computer.
- Contact a third-party IT vendor that can help make sure the breach is contained and eliminated as quickly as possible. Make them responsible for assessing priorities and risks based on what they learn about the breach, and for reporting back to you.
- Consult with a lawyer to identify what legal steps may be taken. You may be required to notify law enforcement as well.
- If you have data breach coverage, notify your insurance carrier and seek their advice/assistance.
All of these steps should be completed within hours of the breach. Then, you need to start working with your lawyer, your insurance carrier (if applicable), your IT company and your internal staff to build a game plan for notifying the customers who were impacted by the data breach. Be sure to stay in contact with the relevant law enforcement agencies throughout the process, because your company may be asked to delay notification so it doesn’t interfere with their investigation.
If you can’t tell which customers were directly impacted, you are required to notify everyone (under almost all state laws). Generally, you have 60 days to notify the affected individuals, and that clock starts the moment you become aware that a breach occurred. Mishandling this process can lead to severe consequences, including additional fines.
Once you have the notification process under control, you will have to turn your attention to rebuilding your brand reputation. According to the National Cybersecurity Institute, nearly 87% of people surveyed said they would be unlikely to do business with a company that has suffered a data breach involving credit or debit card information. An Experian survey showed that, depending on the type of breach, the value of your company’s brand will decrease by between 17% and 31%.
Some of the key ways to limit the damage include:
- Responding quickly to the breach
- Communicating openly with your customers
- Explaining the actions being taken to prevent a future breach
As you can see, when a data breach happens, it will have a dramatic impact on your business and will take a ton of your time (and money) to overcome the problem. That’s why I strongly recommend having a formal data breach incident response plan in place. You can easily find examples of a good plan through reputable sources, and having a plan that you can immediately enact when a breach occurs is one of the best ways to minimize the damage.