Data Breach Response: A Guide for Business

The Federal Trade Commission’s new outlines the steps to take and whom to contact if you suspect that your business has experienced a data breach. Here’s a glimpse of what’s inside:

You’ll need to move quickly to secure your systems. Some immediate steps include:
Secure physical areas potentially related to the breach. Lock them and change codes, if needed.
Stop additional data loss. Take all affected equipment offline right away, but be careful not to destroy evidence. Monitor all access points to your system. If a hacker stole credentials, you’ll need to change those credentials too, even if you’ve removed the hacker’s tools.
Remove improperly posted information from the web. After you clean up your site, conduct a search to make sure other sites haven’t posted the information. If they have, ask them to remove it.

What about breach notification? That’s where many companies have questions. First, take a look at your state’s data breach notification law. If it’s a breach involving health information, also look at the HIPAA Breach Notification Rule and the FTC’s Health Breach Notification Rule. Notify law enforcement, affected businesses and individuals.
Law enforcement – Call your local police, the FBI or the U.S. Secret Service. The sooner they learn about the breach, the more effective they can be.
Businesses – If account information (like credit card numbers) was stolen and you don’t maintain the accounts, notify the institution that does so they can keep an eye out for suspicious activity.
Individuals – The faster you notify people, the faster they can take steps to protect their information. In deciding who to notify and how, consider state laws, the nature of the breach, the type of information taken, the likelihood of misuse and the potential damage if the information is misused. When notifying people, consult with law enforcement and, depending on the type of information breached, consider offering at least a year of free credit monitoring.