First, You Shouldn’t Lightly Say You Were Breached
A data breach is a serious incident that can have far-reaching consequences for businesses and individuals. When a company’s data is breached, it can lead to the theft of sensitive information, such as credit card numbers, Social Security numbers, and medical records. Criminals can then use this information to commit fraud, identity theft, and other crimes.
In addition to the financial and reputational damage resulting from a data breach, businesses may also face legal liability. In the United States, the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA) require businesses to take reasonable steps to protect the privacy of their customers’ data. If a company fails to do so, and their data is breached, they may be held liable for the resulting damages.
For these reasons, businesses should not lightly say that they were breached or hacked. Doing so could open them up to legal liability. Instead, businesses should carefully investigate any security incidents and take appropriate steps to mitigate the damage.
What is the Difference Between an Incident, a Breach, and a Compromise?
- An incident is any event that could potentially lead to a data breach. This could include a phishing attack, a malware infection, or a denial-of-service attack.
- A breach is a successful attack that results in the unauthorized access, disclosure, or destruction of sensitive data.
- A compromise is a situation in which sensitive data is accessed or exposed, but there is no evidence that it has been misused.
It is important to note that not all incidents will lead to breaches, and not all breaches will result in compromises. However, it’s crucial for businesses to take all incidents seriously and to investigate them thoroughly to determine if there is a risk of a breach.
If you did experience an actual breach, there are specific steps you should follow to report it.
Data Breach Notification Requirements and Recommended Steps
It’s important to know when you should inform people that you were breached, who you should notify, and how quickly. However, it is essential to note that the specific requirements for notifying different parties following a data breach may vary depending on the circumstances of the breach and the applicable laws and regulations. You should consult with an attorney familiar with cybersecurity laws and requirements to determine who you are required to notify and how you should notify them.
Inform Your Protective Resources First
As soon as you’ve been notified of a confirmed breach, you should contact your firm’s protective resources, as they are best placed to advise you on how to proceed:
- Your insurance company: If you have cyber insurance, you should notify your insurance company as soon as possible. They may be able to help you respond to the breach and cover the costs associated with the breach.
- Your lawyer: A good lawyer familiar with the specific requirements for notifying different parties in your state will be invaluable. It is all the more helpful if they are familiar with your business, industry, and the applicable laws and regulations.
Notification Steps Required in California
Let’s take California as an example of some typical steps businesses need to take following a breach. In this state, businesses are required to notify affected individuals of a data breach if the breach exposes their personal information. Personal information includes—but is not limited to—names, Social Security numbers, driver’s license numbers, credit card numbers, and medical records.
The notification requirements in California are outlined in the California Consumer Privacy Act (CCPA) and the California Civil Code. The CCPA applies to businesses that collect the personal information of California residents. The California Civil Code applies to all businesses that operate in California.
Step by Step
If a business confirms a data breach that exposes the personal information of California residents, the company must take the following steps:
- Notify affected individuals without unreasonable delay. The notification must be provided in writing and must include the following information:
  - A description of the breach, including the type of personal information that was exposed and the date of the breach.
  - Instructions on how affected individuals can protect themselves from identity theft and other fraud.
  - Contact information for the business that they can use to get more information about the breach.
- Notify the California Attorney General’s Office. If the breach exposes the personal information of more than 500 California residents, the business must electronically submit a copy of the notification to the California Attorney General’s Office within 72 hours of notifying affected individuals.
What Can Businesses Do To Protect Against Data Breaches?
While it’s important to know how to respond if you think your business was breached, or if it actually was, the first thing you should always do is limit the chances of a breach in the first place. There are several steps that businesses can take to protect against data breaches, including:
- Implementing strong security measures, such as firewalls, intrusion detection systems, and data encryption
- Educating employees about security best practices, including not calling every phishing email a hack
- Conducting regular security assessments
- Having a plan in place to respond to data breaches
By taking these steps, businesses can help reduce the risk of a data breach and the consequences that can follow.
If your business doesn’t have sufficient resources to implement all these steps, a managed security provider can help you or do the whole process for you. In the end, it will be worth engaging professional services to reduce your risks and the repercussions that can follow a data breach.