Does your organization have a plan in place for responding to a data breach?
Recent surveys have found more than half of small and midsize businesses in the United States have experienced at least one data breach. Among those who have experienced this problem, only one-third have notified their customers when the breach occurred.
“A data breach comes as a result of a cyberattack that allows cybercriminals to gain unauthorized access to a computer system or network and steal the private, sensitive, or confidential personal and financial data of the customers or users contained within.” Malwarebytes.com
Does my business need a security breach plan?
A data breach can hurt your business from several angles at once: your brand, your reputation, customer confidence and satisfaction, and employee productivity. Failing to act in a timely and effective manner can also expose you to legal penalties.
Every business should have a plan for how it will respond if sensitive information about customers or employees is compromised. This plan is known as a security breach plan, data breach response plan, or cyber incident response plan. A plan tailored to your business puts procedures in place to contain and minimize the damage from a breach, and it ensures that you and your employees know, in a straightforward, documented way, the steps to take when one occurs.
What should I include in my data breach response strategy?
Your data breach response strategy is a key part of mitigating risk when it comes to a data breach. Here are a few suggestions of what to include as you develop a strategy specific to the needs of your business:
- Develop a data breach notification policy. This policy is written for your customers and tells them how your organization will notify them if a data breach occurs.
- Train your employees to recognize breaches. Every employee should be able to spot the signs of a potential data breach (for example, a phishing message, a lost device, or unusual account activity) and know whom to report it to.
- Notify financial institutions. If payment card data (such as card numbers) is compromised, contact the acquiring bank or payment processor that handles your card transactions; your merchant agreement and the card brands' rules typically require prompt notification.
- Seek assistance from an attorney or risk consulting firm as soon as you become aware of a possible data breach. These professionals can help you identify which laws apply and whether you must notify customers, regulators, or law enforcement.
- Notify affected customers in the way your data breach notification policy promised, as soon as the facts of the incident are confirmed. Many breach notification laws set deadlines for notifying individuals and regulators, so build those deadlines into your plan. Customers who learn of a breach from another source, such as a news report or a fraud alert, will trust you less, and your reputation will suffer.
Once you have a plan in place, test it regularly, for example with a tabletop exercise that walks staff through a simulated breach. This keeps employees familiar with the procedures they will need to follow if a real breach occurs.
These suggestions from the Federal Trade Commission can help you get started developing a data breach response plan for your business: https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business
Tips for notifying customers of a data breach
In a survey by the Ponemon Institute, customers described how they expect an organization to respond after a data breach. Respondents said they expect the following:
- Breach notifications should be easy to understand, well written, and concise. Avoid legal language that obscures the message; present all the facts in a way the average person can understand.
- Let people know what your organization is doing to protect them from financial damage.
- Explain the risks and offer advice. Provide information on what steps your customer should take to protect themselves.
- Offer financial help. Many experts recommend offering credit monitoring or identity-theft protection services to breach victims.
Developing and implementing an effective data breach response strategy will enable your organization to protect the personal information your customers and employees have entrusted you with.
Typical business insurance policies often do not provide adequate coverage for cyber risk. Cyber insurance programs are available to help cover the costs of responding to data breaches and providing services to affected individuals. To learn more about what options are available, contact your Leavitt Group insurance advisor.
The best defense against loss from a data breach is to do all you can to prevent a breach from occurring in the first place.
Other articles you’ll find helpful:
Social Engineering — A Risk You Can’t Ignore
Protecting Your Business from Cybercrime
The Case for Cyber Liability Insurance