This year, according to the Identity Theft Resource Center, there have been more than 500 data breaches reported at U.S. companies, resulting in more than 15 million stolen records.
If you look through the numbers, you'll notice that many of these data breaches happen at small businesses. You'll see names for small storage companies, hotels, grocery stores, consulting firms, and even a tattoo parlor. Hackers target all sorts of businesses, including your clients'.
As a provider of IT services, you can be held legally liable for losses associated with breaches your clients suffer. While it’s important to help your clients understand how to prevent a data breach, it’s also essential to have a plan in place to respond to one. Having a plan for handling data breaches can reduce the cost of an incident by up to 47 percent, according to the Symantec and Ponemon Institute 2013 Cost of a Data Breach Study.
This guide is designed to help you develop a response plan for when one of your customers suffers a data breach so you can respond quickly and effectively to minimize the likelihood that they’ll sue you for losses.
Sample Data Breach Response Plan: 8 Steps to Protect Your Business
The most important part of your data breach response is the work you do before an incident happens. With a clear plan in place, you don’t have to waste time researching your legal obligations to your clients or worrying about whether they will sue you. You just go. And the sooner you’re able to act, the better you’re able to contain the damage and help your clients get back to business as usual.
- Step 1: Perform triage. Stop the bleeding. Find out where and how the data leak happened. Fix it or take preliminary steps to fix it. This might involve updating security software, changing passwords, disabling accounts, and more. You may also have to collaborate with other contractors working with your client to secure the network.
- Step 2: Contact your insurance provider. Most Errors & Omissions Insurance policies sold to IT businesses include third-party Cyber Liability protection, which provides coverage for your legal defense and any settlement won by your client. The client might incur substantial internal costs (e.g., notification and credit monitoring expenses for customers whose information was exposed, lost revenue, or even reputational damages caused by bad publicity following the breach). To recover those costs, they might decide to sue you, the IT provider they think is responsible. The faster you report an incident at a client’s company, the faster your insurance provider can help you work to minimize losses. Delaying too long can even jeopardize your chances of receiving any coverage for the claim, so be sure not to put off contacting your insurer.
- Step 3: Focus on repairing, not assigning blame. Depending on the size of your client’s business, you may have to work with various department heads, other contractors, and employees to figure out how the breach happened and how to repair damages. Some of those people may not be forthcoming with information, especially if they think they’ll be blamed for the breach. To ensure you can restore network security, you’ll need a bird’s-eye view, so emphasize that your goal is to repair the damage, regardless of how it happened.
- Step 4: Educate your client to prevent future incidents. A recent Verizon study found that about 79% of data breaches are crimes of opportunity, meaning that tightening up security can go a long way to preventing data breaches. Review with your client best practices for updating passwords, installing software patches, using antivirus software, and limiting access to sensitive data. You may want to prepare a document with security guidelines that you can send (or resend) following a breach.
- Step 5: Recognize the limitations of your role (and who else should be helping). For many small businesses, IT security experts are the go-to people for responding to a data breach. While you can provide important data security services to your clients, it's important to recognize the limits of what you can (and should) do. Explain to your client the importance of working with professionals who have a background in criminal investigation (this interview with a former DOJ attorney who specializes in cyber crime goes into detail on the matter). Especially for larger data breaches, businesses need to document everything and adhere to certain investigation procedures to prepare for any criminal investigation.
- Step 6: Determine who should perform what duties following a breach. It’s easier to take action following a data breach when everyone’s role has been defined ahead of time. Review the above steps and decide who in your business will be responsible for each. Recognize that performing these duties may mean extra hours or delays on other projects, and adjust accordingly.
- Step 7: Save your records. You can be sued months or years after a data breach by a client who wants to hold you responsible. This makes it especially important that you preserve all records and logs from the time of the attack. You need to make sure that if you're in a courtroom two years from now, you have an accurate history of what actions you took to prevent the breach and manage the damage so you can defend yourself.
- Step 8: Rebuild your reputation. If you’re named in a data breach lawsuit, your reputation could take a hit. Consider focusing your marketing or public relations efforts following such a suit on emphasizing the security measures you have in place to prevent future incidents. This demonstrates that you take client security seriously.
To enable you to act quickly and efficiently following a client data breach, your response plan materials should include…
- Contact information for your insurance agent.
- A list of applicable state laws that outline fines or penalties you might be responsible for.
- Educational materials on data security to distribute to your affected client and their employees.
- Descriptions of data breach response roles for you and your team.
- A plan of action for documenting expenses related to the data breach.
The following blog posts offer more information on managing the risks data breaches present your business:
- Your Most Powerful Anti-Data-Breach Tool (Spoiler: It's Client Education)
- What Are IT Professionals Legally Responsible For?
- Data Leaks: 3 Questions Every IT Professional Needs to Know