What To Do If You’ve Had A Data Breach
A data breach is the worst nightmare for many companies, as it can massively impact the business and customer trust in your brand. Whether it is customer or client data that is stolen, companies are a target for hackers looking to harvest information such as email addresses or credit card details. If you have had a data breach of any kind, it is important to respond quickly and efficiently to contain the problem before it becomes a real disaster for you and the business.
Secure Your Network
The most important first step is to get things secure again as quickly as possible and patch up whatever vulnerability allowed a hacker to get in and steal data. The last thing you want is a series of breaches because the access has been left open for hackers to return to steal more data.
A data management service can help you identify the scale of the breach. Depending on how much data and what kind of data has been lost, you may need to assemble a team of experts from different fields: a data forensics team to identify the source of the breach, and legal counsel who can advise on the local and federal laws that may have been broken as a result of it. Your own HR and marketing teams should be involved too, to help you communicate the problem to employees and customers.
If the breach was caused by someone accessing a physical area, get this re-secured immediately. Change any access codes and check that protocols about closing doors and not giving access to anyone but authorised staff are being followed. Who has access to the space? Are there old access keys still active that should have been revoked?
Take any equipment affected by the hack offline as soon as you realise a breach has happened, but leave the machines switched on until your experts have examined them. Powering them off destroys volatile evidence (memory contents, running processes, active connections) and may limit the team's ability to work out how the breach happened. Check your own website and any others for improperly posted information and have it removed immediately.
Fix Vulnerabilities
Once you have identified where the breach came from, take steps to stop something similar from happening again: examine the root cause and decide what changes to systems, processes and access would have prevented it.
If the breach came from a third-party service provider, look at what personal data they are able to access from your business and consider whether their access rights should change. Give them access only to the bare minimum of information they need to provide their service, and no more; they should not have administrative access either. Did your network segmentation contain the breach, or could it be made stronger? Was encryption enabled when the breach happened? Who had access to the data, and should anyone's access level be changed?
Prepare honest communications for those impacted by the breach, including shareholders, staff, customers and investors. Tell these key people what data has been stolen and give them the information they need to further protect themselves.
Notify Appropriate Parties
If you’ve had a breach, you need to notify customers, affected businesses and law enforcement.
Most states have legislation about notification of security breaches that includes personal information. Depending on what information was taken, other laws and regulations may apply. Check state and federal laws, and any relevant regulations for your business to see what requirements you have to meet after a breach.
Notify local law enforcement immediately. You need to report the problem to them so they are aware of the risk of identity theft. If your local police department doesn't usually deal with data breaches, you can contact the local office of the FBI or the US Secret Service. If mail was stolen, contact the US Postal Inspection Service.
Are you covered by the Health Breach Notification Rule? If you are, you must notify the FTC and, in some cases, the media. Check the FTC's rules about whom you need to notify of the breach and when. If your business is covered by the HIPAA Breach Notification Rule, you must also notify the Secretary of the US Department of Health and Human Services.
If account information, such as bank account numbers, has been stolen but you don't maintain the accounts, contact the business that does so it can be on the alert for fraudulent activity. If you store data for another business, you must contact them promptly. If names or Social Security numbers were stolen, contact the credit bureaus for advice.
You must also contact every individual affected by the breach so they can promptly take steps to protect their information, such as freezing credit cards or changing account details. Give them clear information about exactly what was taken, and make sure they have a designated point of contact at the company in case they have questions or concerns. Give them guidance on how best to recover from data theft. Write a letter that covers what happened, what information was lost, what you are doing about it, what they can do, and whom to contact for more information.
Don’t Panic
It is important to work systematically through these steps so the breach is dealt with properly. Try not to panic, because a rushed response is where mistakes get made.
A breach might seem like a business-ruining disaster, but if you respond quickly and properly, you can recover. Work to rebuild customer trust in your brand, and you can come back from a problem like a breach. In 2011, millions of PlayStation Network customers were hit by one of the largest data breaches ever, but with a prompt response and hard work to win back customers, PlayStation was able to recover and hold onto its place as one of the biggest names in gaming.
Like PlayStation, consider offering compensation to any customers who may have been affected, and clearly explain how the problem is being handled on your end so customers can feel confident that you are taking steps to prevent another breach.