What are the true costs of a data breach? On the one hand, there are monetary damages: the estimated average cost per breach in the US is $7.9 million. Couple that with potential fines for negligence plus legal fees, and suddenly it’s no surprise that around 60% of small businesses will go out of business within 6 months after a significant breach, and that around 43% of all cyberattacks target small businesses because of presumed vulnerabilities. On the other hand, there are the less tangible costs of a cyberattack, such as organizational integrity and customer trust. Whether it’s your fault or not, a data breach will compromise the public’s perception of your business, although the extent of it will really depend on the actions you take immediately following the breach.
Still think this could never happen to you? Consider this scenario:
“A restaurant chain reports that the credit card readers in three of their store locations have been compromised. Forensic investigations identify that the point-of-sale systems, which are common at all three locations, have been manipulated to store sensitive cardholder data when payment cards are swiped through the reader. The restaurant’s acquiring bank imposes fines and penalties for failure to develop and maintain a secure payment system, failure to protect the system from vulnerabilities, and failure to test for the presence of unauthorized wireless access to the system for over two years.”
This situation and others like it are surprisingly common. As long as the internet is around, criminals will exploit it, and with the number of data breaches growing each year, you should know how to react if it ever happens to you.
Read “7 Common Causes of Data Breach” to stay ahead of hackers.
Report Data Breaches IMMEDIATELY
Covering up a data breach never works. Sooner or later, people will find out if their personal info is compromised, and failure to report security breaches often carries hefty fines/penalties. Plus, it does immeasurable damage to your reputation. Remember the Equifax breach in 2017? They were accused of covering it up from their own staff! Whether or not this is true, the fact remains that if you hadn’t heard of them before the breach, you sure have now because of the negative headlines. Granted, Equifax is a large-scale example and chances are your small business won’t be making headlines for years after the incident. But it goes to show how one mishandled incident has consequences when it comes to public trust.
In many cases, you have to report data breaches that reveal personally identifiable information because it’s the law! Data breach reporting laws vary by state, but generally speaking, here’s who you should tell:
- Financial institution that processes your payments
- Insurance carrier/agent. The sooner they are involved, the better, when it comes to liability.
- Law enforcement
Note: it is especially crucial to report data breaches concerning medical records, which have tight HIPAA restrictions and must be reported to the US Department of Health and Human Services.
Conduct A Security Audit
Once reported, it’s important to figure out the extent of the damage, how and when the breach occurred, and what steps need to be taken in order to ensure it never happens again. When conducting your audit, you should:
- Find out what type of personal data was stolen and how much of it.
- Find out if staff members were involved either wittingly or unwittingly. Be sure to inform them of the breach and consider putting them through cyber security training so they stay informed on the dangers of spam, phishing scams, and other cyber threats.
- Document everything. Be sure to keep detailed records and logs of when the breach occurred, dates you notified the proper authorities, the steps you plan on taking for future prevention, etc.
As stated above, trying to cover up a data breach is not only dangerous to the consumer, it’s harmful to your reputation. People will find out one way or another that their information has been stolen. If you’re too busy covering your own behind, extensive damage will have already been done to their bank accounts, credit score, or worse. By warning your customers, you’re owning up to it and creating a reputation of trust in the long run, even if knee-jerk reactions are negative and embarrassing for you. Additionally, you’re allowing your customers to take preemptive action before too much damage is done to them.
Offer Customer Benefits
Make sure any services offered to customers fit the nature of the exposed data. If only debit or credit card information is exposed without a Social Security number, credit monitoring is not necessary – a new credit line cannot be opened via an exposed credit card alone. Simply counsel customers to keep an eye on their own accounts. The affected institution will likely issue a new card. If Social Security numbers are exposed, don’t just offer one year of free credit monitoring – after all, Social Security numbers don’t expire and could be exploited at any time.
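As an added illustration, not from the original article or from Society Insurance, the Python sketch below turns the reporting list above, the audit’s “document everything” step and the customer-remedy rule into a small incident record that derives who still needs to be told and what to offer customers. The party labels, data categories and sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Data categories the article distinguishes when choosing notifications and remedies.
PAYMENT_CARD = "payment_card"
SSN = "ssn"
MEDICAL_RECORD = "medical_record"

# Parties the article says to tell; the labels are hypothetical, not official terms.
BASE_PARTIES = ("payment_processor", "insurance_carrier", "law_enforcement")
HHS = "hhs"  # added only when medical records are involved (HIPAA)

@dataclass
class BreachRecord:
    """Minimal incident log: when it was found, what was exposed, who has been told."""
    discovered: str              # ISO date, e.g. "2024-03-01" (constructed sample value)
    data_exposed: set
    record_count: int
    notified: dict = field(default_factory=dict)  # party -> ISO date the notice was sent
    timeline: list = field(default_factory=list)  # dated free-text entries for the audit

def required_notifications(rec: BreachRecord) -> list:
    """Bank, insurer and law enforcement always; HHS when medical records are exposed."""
    parties = list(BASE_PARTIES)
    if MEDICAL_RECORD in rec.data_exposed:
        parties.append(HHS)
    return parties

def outstanding_notifications(rec: BreachRecord) -> list:
    """Required parties with no notification date on record, i.e. still to be told."""
    return [p for p in required_notifications(rec) if p not in rec.notified]

def customer_remedy(rec: BreachRecord) -> str:
    """Match the customer offer to the exposed data, following the article's rule:
    SSN exposed -> long-term credit monitoring (SSNs never expire);
    card data only -> advise customers to watch their accounts, the issuer reissues the card;
    anything else -> case-by-case review (an assumption; the page does not cover it)."""
    if SSN in rec.data_exposed:
        return "long_term_credit_monitoring"
    if PAYMENT_CARD in rec.data_exposed:
        return "account_monitoring_advice"
    return "case_by_case_review"

def log_notification(rec: BreachRecord, party: str, sent: str) -> None:
    """Record who was told and when, so the documented timeline stays complete."""
    rec.notified[party] = sent
    rec.timeline.append(f"{sent}: notified {party} ({rec.record_count} records affected)")
```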
Cybercrime is a real threat that takes advantage of an organization’s vulnerabilities and lack of technical knowledge/security awareness. Read “Common Data Threats and Vulnerabilities” to understand the risk at your business.
There are cyber security steps you can take to ensure that your organization is protected, such as getting cyber liability insurance from Society Insurance. It provides comprehensive data security coverage that addresses both first-party losses and third-party liability claims, breach response services, and claims handling backed by a team of legal, forensic and crisis management experts.
To find out more, get in touch with an agent today!