How to Respond to a Data Breach
Data breaches at big companies seem to be happening more regularly. Small companies get affected, too, but it is just not publicized as much when it does. Even the federal government has been the victim of large-scale foreign hacking incidents that affect millions of current and former employees in the government’s personnel database.
While there are things you can and should do to make your company less vulnerable to a data breach, you also need to know how to respond to one if your business is affected. With so many data breaches happening around the world, and particularly in the United States, your business’s chances of being the victim of one at some point are relatively high.
Always Have a Plan in Place
Even if your company’s data security is as perfect as it can be, you can’t ever be 100 percent sure your data is protected. Hackers are getting more sophisticated all the time, and if they are determined to get into your databases, they have a high chance of eventually succeeding. You may be relatively certain a data breach will never happen to your company, but always have a plan for dealing with it, just in case it does. In this day and age, you just never know.
Keep the Details of the Plan Confidential
In coming up with a plan for dealing with a data breach, you will need to work with other people, such as your company’s senior executives and security team. However, no one else needs to know about the details of the plan. Even the highest level employees cannot be trusted to keep the details confidential; even if they don’t tell anyone who means to break into your business’s data, the people they tell in casual conversation might use it to their advantage against your company.
Only the most trusted people in your company who actually need to know the details of the plan should be made privy to them. Keeping these details confidential is, in itself, part of your security plan for your data.
Decide on How You Will Inform the Public
If your data breach affects the public in any way, you need a plan in place for informing them. Your company needs to decide on certain things, such as who tells the public, when they tell them, and what they say. Even if the public isn’t affected by your data breach, you still need to have a plan in place for people in the business world or in your company, who need to be informed, and how, when, and what to tell them.
Getting the correct message out to the public in a timely manner in the event of a data breach can protect your company’s reputation from taking a hit, or even ruining your company and pushing you out of business. The public will need to know how they are affected, whether there is anything they should do to make sure their own financial and personal information stays secure as a result of the breach, what the company is doing to deal with the breach, and how the company will protect data in a better way in the future.
Keep the Public Informed
As long as the breach is ongoing, the public is going to want to know how you’re dealing with it. This will include how you are tracking down the perpetrators, and what action you plan to take when you find them. You can have a set of message templates that can be customized to your unique data breach incident, and then a schedule for disseminating each message to the public.
It is always a good idea to have one public spokesperson for your company who talks to the public, either directly or through the press, so they are consistently getting the same message from the same person. This minimizes the risk for incorrect information being given to the public that could be damaging to your company’s reputation and image.
Decide if the Government Needs to Be Informed
Some businesses have dealings with the government, or are so large that any data breach becomes a matter of governmental concern. Decide if your company needs to inform the government of a data breach, and if so, how it will do it.
Keeping a list of the contact information of people in the government who need to know is important, as is keeping that list updated. Keep a set of message templates to be disseminated to the government on a regular schedule to keep them informed of your progress in dealing with the data breach as well, just as you would for the public. Informing the government of the breach in a timely manner, as well as keeping them informed of your progress in dealing with it, will go a long way in letting your company avoid government intervention in the matter.
Keep Your Plan Offline
All the details of your data breach plan need to be kept offline, or on computers that are not connected to the Internet. Ideally, there should be a paper copy stored somewhere secure on the premises of your business, and somewhere else, such as a bank safety deposit box. There should also be digital copies on external hard drives kept in secure places both on and off your company’s property.
This way, you can always access your plan when you need it, only people who are authorized to use it will see it, and it will be protected if your company’s physical building suffers any damage. Keeping the information offline also keeps it out of the hands of hackers.
Use an Auditing Company to Assist Your Company in Developing and Implementing a Data Breach Plan
An external auditing company that specializes in data security, such as I.S. Partners, LLC, is an excellent choice to help your company develop a solid data breach plan, and can even implement it for you if you ever do need to use it. I.S. Partners, LLC is experienced in developing these plans, and are renowned for their trustworthiness. In fact, their reputation is built on it.
When it comes to dealing with data breaches, from developing a plan to tracking down the perpetrators to informing and updating the public and government agencies, I.S. Partners, LLC is the company you want to be your guide. Call us at 215-675-1400 or request a quote!