With more and more businesses selling goods and services over the internet, utilizing credit card processing companies, and using internet-connected devices, the incidences of data breaches are rising every day. And of course, this includes many small businesses, which may prove especially vulnerable to data security breaches. So, the question is what should you do if you realize that you may have suffered a data security breach?
We offer some general guidance here. For starters, it is important to act quickly to limit the damage – but you also need to keep a cool head. So, consider the pointers we offer below, and, as the adage goes: “Keep calm and carry on.”
1. Contact Your Service Providers
Usually when a small business is subject to a data breach, it’s because a company they contract with has suffered a breach. This could be your credit card processor, your website, a cloud hosting provider, or the company that maintains a database or other collection of information utilized by your business. If these companies have been breached, they need to know so that they can act to protect your business’s data and the data of their other clients.
Alternatively, you might learn about a data breach from a company with which you do business, and that breach may have compromised your company’s data. You may want to contact a computer forensics company to determine the scale and scope of the breach. You may also ask that company what steps it is taking to protect your business from potential fallout. It is during this period, soon after the breach, that you need to work to contain the breach and ensure that your data is safe.
2. Consult Legal Counsel
As data breaches have become more common, so too have state and federal laws and regulations addressing them. Most states now have their own privacy and data breach laws that require you to take certain steps, file certain documents with relevant authorities, and notify certain parties that you have suffered a breach. These laws also impose deadlines, some 30 days or less, during which you must comply with these laws or face sanctions and fines. An attorney experienced in privacy and cyber security law can help you to navigate this process and comply with these requirements.
3. Contact the Authorities
A data breach is theft, plain and simple. While different in kind from someone physically breaking and entering your business to steal, the result is still the same – someone has stolen something that belongs to you. Accordingly, you should contact the authorities. It’s likely best to start with your local police. But if they don’t have experience handling this sort of crime, you might also contact your local FBI Field Office. If your business operates in a regulated industry, you also want to contact your regulator (HIPAA for healthcare, etc.) to determine whether they can provide assistance.
4. Inform Affected Parties
Most laws on data breaches require you to inform affected parties. This may be suppliers, business partners, customers, or employees. Usually this must be done as soon as is practically possible. You will want to consult with your attorney to ensure that your notice provides all information required by applicable law. Your attorney will also be able to discuss the issue of potential liability with you so that you can plan appropriately.
You may also want to contact certain other entities that do business with affected parties. For instance, if the data stolen includes information such as credit card numbers or social security numbers, you should consider contacting the major credit reporting bureaus (Equifax, Experian, TransUnion) to notify them of the potential for fraudulent activity. You should also consider contacting your regional IRS office to similarly inform them of the potential for fraudulent activity.
5. Getting Your Business Back to Normal
Recovering from a data breach is not a quick or easy process, and it’s likely that those affected by the data breach will be wary of doing business with you for fear that your system may be breached again. It’s important to return to normal operations shortly after the breach has been contained and addressed. This will start you on the road to rebuilding your business’s reputation. You may also want to consider cyber security services or cyber security insurance. The former is designed to prevent breaches from happening in the first place (firewalls, anti-virus software, etc.), and the latter is designed to limit your losses. With a sufficient investment of time and effort, your business can recover and get back on the road to growth.
What is NFIB Legal Center Doing on this Front?
As you can imagine, a data breach may raise all sorts of legal issues, which is why it’s advisable to consult with a trusted attorney. One of those issues is the potential for a Federal Trade Commission lawsuit. Believe it or not, the FTC has been suing some businesses that are victimized by hackers on the theory that they should have done more to protect consumer information in the first place. But that’s a peculiar argument given that the FTC has never promulgated regulations governing data security standards. And in any event, NFIB has argued in several cases that the FTC lacks authority to regulate data security standards. For that matter, we’re awaiting an important decision on this issue in LabMD v. FTC, which is currently pending in the Eleventh Circuit Federal Court of Appeals.
*This article does not provide legal advice. Businesses are advised to retain counsel from a trusted attorney licensed in their state.