According to the Verizon Data Breach Investigation Report, 61 percent of breaches hit smaller businesses—up from 53 percent in 2016. Criminals can target personal information from a corporate server, insider information, intellectual property and more. They can expose and publish personal information on public-facing sites. They can deploy costly ransomware attacks. The aftermath can be devastating. Every small business needs to create a crisis plan, with detailed instructions, strategies and tactics to manage the crisis effectively, including communications to stakeholders. Don’t leave anything to chance. Here are a few ideas:
- Record everything. You or another trusted team member should begin taking notes. A good starting point: Who discovered the breach, and how?
- Secure the area and your systems. Put up physical barriers if you must and instruct employees not to touch IT equipment or go near it. Do not turn anything off. Instead, take your servers and computers offline to prevent further tampering.
- Alert and activate your response team. It is the responsibility of the chief executive or another high-ranking operations expert to create a crisis response team, including a key representative and expert from appropriate departments. In the case of a data breach, the crisis team would consist of representatives from computer forensics, IT, public relations, legal, and other functional areas, including human resources. This group must be in sync and informed of new developments all at the same time. The group must also agree on a communications strategy, both internal (to employees and staff) and external (customers, clients, shareholders, media).
- Notify your lawyer and law enforcement. State and federal laws vary on notification of security breaches involving personal information. It’s important that every business owner fully understands the rules and regulations of their own state and industry. Refresh your memory and review new regulatory updates once a year with your lawyer. In a crisis, you may want to consider hiring legal counsel that specializes in cybercrime and data breach. An excellent option for small businesses is to sign up for a pre-paid legal service like LegalShield, which offers legal-specific plans for small businesses and solo entrepreneurs.
- Notify your insurance carrier. You do have cyber insurance, right? Cyber liability insurance covers a business’s liability for a data breach and can help pay for the recovery expenses, legal fees and any penalties and fines.
Unfortunately, the road to recovery after a data breach can be long, difficult and expensive. Data breaches can be damaging to your company’s reputation, and a single misstep in your crisis plan may alienate and anger clients and employees. Small investments in insurance, legal counsel and media training can make all the difference.
Submit your questions to email@example.com and you may see them here. This column is designed to give general information and should not be construed as legal advice on any specific fact or circumstance, and it does not create an attorney/client relationship. The choice of a lawyer is an important decision and should not be based solely upon advertisements.