You’ve Been Breached, Now What?
The number of breaches and their costs have been increasing in the past couple of years due to the rise in online payments and other digital interactions. Because more of these activities are occurring digitally, it’s become more difficult for organizations to adequately protect the ever-growing amount of sensitive customer data entering their environments. As a result, businesses are paying the price.
According to IBM’s latest “Cost of a Data Breach” report, data breaches are costing companies an average of $4.24 million per incident. That’s a 10 percent increase compared to last year, which the report attributes to incidents becoming “more costly and harder to contain due to drastic operational shifts during the pandemic.”
The growing frequency and financial consequences of breaches can cause several problems with security and privacy for many companies all over the world. Knowing what to do next after a data breach occurs can be challenging, but you must have a plan of attack ready, or it could be impossible for your business to recover.
Discovering a Data Breach
After finding out your company has been breached, you will need to assess what happened and what data, if any, was exposed. Identifying who and what was compromised will make it easier to notify the affected individuals, businesses, and law enforcement.
To determine what legal requirements you need to satisfy in your response, you should speak with your internal security and legal teams. Your company’s location and industry will affect the specific laws you have to follow when notifying. Therefore, it’s important for your company to have a response plan that goes over how you will recover from any major security issues like a breach. Having this information available will allow your company to have the proper procedures in place to take the next steps in this process quickly.
Sending a Data Breach Notification
Before delivering a breach alert, your company must have up-to-date contact information for each party that’s involved. Knowing how they prefer to receive notifications and where they reside will affect how quickly they can receive notice.
Breach notifications are usually done in a written statement through the mail, but if customers have requested to receive only emails, then you will need to send it electronically to those specific individuals. If you lack the necessary data to contact your clients directly, you must provide a notice of the breach on your company’s website. See below for a general overview of common breach notification requirements.
GDPR
Notifications must be issued within 72 hours of discovering the breach and include:
- The nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- The name and contact details of the data protection officer or other contact points where more information can be obtained
- The likely consequences of the personal data breach
- The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
CCPA
“Immediately following discovery” of a breach, notifications must be issued “in the most expedient time possible and without unreasonable delay.” Necessary information includes:
- Name and contact information of the one issuing the notice
- List of the types of personal information involved in the breach
- Key dates involving the breach
- Whether a delay in providing the notice is attributable to an investigation by law enforcement
- A general description of the breach
- The contact information of major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number
- An offer to provide appropriate identity theft prevention and mitigation services if the one providing the notice was the source of the breach
LGPD
Notifications must be issued in a “reasonable” period of time and include the following:
- Description of the nature of the affected personal data
- Information regarding the data subjects involved
- Indication of the security measures used
- The risks generated by the incident
- The reasons for the delay in communication (if any)
- The measures that were or will be adopted
NACHA
Notifications must be issued “as soon as reasonably possible” and include:
- The approximate cause(s) of the breach incident
- The approximate date of the breach incident
- The approximate size of the affected population (victims)
- The type of data exposed
- The routing and transit numbers (“RTN”s) of the affected RDFI accounts
- The ODFI’s designated security contact for inquiries from RDFIs
- Organizations that are involved in the breach
HIPAA
Notifications must be issued electronically within 60 days of the discovery of the breach if more than 500 individuals are affected or within 60 days of the end of the calendar year if fewer than 500.
If you are in the U.S., additional notification requirements vary by state. You can view an up-to-date table with this IAPP.org resource.
Usually, when a company is compromised, the best time to deliver a breach notification is as soon as possible. Because a breach can affect a company’s reputation greatly, it’s crucial to react quickly and follow the specific requirements outlined in the applicable regulations.
Recovering from a Data Breach
Your customers will likely be wondering how they should respond after they learn of a data breach at your company. The actions they need to take will depend on what information was compromised, but in general, customers should update their login credentials, card numbers, etc., to make sure they are secure. They should also watch for and report any suspicious activity on their accounts in the future.
To make customers feel safe moving forward, your company should aim to comply with all applicable laws and standards for the safe use of personal and payment data.
In the aftermath of a breach, you can’t go back in time and prevent it from happening, but you can analyze why and how it occurred, learn from it, and make the necessary corrections to prevent it from happening again. Simply satisfying compliance obligations doesn’t always result in acceptable privacy and security measures being put in place, but it can help your company prioritize improved security standards and stay aware of new regulations to come.
Additionally, data protection technologies such as tokenization can be effective security measures for minimizing the impact of a breach. Although tokenization can’t prevent your systems from being compromised, it can limit the exposure of sensitive data. By removing this data from your environment, you can protect it in the event of a breach, allowing you to issue a notification that reassures your customers that their personal information is safe. As a result, you can potentially avoid additional fines and penalties and help restore consumer confidence in your brand.
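The tokenization approach described above, as an added example that is not part of the original post: a hypothetical in-memory TokenVault replaces a card number with a random token that keeps only the last four digits and is deliberately never a Luhn-valid number, and a scanner is run over constructed order records to show what a dump of the application store would expose before and after tokenization. The class and function names, the vault being an in-memory dict, and the sample records are assumptions for illustration; in a real deployment the vault is an isolated, separately secured service.

```python
import re
import secrets

# Matches 13-19 digits with optional space or dash separators (how card numbers appear in dumps)
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only place the real card number (PAN) is stored.
    Here it is an in-memory dict; in production it is a separately secured service."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # same PAN -> same token, so the app can still de-duplicate
        while True:
            # Random body plus the real last four digits, so receipts can still show "**** 1111"
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that happen to be Luhn-valid, so a token can never be mistaken for a real PAN
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only code with vault access (e.g. the payment processor call) can recover the PAN."""
        return self._token_to_pan[token]


def find_exposed_pans(records):
    """Scan application records the way a breach reviewer would, returning values that are real card numbers."""
    exposed = []
    for rec in records:
        for value in rec.values():
            if not isinstance(value, str):
                continue
            for run in DIGIT_RUN.findall(value):
                digits = re.sub(r"[ -]", "", run)
                if luhn_valid(digits):
                    exposed.append(digits)
    return exposed


def demo():
    """Constructed sample: the same order stored with the raw PAN and with a vault token."""
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"  # well-known test card number, constructed sample input
    orders_with_pan = [{"customer": "alice", "card": test_pan, "amount": "19.99"}]
    orders_with_token = [{"customer": "alice", "card": vault.tokenize(test_pan), "amount": "19.99"}]
    # A dump of the first store leaks the card; a dump of the second store contains no real PAN
    return find_exposed_pans(orders_with_pan), find_exposed_pans(orders_with_token)


if __name__ == "__main__":
    before, after = demo()
    print("exposed before tokenization:", before)
    print("exposed after tokenization:", after)
```

The scanner is the part a breach responder actually reuses: run over an export of the compromised store, it answers the "what data was exposed" question from the first section, and the empty result for the tokenized store is what lets the notification state that card numbers were not held in the breached environment.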