Data Breaches can happen to any businesses of all sizes and therefore the question that must be asked is when one will happen, rather than if one will happen.
Most businesses today realize that, while a data breach can’t be predicted, it should be expected. The focus should shift to how to best handle data breaches that do occur.
Good planning will make the difference between a living nightmare for the whole organization or a prepared organisation that is ready to mitigate harm. The cost of poor planning, meanwhile, can be huge financial losses or even bankruptcy for small and midsized businesses.
This was the case for Impairment Resources LLC , a US medical records firm. The firm filed for bankruptcy in March after a break-in on New Year’s Eve 2011 that led to the compromise of roughly 14,000 files. The cost of dealing with the data breach was prohibitive for the firm, leading to its demise.
Creating a data breach incident response plan, and incorporating it into the organization’s business continuity plan, simply makes business sense. Here are seven things your business can do once your endpoint has been compromised:
- Stay calm. Don’t rush out the minute you learn about your data breach and announce it to the world. You will want to take a deep breath and organize your response team. Involve designated key employees, a privacy attorney, a computer forensics expert, and your cyber insurance agent as part of total data breach response strategy.
- Call your insurance agent. While traditional business insurance policies do not cover data breaches, a cyber insurance policy will. Your cyber insurance carrier would help coordinate your incident response team.
- Get a computer forensics investigator involved. Before you send out your notification letters, you will want to know whether any sensitive personally identifiable information (PII) was accessed/stolen. Knowing this will trigger whether or not you need to report your data breach and determine if notification letters need to be sent.
- Speak with/hire a data privacy lawyer. If you believe that your data breach has exposed sensitive PII, you will want to hire a data privacy attorney to help coordinate your breach from start to finish.
- Send out notifications to potential breach victims. Each state where you do business and where your customers reside will have its own requirements for reporting breaches. Follow state notification laws and adhere to specified time frames for sending out notification letters.
- Offer an identity-theft/credit-monitoring service. While not a requirement, it’s become an industry standard to offer some type of identity-theft/credit-monitoring service to each potential victim.
- Tighten your endpoints and fix data leakage. While no security system is 100 percent foolproof, installing firewalls, updating antivirus systems, investing in an IPS or IDS system, and updating software and patches can help your business minimize the risks of an additional data breach.
How your business responds to a data breach can either harm or enhance your reputation. Take the time to think about the steps involved and to create a data breach incident response plan before a data breach happens.
Disclaimer: Conditions apply for each policy and the information expected from you for a policy to trigger. Coverage may differ based on specific clauses in individual policies. Please ask your broker to explain any additional benefits and exclusions pertaining to your policy.
“The information provided is general advice only and does not take account of your personal circumstances or needs. Please refer to our financial services guide which contains details of our services and how we are remunerated.”