What’s worse than a massive data breach? Not reporting it.
Yahoo is learning that lesson the hard way. The Internet giant is coming under intense scrutiny for only just revealing that at least 500 million of its user accounts were stolen back in 2014. It now faces multiple class action lawsuits and its sale to Verizon could be in danger.
The lessons learned don’t apply just to big corporations: any small business that collects customer information also has important obligations to its customers. In fact, 47 states and the District of Columbia each have their own data breach laws. (Only Alabama, New Mexico, and South Dakota do not.)
Increasingly, hackers are turning their attention to entrepreneurs. Forty-three percent of hack attacks in 2015 were against small businesses, according to Symantec’s 2016 Internet Security Threat Report. This is a 9% increase compared to 2014.
Here’s what small-business owners are required to do in the event of a data breach:
1. Inform customers immediately: Once you know a breach has occurred, by law you are required to inform customers whose data has been compromised. State laws may vary on how quickly you need to get the word out. Generally speaking, however, “speed is of the essence,” says Thomas Brown, managing director in charge of the cyber-security and investigations practice at Berkeley Research Group. Michael Kaiser, the executive director of the National Cyber Security Alliance, says businesses should inform consumers as quickly as possible, even if they don’t have all the answers. Exceptions may include when an investigation by law enforcement authorities is underway.
2. Send a written notification: You’ll need to send a written notification to every customer, that clearly states a data breach has occurred, when it occurred, and what kind of information was compromised. For example, was it driver’s licenses, credit card numbers, or social security numbers that were stolen? You’ll also need to say what the company is doing to provide a remedy, and what actions customers can take. Remedies may include directing people to a website or a 1-800 number set up by the company, where they can get additional information. You may also want to supply contact information of the three credit monitoring agencies, Equifax, Experian and Transunion, which can put fraud alerts on consumer accounts. In some cases, if the data breach involved more than 500,000 customers or notification costs would exceed $250,000, many state laws allow you to send electronic communication. (California, whose data breach statute is considered the most stringent in the U.S., includes in its law the exact template that businesses need to follow when communicating with customers about a data breach.)
3. Know the state laws. Currently the only state to do so, Connecticut recently amended its breach statute requiring businesses to offer a minimum of one year of credit monitoring to consumers affected by a data breach. You’ll need to offer it if you operate in the state.
4. File a notice of breach. If you notify more than 500 customers about a breach, many states will also require you to file a notice with your state attorney general’s office.
5. Comply with your industry’s regulating bodies. Businesses operating in certain industries, such as healthcare and financial services, may have additional notification requirements for example under the Health Insurance Portability and Accountability Act (HIPPA), or through regulating bodies including the Securities and Exchange Commission (SEC) or the Financial Industry Regulatory Authority (FINRA). Among other things, HIPPA stipulates that if a healthcare business experiences a breach involving more than 500 customers, it must notify a prominent media outlet about the incident. The SEC and FINRA also require financial services businesses to contact them about breaches, as well as any state regulating bodies.
Recommended best practices
6. Implement an ‘incident response’ plan. Have an “incident response” plan in place. It should be written and updated at least once a year. It should include the telephone numbers for attorneys, IT forensic experts, and vendors who can help with customer outreach. It should also map out what your computer network looks like, so you can easily identify the potential vulnerabilities. That would include any staff regularly working offsite, cloud service providers, or the networks of any company you may have recently acquired.
7. Call in a forensics team. Once a hack attack occurs, you should bring in cybersecurity experts who can test your network to find out what kind of hack attack occurred and in what part of your network. You should also consider annual testing to find out where your network weaknesses are — through a process called “penetration testing”, where experts closely scrutinize your network for holes that hackers can exploit. That’s particularly important as the nature of cyber threats changes quickly and continuously, security experts said.
8. Notify local and federal authorities. It’s not a requirement in most instances, but it could be extremely helpful, as the hack attack against your business might be part of a coordinated attack by criminals. “Local police may already be seeing similar kinds of attacks, and collecting evidence against perpetrators,” Kaiser says.
9. Consider cyber insurance. Policies can be purchased from most major insurance carriers for between $5,000 and $10,000 per $1 million in protection, says Mark Greisiger, president of NetDiligence, a cyber risk management firm. Policies will generally cover things like legal and forensic fees, expenses related to customer outreach, costs for providing customer credit monitoring, and court costs related to civil litigation and class actions. Many policies come pre-loaded with access to online portals that let you connect immediately with the experts you’ll need following a breach, Greisiger says.
10. Come up with a contingency plan. Data theft can shut down your business for weeks or months while IT experts work to secure your network again. You’ll need to do serious damage control with your existing customers, and figure out a way to keep sales channels open. That might include having a backup network or reverting to old-fashioned methods of selling, such as taking orders by phone or paper. “You have to get back to operating as quickly as possible,” Kaiser says.