You’ve been hacked. Sensitive data on your company, your employees, or your customers has been compromised, and now it’s up to you to do something about a data breach.
First, don’t panic.
Scarce resources and a lack of precaution make startups an easy target. The good news is that most of these attacks are not targeted campaigns by someone scheming to do something specific with your data. They are usually opportunistic: attackers scanning for an easy way in and a few credit card numbers.
If you contain and handle the situation properly, a data breach doesn’t have to be an existential threat to your company.
1. Contain the Problem
The first step is to pinpoint the root cause of the breach and make sure it is contained. Too often, startups try to handle this themselves, but it is almost always better to bring in a third party with digital forensics experience.
Most breaches trace back to an oversight or a mistake rather than a sophisticated adversary. Leaving it to your own team to find the root cause invites blame and finger pointing that can do lasting damage to the team. And if it was a targeted attack, most developers lack the forensic experience to separate the root cause from its symptoms. A forensic investigator will also preserve evidence (disk images, logs, memory captures) before systems are wiped and rebuilt, which matters both for finding the entry point and for any legal process that follows.
If you don’t already have an Incident Response (IR) firm on retainer, getting one involved ASAP can feel impossible. All the firms promise to do the same thing and throw a bunch of jargon and credentials on their website which makes it difficult to differentiate one from another. As you compare consultancies, you should consider a few main things:
- Reputation. The data security industry has grown 2.5x in the last two years because of a growing concern around cyber security. You want to make sure that you find an agency that has been around and has helped companies in the past, rather than one that is just testing the waters. Feel comfortable asking for references from past clients.
- Type of experience. Find out what kind of work each firm actually does. Some focus on preventive consulting (security assessments, penetration testing, hardening), while others specialize in incident response and forensics once an attack has been discovered; you want the latter right now. Ask specifically about their experience with your type of breach and your technology stack.
- Price. Most agencies charge an hourly rate. You should expect to pay $200 an hour at least—but most will charge you upwards of $300 an hour since you’re asking for help without any prior notice.
A statement from your IR firm adds credibility when you communicate with customers about the breach, and the firm can help you put the proper defenses in place against future attacks.
2. Research Your State’s Laws
Once the breach is contained, make sure you are protecting yourself from a legal standpoint. If customer data has been compromised, you may already be exposed to a class action lawsuit, so don't make matters worse by failing to follow the required notification procedure during the aftermath.
At the time of writing, 47 of the 50 states had their own laws about whom you must inform in the event of a data breach; only Alabama, New Mexico, and South Dakota did not. These laws change often (all three have since enacted breach notification statutes), so check the current text rather than relying on a summary. As you research who to inform about what, keep the following in mind:
- States have different definitions of “personal information.” Some states limit the definition to social security numbers, driver’s license numbers, or credit card information—while others have a broader definition, including access codes, medical information, or Taxpayer ID.
- Some states require notifying a state agency. There are different limitations around which cases need to be reported and what paperwork needs to be filled out.
- Some states don't require notification if the data was unreadable to the attacker. Many statutes exempt data that was encrypted, provided the encryption key was not also compromised, or that was otherwise rendered unusable. Whether your breach qualifies depends on the state's exact wording, so have your IR firm document precisely what was encrypted and how.
- Some states require notification within a certain time period.
Many law firms publish detailed summaries of these hairy details (Baker & Hostetler's state-by-state guide is one example). You can also find the details of each law and any amendments on the respective state ".gov" sites, and read the law verbatim by finding your state in an index of security breach notification laws.
3. Break the News
The hardest part of dealing with a data breach is notifying all the people that it has affected. You’re faced with the task of breaking the news to people who’ve put their trust in you and your business. But if you’re honest, transparent, and provide just enough reassurance, you can move on—a Ponemon survey has revealed that 67% of customers don’t abandon a company once they learn about a data breach.
For internal parties, such as partners and employees, it’s best to be honest and transparent. Don’t send around a vague memo or have them learn from a public announcement—it’s impersonal and can make them have doubts about the legitimacy of your business. Tell people in person and give them the opportunity to ask questions.
When it comes to customers, however, it’s a bit trickier. You need to hit a balance of honesty and discretion, so that you keep trust without coming across as incapable. You have two different routes you can take to accomplish this:
- Hire a PR agency. They can help you put together a statement and advise you on the best way to communicate your particular type of breach. If you choose this route, make sure you pick one with experience handling data breaches.
- Put together an announcement yourself. If your business is small and you have a personal relationship with many of your customers, it can be better for them to hear it from you.
You need to offer a sincere apology and communicate 1) what happened, 2) how it was fixed or contained, and 3) what preventative action you're taking to keep it from happening again. Tell affected customers concretely what they should do as well, such as resetting passwords or watching their statements for fraud.
4. Protect Yourself Against A Future Data Breach
After a data breach, the worst thing you can do is go back to business as usual. A breach is a sign that you were not taking adequate measures to protect the people who entrusted you with their data. And while your reputation might survive one breach, two or three could sink your business.
Protecting yourself does not require a full-time security team. Most breaches involve human error somewhere in the chain (the article's cited figure is 93%), so a few simple precautions defend against the majority of threats:
- Two-factor authentication for all accounts. It may be annoying, but it is necessary: a stolen or guessed password on its own no longer gets an attacker in. It is often said that 80% of breaches could have been avoided had the businesses used 2FA. Prefer authenticator apps or hardware security keys over SMS codes, which can be intercepted through SIM swapping.
- Encrypt all sensitive data, whether at rest or in motion. In motion means TLS everywhere, including internal services; at rest means encrypted disks and databases, not just encrypted backups. For day-to-day work, use a password manager like 1Password to share credentials instead of pasting them into chat, and a tool like GNU Privacy Guard (GnuPG) to encrypt files that you send around. According to Verizon's 2016 Data Breach Investigations Report, 63% of confirmed breaches involved weak, default, or stolen passwords.
- Discourage use of personal devices. You can protect the infrastructure at your own company as much as you want, but that all goes out the window as soon as team members open up files on their personal device.
- Keep an IR firm on retainer. You can find IR firms with zero cost retainers that can be available as soon as there is a problem. Pick one that has a reputation or experience dealing with the kinds of breaches you might expect.
Once you’ve contained and dealt with your first data breach, take a few extra precautions to make sure it doesn’t happen again. You’ll earn back the trust of your employees and customers, and be able to focus on more important things.