It's not uncommon to hear stories about large corporations such as Citrix and Starwood Marriott falling victim to data breaches. However, small and medium-sized businesses are also at risk from these cybersecurity attacks. No matter the size of the company, recovering from a breach presents similar challenges.
What is a data breach?
A data breach occurs when sensitive information is accessed by cybercriminals who find a way to bypass network security from a remote location. They may steal personal and sensitive information like:
A data breach can also occur due to simple mistakes by employees. The Identity Theft Resource Center found that in 2019, 705 million non-sensitive records were compromised due to data breaches, while cyber attacks exposed over 164 million sensitive records. Non-sensitive records such as usernames or passwords can lead to additional exposure. The Ponemon Institute found that the average global cost of a data breach in 2020 was $3.86 million.
The Importance of Creating a Data Breach Response Plan
Businesses should prepare for a cybersecurity attack by creating a comprehensive data breach response plan. A data breach response plan, also known as a security breach response plan or a cyber incident response plan, helps businesses appropriately respond to a cybersecurity attack by providing the necessary steps to respond in a straightforward, documented manner. There are various data breach response plan templates to utilize, and depending on the size of the business, they can be a few pages to several hundred pages long. While the details can and should be customized to the organization, there are certain things every security breach response plan generally includes.
What to Include in a Data Breach Response Plan
Having a data breach plan in place will give your business procedures to follow if you are a victim of a data breach. Certain essential elements to the data breach response plan will need to be considered to pull the procedures together.
Establish a baseline with existing security policies
Take a look at the company's current privacy and security policies and use them as the framework for the data breach response plan. There is usually no need to create an entirely new security policy from scratch. Instead, save time and avoid duplicated effort by expanding the current policy to cover cybersecurity attacks and data breaches.
Identify what defines a data breach
Businesses should clearly state what type of data breach triggers the response plan, which will vary by industry. Perhaps the company stores personally identifiable information (PII), such as social security numbers, dates of birth, mothers' maiden names and so on. This type of information is typically legally protected, and many state laws require businesses to notify the victims after such a breach. Another common category covers incidents that could lead to a material loss for the company, for instance, when confidential information or trade secrets become compromised.
Designate a data breach response team
Although there's no way to determine in advance which departments of the company could be impacted by a data breach, one employee from each of several key groups, such as IT, Human Resources, Legal, Communications, Compliance and the C-Suite, should be assigned a specific role in the event of a security incident. This team should be notified immediately and should understand the responses required for the internal and external inquiries that will undoubtedly arise.
Messaging and communication
A data breach policy should also include a messaging deployment schedule and an escalation process for the key team members mentioned above. The communication plan should follow all legal notification requirements for the parties affected by the breach, such as customers, employees, vendors and others. This process is a vital step that sets the timeline and alerts the victims to the specific data that was compromised. Make sure to seek counsel from the legal team, who can review the particular state laws and compliance regulations that apply and what compensation, if any, might be owed to the victims of the data breach.
Information about what data breach insurance covers
Data breaches have become a fact of life in today's online world. Cyber liability insurance grew out of the errors and omissions insurance policies developed by tech companies 20 years ago, which were created to cover events such as one company's software crashing another company's network. Along with creating a data breach response policy, many companies today also carry cyber liability insurance, sometimes called data breach insurance, to protect against financial loss and damage from a cybersecurity attack.
What are Data Breach Protection Laws?
Data breach notification laws vary by state, but today all 50 states have them. Most states have implemented legislation that requires businesses to notify customers of a security breach when it involves personal information. For example, in Ohio, protected information includes a combination of social security numbers, driver's license numbers and credit/debit card account numbers. In 2020, California enacted the California Consumer Privacy Act, giving consumers more control over how their data is shared and more protection should a data breach occur.
Additionally, depending on the type of information compromised, each state has its own specific data breach notification requirements. A business's legal counsel should be one of the first departments alerted following a cybersecurity attack, as they will research the state's law on whom to notify in the event of a data breach and determine whether the breach the business experienced is of the type covered by the law.
Some of the parties you may need to notify include:
Local law enforcement
As soon as you realize your business has been the target of a cybersecurity attack, the legal team should notify local law enforcement to report the situation. Time is of the essence: the sooner the authorities are made aware of the incident, the more effective they can be in stopping it from escalating further. The FBI's local field office can also be of assistance if the local police aren't familiar with cyber theft investigations. Law enforcement can also help with the timing of the data breach notification you will send to your customers, to ensure it does not obstruct the investigation.
Vendors and business partners
If any of your company's vendors or business partners were affected by the data breach – for example, if your business stores or collects customers' personal information like social security or credit card numbers via a third-party vendor – legal counsel needs to notify them as soon as possible. This helps ensure they'll monitor their accounts accordingly and watch for any potentially fraudulent activity.
Customers
Companies should send affected customers a formal notification of the data breach in the form of an email or letter. In general, the notification should include the following information:
How and when the breach occurred
What information was stolen and how it may have been misused
The steps being taken to address and remedy the situation
Actions the customer can take to protect their information
A contact number, email address or website where customers can learn more
Remember, the potential damage to your company's reputation is one of the most significant consequences a data breach can cause. Communicating properly with customers helps protect your relationships and rebuilds their confidence in your organization.
Disclaimer: WorkersCompensation.com publishes independently generated writings from a variety of workers' compensation industry stakeholders. The opinions expressed are solely those of the author and do not necessarily reflect those of WorkersCompensation.com.