Small Business Corner

Share:

Data Breach Response Guide for Business

Published: August 1, 2019

You just learned that your business experienced a data breach. Whether hackers took personal information from your corporate server, an insider stole customer information, or information was inadvertently exposed on your company’s website, you are probably wondering what to do next.

What steps should you take and whom should you contact if personal information may have been exposed? Although the answers vary from case to case, the following guidance from the Federal Trade Commission (FTC) can help you make smart, sound decisions.

SECURE YOUR OPERATIONS

Move quickly to secure your systems and fix vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. Take steps so it doesn’t happen again.

Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the nature of the breach and the structure of your business.

Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.

Identify a data forensics team. Consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.

Consult with legal counsel. Talk to your legal counsel. Then, you may consider hiring outside legal counsel with privacy and data security expertise. They can advise you on federal and state laws that may be implicated by a breach.

Secure physical areas potentially related to the breach. Lock them and change access codes, if needed. Ask your forensics experts and law enforcement when it is reasonable to resume regular operations.

Stop additional data loss. Take all affected equipment offline immediately— but don’t turn any machines off until the forensic experts arrive. Closely monitor all entry and exit points, especially those involved in the breach. If possible, put clean machines online in place of affected ones. In addition, update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you’ve removed the hacker’s tools.

Remove improperly posted information from the web.

Your website: If the data breach involved personal information improperly posted on your website, immediately remove it. Be aware that internet search engines store, or “cache,” information for a period of time. You can contact the search engines to ensure that they don’t archive personal information posted in error.

Other websites: Search for your company’s exposed data to make sure that no other websites have saved a copy. If you find any, contact those sites and ask them to remove it.

Interview people who discovered the breach. Also, talk with anyone else who may know about it. If you have a customer service center, make sure the staff knows where to forward information that may aid your investigation of the breach. Document your investigation.

Do not destroy evidence. Don’t destroy any forensic evidence in the course of your investigation and remediation.

FIX VULNERABILITIES

Think about service providers. If service providers were involved, examine what personal information they can access and decide if you need to change their access privileges. Also, ensure your service providers are taking the necessary steps to make sure another breach does not occur. If your service providers say they have remedied vulnerabilities, verify that they really fixed things.

Have a communications plan. Create a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners, and other stakeholders. Don’t make misleading statements about the breach. And don’t withhold key details that might help consumers protect themselves and their information. Also, don’t publicly share information that might put consumers at further risk.

Anticipate questions that people will ask. Then, put top tier questions and clear, plain-language answers on your website where they are easy to find. Good communication up front can limit customers’ concerns and frustration, saving your company time and money later.

NOTIFY APPROPRIATE PARTIES

When your business experiences a data breach, notify law enforcement, other affected businesses, and affected individuals.

Determine your legal requirements.

Most states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply to your situation. Check state and federal laws or regulations for any specific requirements for your business.

Notify Law Enforcement

Call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police aren’t familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service.

Notify Affected Businesses

If account access information—say, credit card or bank account numbers—has been stolen from you, but you don’t maintain the accounts, notify the institution that does so it can monitor the accounts for fraudulent activity.

If you collect or store personal information on behalf of other businesses, notify them of the data breach. If names and Social Security numbers have been stolen, contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts and credit freezes for their files.

Notify Individuals

If you quickly notify people that their personal information has been compromised, they can take steps to reduce the chance that their information will be misused. In deciding who to notify, and how, consider:

  • state laws
  • the nature of the compromise
  • the type of information taken
  • the likelihood of misuse
  • the potential damage if the information is misused

For example, thieves who have stolen names and Social Security numbers can use that information not only to sign up for new accounts in the victim’s name but also to commit tax identity theft. People who are notified early can take steps to limit the damage.

FOR MORE GUIDANCE FROM THE FTC

Download the complete Data Breach Response guide for businesses here. This publication provides general guidance for an organization that has experienced a data breach. If you’d like more individualized guidance, you may contact the FTC at 1-877-ID-THEFT (877-438-4338).

For additional information and resources, please visit business.ftc.gov.

View all posts

Members' Voice Testimonials

This credit union is the best, I love the customer service and you can't beat the interest rates. I'm happy to be a member of this great credit union.

- James · Locust Grove, GA

The branch manager introduced herself and was extremely helpful. She stated that if there is anything we ever need to please let her know. Very positive experience!

- Larry · Cumberland, MD

Greta was absolutely amazing - as always. She makes me and my parents feel valued and supported. We are forever grateful. [The Credit Union] has been hugely supportive over many years. And we feel known and cared for.

- Eliza · Washington, DC

Long as I have been with the credit union, I haven't had any problems. I also like the protection on my account.

- Charles · Upper Marlboro, MD

My overall experience at the credit union was exceptional. The staff was hospitable offering water, my service was timely and professional and the office was well lit and clean.

- Denise · Washington, DC

As a member for more than 40 years, i have always had great service from the USSFCU and know that they stand behind their great reputation.

- David · Silver Spring, MD

A top rate Credit Union, [I'm] privileged to be part of! Thank you for all you do for our family! USSFCU Credit Union was able to resolve our financial situation - vehicle, personal loans, customer service/recommendations, within 6 months. We belonged to another credit union for over 20 years, with results not even close to comparison. We switched ...

- Manuel · Bowie, MD

Your people and products are amazing. The recent [online banking] overhaul is phenomenal. [I've] been electronic banking since Tele action phone banking - paying bills with my push button landline decades ago. USSFCU is light years ahead of everyone else in terms of ease of use and client experience!

- Misty · Brookings, OR

I have been a member for more than 30 years. I no longer reside in the DC area but continue to bank with USSFCU because of the ease and the customer service.

- Tamra · Denver, CO

I have been a member for over 50 years, and I have always gotten good service with loans, when I had to have service at a branch, and when I needed to have money sent to me from my savings account. The personnel have always been friendly and treated me with respect.

- John · Fort Washington, MD

I especially appreciate being able to quickly speak with someone (not a robot) and that person has always been knowledgeable and helpful.

- Bernard · Richmond, VA

Excellent customer service streamlined and transparent process. The representatives are efficient, knowledgeable, and understanding of the type of loans offered by Credit Union.

- Erwin · Ellicott City, MD

The USSFCU behaves as a credit union ought to behave. The staff works with and for the members, not for a corporate board. Interest rates for a car loan, a home improvement loan, and a mortgage are low and terms are transparent.

- Ruth · Takoma Park, MD

Staff are courteous and friendly to work with. Very knowledgeable about services and products offered or available. Excellent follow-up with customers.

- Jacquelyn · Sanford, FL

I have appreciated USSFCU services for many years since I left my work on Capitol Hill. I have appreciated the occasional webinars on purchasing a home or retirement planning.

- Jamie · Washington, DC

I have been a member since 2006, and have always appreciated the customer service response to any concern or query. In addition, as I have traveled extensively, USSFCU has provided support and access.

- Kathleen · Ukiah, CA

I've had a credit union account for decades, even though I no longer work on Capitol Hill. I now have two accounts. I've been able to do all of our banking remotely, by app or by phone.

- Richard · Washington, DC

I have been a USSFCU member for almost 20 years. There is nowhere else I want my money to be. I always receive excellent service.

- Nicole · Alexandria, VA

I deeply appreciate the stellar service, the proficiency, the professionalism, and the kindness. I am truly honored and grateful to bank with a financial institution that treats customers like family.

- Angela · Alexandria, VA

Read More testimonials.