How to Protect Your Business from Identity Theft: Response
What do you do if a data breach hits your business? The steps you take to respond to a data breach may make the difference between facing identity theft lawsuits and having a small, containable data breach.
The statistics about data breaches aren't pretty. A study by Risk Based Security, an Internet security firm, reports that the number of consumers affected by data breaches in 2013 was roughly twice as high as in any earlier year. And breaches are happening at small businesses as well as large ones. In fact, Forbes Magazine calls data breaches "inevitable" for small businesses.
Given the increasing risk of cyber attacks, you need a comprehensive plan in place to help you respond to a breach quickly, limit its damage, and prevent identity theft. Specifically, data breach response plans outline how to…
- Investigate the data breach.
- Report the breach.
- Contact your customers.
- Reduce the risk of identity theft.
Your First Response: Investigate the Data Breach
Before you can do anything, you need to know what you're up against. Depending on your level of technical expertise, you might need outside help as you investigate the breach. Your IT consultant or an incident response firm should be able to help you figure out what data was compromised, how many customers were affected, and how the attacker got in. Preserve evidence (system logs, disk images, and the affected accounts' access records) before you start cleaning up; investigators, regulators, and your insurer may all need it later.
If a security flaw in your network or software caused the breach, fix it immediately, but capture that evidence before you wipe or rebuild the affected systems. Otherwise you may close the hole and lose the only records that show how far the breach spread.
Report the Breach: Who Do You Need to Tell If You Think You've Been Breached?
Depending on your state laws and the size of the breach, you might have to report it to a consumer protection agency, the office of the state attorney general, or other law enforcement agencies. (These laws vary, so check our guide to state data breach laws.)
How You Tell Your Customers about a Data Breach
First, it's important to note that your notification duties are likely outlined by state laws.
A few states set a specific number of days by which you must contact customers. In Maine, you only have seven days, but in other states you have up to 45.
Most states don't set a specific requirement, but instead use language like "in the most expedient time and manner possible and without unreasonable delay." In other words, states put the burden on you to contact customers as soon as you reasonably can without jeopardizing the data breach investigation.
But before you rush to inform your customers, make sure all your ducks are in a row. You'll need to post information on your website, set up a call center (or other means for receiving complaints and concerns), and possibly even hire temporary employees to help you handle customer complaints.
Helping Your Customers with ID Theft Prevention
It's common practice for businesses to offer credit protection services to customers who have been affected by a data breach. Most businesses offer one year of credit monitoring after a breach. Be clear with customers about what it does: monitoring doesn't stop a thief from using stolen data, but it alerts customers when a new account or credit inquiry appears in their name, so they can catch fraud early and dispute it. It is also not cheap.
You'll have to pay for these services and set up a contact person in your organization who can answer customers' questions about how to enroll in credit monitoring and explain what it will and won't do to protect them from identity theft.
The good news: a Cyber Liability Insurance policy (which you can purchase as a standalone policy or as an endorsement to a General Liability policy or BOP) can cover many or all of these costs, depending on the policy's terms and limits.
Responding to a Data Breach
Between meeting legal requirements, managing the data breach crisis, and helping customers protect their credit, there's a lot to keep track of. Data breach response plans and checklists help you avoid mistakes when you're in crisis mode. You can print out our data breach checklists and keep them with your data breach response plan.