Your clients entrust your business with their personal information on a regular basis. You swipe credit cards, make sales, take phone numbers or addresses, and might need even more sensitive information at times. We’d like to think that our computer systems and IT are secure, but they’re not. They can come under attack at any time, and if they fall you need to know how to face the consequences.
When a cyber thief steals your clients’ personal identifying information, or PII, you’ve become the victim of a data breach. The seriousness of a breach depends on several things, but nonetheless, there’s a good chance that it will require a very awkward conversation with clients. How are you supposed to tell them that their information and their privacy were compromised on your watch? The thing is, thieves are very crafty and they often go after…
- Social security numbers
- Credit card numbers or info
- Tax identification information
- Business ID numbers
- Employer ID numbers
- Fingerprints, DNA, and other things that are used to confirm identities
- Payroll information
- Medical information
- Dates of birth, addresses, phone numbers, names, etc.
You need to have a plan for how to handle a data breach, and we’re here to help make sure that you don’t get caught off guard. We’ll go over what you need to do in the event of a hack, what information you need to gather, and how you will tell your clients about the data breach.
What should you do if you are informed of a possible breach?
1. Investigate immediately.
Do some digging. You’re looking to see when the breach occurred, how the attackers stole the information, and how many of your clients would be affected. Remember, the stolen information is confidential for a reason. Don’t involve people who aren’t needed in your investigation.
2. Make a report.
Management has to create a report about the incident. They should cite the people involved. They also need to keep this record updated as the investigation proceeds, marking down any new information that you’re able to uncover.
3. Figure out if the breach is actually a breach.
Make sure that what you fear is a breach is really a breach. If you find out that nothing was actually stolen, tighten up your security so that the weakness you found doesn’t turn into a real incident.
4. Take stock of the risks.
You need to know what you’re dealing with. Ask yourself the following:
- How sensitive is the data that was accessed?
- How many of my customers were affected?
- Can this information be used to cause harm to my customers?
- Did the breach have a specific purpose behind it? Is there a high risk of this information being used for fraud?
- If the data was physically stolen, what is still protecting the PII on it?
- What can I do to reduce the chances of my clients being harmed?
The answers to these questions will help you figure out how bad the situation is.
5. Notify the people who need to be notified.
You need to consult with your company’s legal advisors to see who you are required to tell about the breach. This will be influenced by the number of people who were affected and the type of information stolen. Once you’ve identified the people you need to notify, stick to the list. Telling anyone and everyone about what happened might cause those who aren’t affected to panic.
Send your clients a hard copy of the notification. Even if you call your clients or send an email, your notification should also be in a written, physical format that will actually reach them.
6. Create a hotline.
You need to address the concerns of those who have questions and reassure them that you want to help as much as possible. Any of your affected clients who want to talk to your company about the breach should be able to.
What does the law say about notifying people of breaches?
There are only four states that don’t currently have laws that obligate businesses to tell their clients about breaches (AL, KY, SD, and NM). Healthcare centers, financial businesses, and government agencies are required by federal law to protect their computer systems, but individual states have passed their own laws about computer security. You have to follow the laws set forth by your state.
Even though each state’s laws are slightly different, they all have…
- A time limit for notifying your customers.
- Consequences for not meeting the deadline.
- Permission for customers to sue for your company’s role in the breach.
How do I tell people about the data breach?
You might dread having to tell people that their personal information was stolen from your company. The way that you respond to the breach is crucial. If you handle the situation poorly, your customers might turn up their noses at your business. Their loyalty could be gone.
There are a few things that you need to include in your letter of notification. You need to tell your client:
- What happened and when it happened.
- What types of PII were involved.
- What you are doing to investigate the situation.
- How you plan to minimize the fallout.
- How you’re going to prevent future breaches.
- What they can do to protect themselves.
- How to contact you if they have questions.
Remember, you want to tell your clients what happened swiftly and openly, but you also need to make sure that the information you give them is as accurate as possible.
How can the way that I handle a data breach affect my company?
Remember the Target debacle in 2013? Target’s point-of-sale systems were compromised, leading to 40 million of their customers having their financial information stolen and 70 million having their personal information stolen. To say the least, it was a disaster.
Target was criticized for the way that they handled the breach. They were seen as being unsympathetic. They were also accused of not telling people what happened quickly enough. They lost business because their customers no longer trusted them and they resented the way that Target dealt with the data breach. Target also had a change in leadership because of the way the situation was handled. Both the CEO and CIO left the company.
You don’t want your business to suffer a hit to your reputation, so handle the situation in a sympathetic way. Like you, your clients are freaked out. Treat your clients with respect and address any concerns they have. Report your findings accurately and quickly.
Technology is powerful. Those who can manipulate and infiltrate it could cause your business a real headache by stealing the personal information of your clients. The unsettling thing is that technology is always evolving. That means that your cyber security has to evolve right along with it if you want to make your clients’ information as secure as possible.
We can help you understand your cyber risks, and we can help to get you the coverage you need so that you’re protected if you ever fall prey to a data breach. You can even get a free quote for cyber insurance, or give us a call to talk about your cyber risks.