So You’ve Experienced a Security Breach—Now What?

Data security breach. Few phrases strike more fear into the hearts of business owners. A breach can happen to any company at any time, from a small mom-and-pop retailer to a massive international conglomerate. More than 7,000 data security breaches were reported in 2019 alone, with more than 15 billion records being exposed. When your business is struck by a security breach, taking swift and decisive action is the best path forward.

Stop the Bleeding

Preventing further data loss is the first thing to do when a security breach is discovered. How that will look depends in part on the nature of the breach. An intentional data exposure by an employee requires a different response than a breach caused by a server weakness.

In any case, mitigating further damage is job one. This may involve shutting down certain systems, immediately changing passwords and access codes or remotely wiping devices that have been compromised. Ideally, your employee handbook or other company policy includes a security breach response plan and establishes a data breach response team or point person who oversees this process.

Determining the extent of the breach is urgent but can be difficult, especially in a business with limited IT resources. Some companies bring in forensics experts to investigate and assess the damage. Law enforcement may also be involved if the breach was caused by theft of physical property.

Tighten Data Security

Once you’ve secured your data, the next step is to close any gaps that contributed to the breach or could contribute to future breaches. Your company’s IT personnel will be busy during this period. If you’ve brought in forensic experts to analyze how the breach happened, their findings will inform what changes need to be made.

Adding more security protocols to strengthen your digital barriers is a good step, no matter how the breach happened. But there’s also work to be done that doesn’t involve IT. Are employees complying with policies around safeguarding company devices while working from home? Are there any procedures that could have helped you identify the breach sooner? Do employees need a refresher on data destruction best practices, to make sure your physical data is always protected?

Report the Security Breach

This can be one of the most painful parts of a data security breach for a business owner: sharing the news that your data has been compromised. You might worry that reporting a breach will hurt your reputation or turn your clients away. Luckily, we live in an age where people understand how easily breaches happen.

Depending on the nature of the breach, your industry and your state, you may be legally compelled to report the incident to certain parties. This can get tricky if the breach exposed any customer information, especially if those customers live in other states. For example, Massachusetts has a data breach notification law that applies to any business or other organization that owns or licenses personal information belonging to Massachusetts residents. It’s advisable to consult with an attorney when there’s any confusion around which notification laws apply in your situation.

Procedures for reporting data breaches also depend on your location and the breach. In Massachusetts, a breach must be reported if it exposes the personal information of a resident, defined as the person’s name in combination with their Social Security number, driver’s license/state ID card number or a financial account number. Notifications must be made to the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office. There are additional requirements for notifying consumers about data breaches that may have affected them.

Note that if the breach involved any personal medical information, the FTC’s Health Breach Notification Rule applies. It has specific reporting requirements that vary based on the scope of the breach. A business that violates this notification rule is subject to penalties of up to $43,280 per violation.

Move Forward

Data breaches can be devastating when they happen, but hopefully your business will be able to move forward with stronger policies in place. It’s useful to build in some checks and balances to make sure that your workforce doesn’t become lax about data security once the initial breach is in the past. This might mean implementing a record retention policy, requiring staff to go through refresher training every year, changing remote device policies and limiting access to secure data.

As you look to your company’s future, remember that security breaches aren’t always digital. Your paper files and data-storing devices must be protected with the same vigilance as your servers. A hacker has to intentionally target your company with a digital attack, but an employee who mistakenly throws away a sensitive financial document could expose your entire company by accident. Data security is just as important when employees are working from home.

Permanent data destruction has to be your company’s policy for disposing of sensitive information. Northeast Data Destruction works with businesses to prevent security breaches by collecting sensitive materials in locked containers and shredding them in our secure, NAID AAA-certified facility. How can Northeast Data Destruction help you protect your company’s data? Contact us today.