If you think your business is safe from prying hackers because it’s small, think again. Seventy-one percent of breaches involve small businesses, and only 20% of those businesses survive more than 18 months after a breach, according to Business News Daily. Because the likelihood of a business-ending breach is so high, your business needs a response plan to not only improve your response time but also reduce your company’s breach-related losses. Here’s how to create your data-breach response plan.
First, do your pre-planning homework. You can reduce your chances of falling prey to data thieves by keeping your company’s operating system and application software up to date, practicing good password security habits, and guarding against phishing attacks and equipment theft. It’s also an excellent idea to insure your business against data theft. More than 95% of small businesses don’t carry data breach insurance, although policies are available through many major insurers. Going without coverage can be a costly mistake. According to data from the National Small Business Association, the average small-business data breach cost $8,699 in 2013. Buy a policy now and the cost of the breach will be one less thing to worry about as you deal with the rest of the steps on this list.
Step 1: Know there’s been a breach
The ugly truth about data theft is that skilled criminals can ransack your company data and leave – or worse, hang around in your system collecting data as it arrives – without dropping clues most of us can spot. That’s why so many companies learn about their system breaches from outside sources like banks and customers. If you get such a report, take it seriously and activate your response plan right away. If your security software shows an infection, it’s also time to act.
Step 2: Isolate the problem
Regardless of how you learn about your suspected or confirmed breach, you’ll need to figure out which computers and/or servers are compromised. Take them off your business network – physically unplug their Ethernet cables or wireless adapters – and disconnect them from the Internet. Put this equipment off-limits for business use, but don’t turn it off. The PCI Security Standards Council advises that powering down infected equipment “may make investigation more difficult and remove answers you need.”
Step 3: Save access and activity logs
This is the step when enterprise-level businesses bring in the IT forensics experts to see who’s had system access and what they did. You may not have a team, but you can appoint someone on your staff ahead of time to back up and save the logs from each piece of compromised equipment and from your network in the event of a breach. You may not ever learn exactly which data was compromised, but keeping a record of the logs is the best possible start and will be critical if law enforcement or card issuers launch an investigation.
If you’re a solopreneur without the know-how to do this kind of backup, start looking now for computer-security businesses in your area that can do this for you and talk to them about their services, rates, and policies.
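One way to carry out the log-preservation step on a Unix-like machine, as an added example that is not part of the original article: copy the logs into a read-only archive, record a SHA-256 hash of every file so an investigator can later prove nothing was altered, and write a short chain-of-custody note. The script assumes the logs sit under one directory (the `SRC_DIR`/`OUT_DIR` names and the sample log lines are constructed for this example) and that either `sha256sum` or `shasum` is installed.

```shell
#!/bin/sh
# Preserve logs from a suspected-compromised host for later investigation.
# Assumed layout (not from the article): logs under SRC_DIR, evidence to OUT_DIR.
set -eu

# Pick whichever SHA-256 tool the system has (GNU coreutils or BSD/macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Constructed sample logs so the script can be exercised offline.
make_sample_logs() {
  dir="$1"
  mkdir -p "$dir"
  printf 'Jan 10 09:12:01 pos01 sshd[412]: Accepted password for admin from 203.0.113.7 port 51022\n' > "$dir/auth.log"
  printf '203.0.113.7 - - [10/Jan/2024:09:13:44 +0000] "GET /admin/export.php HTTP/1.1" 200 5120\n' > "$dir/access.log"
}

# Archive the logs, hash originals and archive, and record who collected them.
# Prints the path of the manifest it wrote.
preserve_logs() {
  src="$1"; out="$2"
  mkdir -p "$out"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  archive="$out/logs-$stamp.tar.gz"
  # Copy into an archive rather than editing anything in place on the host.
  tar -czf "$archive" -C "$src" .
  manifest="$out/manifest.sha256"
  : > "$manifest"
  for f in "$src"/*; do
    [ -f "$f" ] || continue
    printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
  done
  printf '%s  %s\n' "$(hash_file "$archive")" "$archive" >> "$manifest"
  # Chain-of-custody note: when, from which host, by whom, and where it went.
  printf 'collected_utc=%s\nhost=%s\ncollector=%s\nsource=%s\narchive=%s\n' \
    "$stamp" "$(uname -n)" "${USER:-$(id -un)}" "$src" "$archive" > "$out/custody.txt"
  # Make the evidence read-only so it is not overwritten by accident.
  chmod 0444 "$archive" "$manifest" "$out/custody.txt"
  printf '%s\n' "$manifest"
}

# Re-hash every file listed in the manifest; returns non-zero if any changed.
verify_manifest() {
  manifest="$1"
  status=0
  while read -r expected path; do
    actual="$(hash_file "$path")"
    if [ "$actual" != "$expected" ]; then
      printf 'MODIFIED: %s\n' "$path" >&2
      status=1
    fi
  done < "$manifest"
  return $status
}

# Usage: sh preserve_logs.sh --demo   (runs against the constructed sample logs)
if [ "${1:-}" = "--demo" ]; then
  work="$(mktemp -d)"
  make_sample_logs "$work/src"
  m="$(preserve_logs "$work/src" "$work/evidence")"
  verify_manifest "$m" && printf 'evidence intact: %s\n' "$m"
fi
```

Run it as early as possible after isolating the machine, store the output directory on separate media, and keep the manifest with the archive: the hashes are what let an investigator, a card issuer or the police confirm that the logs handed over are the ones collected on the day of the breach.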
Step 4: Inform your payment and banking partners
Any time your customers’ payment data is at risk, you need to notify your payment processor, merchant bank, and the major credit card issuers right away. Your processor and bank will step up monitoring and review of your orders. Depending on the volume of credit card transactions your business generates, the card issuers may want to launch a forensics investigation led by a PCI-approved professional. Know the time limits your payment partners set for breach reporting and follow them. Late reporting can increase your liability for breach losses.
Step 5: Notify law enforcement
Depending on where you do business, you may be required to notify law enforcement in the event of a suspected or confirmed breach. Whether you’re required to or not, both the Federal Trade Commission and the Better Business Bureau recommend that you contact your local police department, state law enforcement, or the FBI to report the breach.
Step 6: Contact your insurer
Remember that insurance policy you bought before step one? Contact your agent and provide as much information as you can about the breach, including any case numbers assigned by the police or FBI.
Step 7: Call the credit bureaus
If your business stores customers’ personally identifiable information, payment data, or Social Security numbers, you should also notify the three major credit bureaus (Experian, Equifax, and TransUnion) so they can flag customers’ files.
Step 8: Tell your customers
This step makes many business owners wince, but transparency is the best policy. It’s also the law in most states and major territories. (The National Council of State Legislatures keeps a current list of state and territory breach laws you can check.) Be upfront when you contact your customers. Experian advises businesses that “consumers want to see facts about the breach, information about the risks they may face, steps they can take to protect themselves.” Give details if you have them. If you’re unsure what information was stolen, say so.
The FTC and state governments that require consumer notification of breaches offer sample letters you can adapt, like this one from the Massachusetts Attorney General’s Office.
Step 9: Tighten your security
Learn all you can from the data breach to figure out where your business is vulnerable and how to prevent a repeat incident. Cooperate with any investigators working on your case and let your customers know that you’re strengthening your protection of their data. Keep your data breach insurance policy paid up.