What to do if your company suffers a data breach

Published on : 21 Jun 2023


Not sure where to start if you notice a data breach? Here are seven essential steps to follow

Becoming aware that your company has suffered a data breach can be unsettling. However, due to the nature of cybercriminal activity, it is crucial to react quickly and correctly to contain the incident, minimize any further damages, and protect your business from legal troubles. Data breaches are affecting millions of people across the globe, with over 340 million records already compromised in 2023 headline cases and new incidents surfacing every week.

Your business’s best approach to a breach or cyberattack will be unique to the company and will depend, to some degree, on the service you offer, as this affects the type of data you may store. However, regardless of the size of your business, taking the right steps after a cyberattack can help protect your company and any records at risk if you fall victim.

1. Identifying and Containing the Damage

Once you have been made aware of a data breach, the first step is to identify and contain the damage. Businesses with a dedicated cybersecurity team, who are likely to have identified the breach initially, should secure any systems, patch software, change access codes, and so on.

This includes locating where the system weakness was and how it was hacked in the first place. If your business doesn’t have an in-house cybersecurity team, you can outsource IT specialists and a forensics team, as well as seek HR, legal, and crisis management advice, depending on how volatile the situation is. They will help analyze the threat, the extent of the breach, and how to mitigate it.

2. Understanding the Impact

Investigate the breach by running diagnostics to understand the impact it may have had on your business and customers. You need to know whether any data has been compromised and, if so, where it may have been shared. Data is often stolen by hackers to sell online, usually via the dark web. If you identify stolen or manipulated data on other websites, email the website owners to ask for it to be removed. It is also important to check which types of cyberattacks are most likely to affect businesses in your industry.

3. Reporting the Breach
A data breach risks the unsolicited sharing of people’s data, which can affect their rights and freedoms. How quickly you need to notify the authorities or your local cybersecurity council, or whether you need to escalate further, can depend on your location, the type of business you have, and how big the risk might be. Generally speaking, however, seeking advice and reporting incidents as soon as possible is best.

Be sure to familiarize yourself with state laws, which your legal counsel will be able to help with. Who you report the breach to can depend on the type of company and the scale of the impact. For example, if you are a covered entity (such as a healthcare provider) and unsecured health information has been exposed, you must notify the Secretary of Health and Human Services (HHS) of the breach within 60 calendar days of discovery if more than 500 individuals are affected.

If fewer than 500 individuals are affected, you should report it within 60 days of the end of the calendar year in which the breach was discovered. This must be done using the electronic notice forms online. The Federal Trade Commission (FTC) recommends that companies notify law enforcement as soon as possible by contacting local FBI or U.S. Secret Service offices.

In the UK, the General Data Protection Regulation (GDPR) states that incidents that pose a risk must be reported within 72 hours of identification. The Information Commissioner’s Office (ICO) provides a self-assessment tool to help people and companies determine whether a breach needs to be reported. Trust Service Providers and Qualified Trust Service Providers, people or legal entities that create and validate electronic signatures, must report data breaches that may cause serious impact within 24 hours of discovery to the ICO. If you need to report another type of cybersecurity incident, you can do so via the National Cyber Security Centre or seek more guidance on the government website.

4. Document evidence

For incidents that do require reporting, it is important to document as much information and evidence as possible. When you report the breach, law enforcement or another party helping to act on it will use this information to determine and advise on the next steps. If you have confirmed that the security breach doesn’t pose a risk and doesn’t require reporting, you should still document the details of the event, including the reasons why it was not reported. If the company is found not to be following regulations, it may be at risk of penalties and heavy fines, as well as legal action from anyone affected.
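As an added example (not code from the original article), the following Python script shows one way to keep the record this step calls for: an append-only incident log where each entry carries a timestamp, the decision taken (reported or not, and why), SHA-256 digests of any evidence files, and a hash link to the previous entry, so later tampering with or removal of an entry can be detected. The file names, event names and field layout are assumptions for illustration; the sample evidence file is constructed inside the script so it runs offline.

```python
"""Tamper-evident incident record for data-breach documentation.

Added example, not part of the original article. Entries are JSON lines;
each one stores the SHA-256 of the previous entry so the chain breaks if
any earlier record is edited or deleted. Field names are illustrative.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # assumed anchor value for the first entry's "prev" link


def sha256_file(path: Path) -> str:
    """Hash an evidence file in chunks so large captures need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so equal records hash equally."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log_path: Path, event: str, details: dict,
                 evidence: tuple = ()) -> dict:
    """Append one record that links to the digest of the previous record."""
    prev = GENESIS
    if log_path.exists():
        lines = log_path.read_text().splitlines()
        if lines:
            prev = json.loads(lines[-1])["digest"]
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "details": details,
        "evidence": [{"path": str(p), "sha256": sha256_file(Path(p))} for p in evidence],
        "prev": prev,
    }
    entry["digest"] = entry_digest(entry)  # digest covers everything but itself
    with log_path.open("a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path: Path) -> tuple:
    """Recompute the chain. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, line in enumerate(log_path.read_text().splitlines()):
        entry = json.loads(line)
        stored = entry.pop("digest")
        if entry["prev"] != prev or entry_digest(entry) != stored:
            return False, i
        prev = stored
    return True, -1


def demo() -> dict:
    """Write two entries, verify, then edit the first entry and verify again."""
    workdir = Path(tempfile.mkdtemp())
    evidence = workdir / "capture.txt"
    evidence.write_bytes(b"hello")  # constructed stand-in for a real evidence file
    log = workdir / "incident.jsonl"

    first = append_entry(log, "breach_detected", {"source": "ids-alert"}, (evidence,))
    second = append_entry(log, "decision_not_reported",
                          {"reason": "no personal data involved (assumed)"})
    intact = verify_log(log)

    # Simulate someone quietly changing the first record after the fact.
    lines = log.read_text().splitlines()
    record = json.loads(lines[0])
    record["details"]["source"] = "edited-later"
    lines[0] = json.dumps(record, sort_keys=True)
    log.write_text("\n".join(lines) + "\n")
    tampered = verify_log(log)

    return {
        "evidence_sha256": first["evidence"][0]["sha256"],
        "first_prev": first["prev"],
        "second_links_to_first": second["prev"] == first["digest"],
        "intact": intact,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log itself is not a substitute for a forensic image or a formal chain-of-custody form; it complements them by giving investigators and counsel a verifiable timeline of what was collected, what was decided, and when.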

5. Communicate clearly

A data breach can expose people’s personal, financial, and health information, and in some cases, social security numbers can be taken too. It’s important to be clear and honest in your communication with anyone who may have been affected.

Generally speaking, you’ll want to inform them of the measures your business has taken to bring the situation under control and advise them on anything they can do from then on to protect themselves. This could include setting up a fraud alert on their credit files, changing passwords, setting up two-factor authentication (2FA), and keeping a close eye out for phishing emails or unusual activity in bank accounts. You can also include links to up-to-date information on identity theft if appropriate.

How, when, and what information you communicate to those affected depends on several factors, including how likely it is that the stolen information could be misused. It can also depend on state laws, so the FTC recommends consulting a dedicated law enforcement contact. They will also be able to advise on the best steps so as not to interfere with any ongoing investigation into the case.

6. Consider forms of compensation

Depending on the extent of the breach, offering some form of compensation can help protect the company’s reputation, as well as protect customer and employee data moving forward. For example, when PayPal had a data breach in March 2023, customers affected were offered compensation in the form of free credit monitoring for two years. Although gestures like this won’t revert the data breach, they will add an extra layer of security and trust after such an incident. Offering information packs or sharing information from cybersecurity experts could similarly help anyone involved feel more confident against future attacks.

7. Learn for the future

As cybercriminal activity evolves over time, every data breach is an opportunity to learn how to better safeguard your company, its systems, and customers or employees against future attacks. Most businesses will have employees secured with 2FA for emails and general anti-virus protection, but this sadly doesn’t provide full immunity against cyberattacks that could lead to a data breach.

Final Thoughts:

The key learnings from a data breach event may differ every time. Producing a full post-incident report of what happened is important for introducing new cybersecurity measures or fine-tuning the ones your company already has in place.

If your business doesn’t already have one, invest in a dedicated cybersecurity team who can reinforce security systems and offer training to employees on data protection and cybercrime risk management. Also, adopt advanced encryption and firewalls, impose more controlled access to systems, and liaise with legal teams where needed to ensure all areas of concern are addressed.


Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.