What to do after a data breach
data breaches only affect the 'big guys?" Think again. According to Visa, roughly
85 percent of data breaches occur at small businesses.
a June 2012 study by the Hartford
Financial Services Group Inc., found that 85 percent of small business owners
believed a data breach was unlikely and that many were not implementing simple
security measures to help protect their customer or employee data.
Despite this nonchalance, the aftermath of a data breach can be an
administrative nightmare for a small business. If a hacker gets hold of your
customers' payment card data, here are the first four steps of damage control.
Step 1: Control
the time a merchant realizes there's been a data breach, it's generally too
late to undo the damage. That's because data breaches are generally discovered after
customers report fraudulent use of their cards to their banks (which then trace
the fraud back to the merchant).
So, once your systems have been breached, the first step is to immediately contain
and limit the exposure to prevent further loss and help preserve evidence for
the investigation, according to Visa. Specifically,
Visa recommends that merchants do the following:
Do not access or alter compromised
systems by logging onto the machine or changing passwords.
Do not turn off the compromised machine. However, do unplug the cable and otherwise
isolate the compromised machine from the rest of the network.
Do log all actions your business has taken since the breach, and save all logs
and electronic evidence.
If you are using
multiple machines on a wireless network, do
change the network name on the wireless access point and other non-compromised
machines that may be sharing a connection. Just don't touch any potentially
Do stay on high alert
and monitor any systems that contain cardholder data.
Step 2: Contact the authorities
If the compromise could result in harm to a person or
business (such as identity theft), call your local police department
immediately, the United States Federal Trade Commission (FTC) recommends.
The sooner law enforcement learns about the theft, the
more effective it can be. If the local police are not familiar with
investigating data breaches, the FTC suggests contacting the local office of
the FBI or the U.S. Secret Service.
Step 3: Notify necessary parties
After the initial damage has been contained, contact all
parties that are connected to the stolen data.
Before you contact your customers, consider calling an attorney who can
advise you regarding state-specific laws. Some states, for example, have notification deadlines. If you don't inform your
customers that they could be vulnerable to identity theft by that deadline,
your business could incur hefty fines.
Contact your merchant bank, credit card networks and any other financial
institutions linked to the stolen card info. The financial institutions that
maintain your customers' accounts will need to monitor those accounts for
fraud. Visa, for example, requires compromised merchants to provide all at-risk
account numbers so that it can notify the issuing banks.
Step 4: Gather the facts
The Better Business
recommends gathering the facts surrounding the breach. Depending on the scale
of the breach and the potential for damage, you could find yourself in the
middle of a forensic investigation. So be sure to do your best to have the
answers to the following questions:
did the breach occur?
it a malicious attack or an internal error? For example, did cyber criminals
strike, or did one of your employees accidentally lose a flash drive containing
the data encrypted?
information was contained in the data (names, addresses, credit card numbers)?
many people were affected?
The final step:
you have gotten through a data breach, it is time to get serious about defending
yourself against the next attack. If you haven't done so already, make sure
your business is compliant with at least the minimum Payment Card Industry Data
(PCI DSS), the data security rules that govern the payments industry. Complying
with PCI DSS requirements, although sometimes costly and time consuming, can
strengthen your business's defenses on several fronts:
security: Making sure your system is more difficult to break into.
data protection: Ensuring that, even if data is stolen, it's encrypted so that
a thief cannot use it.
measures: Limiting access to cardholder data to a few employees to reduce the
chance of a data breach (or narrow down the culprits if one occurs).
monitoring: Constantly adapting to the latest data security technologies --
because that's exactly what thieves are doing.
you need motivation, keep in mind that small- to medium-sized businesses could
be increasingly targeted by thieves. According
to a July 2012 white paper from network
management company Mako Networks, larger companies are throwing their resources
behind sophisticated security measures. Smaller merchants, meanwhile, often
find building data security protections to be an "arduous process",
making them an easier target.
See related: Restaurant
battles bank over security breach, Many small
merchants ignoring security standards
Published: August 31,2020