Cyber Crisis Control: Recover from a Data Breach with Your Reputation Intact
If a wave of anxiety is your first reaction following a cyber security breach, that’s completely understandable. As a small-business owner, however, your second reaction should be to take action. With your finances, customer trust and your reputation on the line, there’s no time to waste in addressing the issue.
Here’s how a business owner can effectively handle the fallout from a cyber security lapse:
Understand the Scope of the Breach
What have you lost and what impact will it have? These questions are key in assessing the scope of your security breach and what steps must be taken to address it. According to the Privacy Technical Assistance Center, an investigation should include identifying all affected data, machines and devices; conducting interviews with key personnel; documenting all facts; and locating and preserving all written and electronic records that could be applicable to the breach for examination.
Familiarize Yourself with Regulations
Lots of rules and regulations surround data security. Being familiar with the PCI Security Standards Council, for example, can help businesses avoid a breach in the first place. Once a breach has occurred, however, other regulations come into play, which can vary based on industry and location.
The healthcare industry, for instance, is subject to federal regulations under the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. According to Experian, these regulations include a comprehensive risk assessment, who should be notified of the breach and when, and requirements regarding alerting the media.
Different states have cyber security breach regulations as well. In fact, the National Conference of State Legislatures reports that 47 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have enacted legislation dictating who must be notified during breaches and under what circumstances.
Be sure to check with your state, as well as laws governing your industry, to make sure your security breach response is in line with all regulations.
Know Who to Notify
No business wants to tell customers that their financial or personal data has been compromised under its watch, but notification is a necessary early step in dealing with a breach. Those who should be informed can include partners, customers and the government.
Gabrielle Karol wrote for Fox Business that, “customers should be informed to the extent possible, which will actually help build trust between your business and clients, as long as you effectively communicate that you are making all efforts to prevent another attack.”
Anyone impacted—whether the information is financial, such as a credit card number, or personal, such as addresses and phone numbers—should be notified right away. Based on which state and industry regulations apply, some of those notifications could be legally required.
Protect Your Reputation
Experiencing a data breach isn’t exactly good for a business’s reputation, but nothing is worse for your reputation than not admitting a security failure happened until others find out.
According to ZDNet, telling your story promptly and transparently, tailoring your message to your various audiences, and immediate apologies are key to keeping your reputation in good standing as you rebuild your cyber security. Giving sympathetic customer service to those affected doesn’t hurt, either.
“Companies should put extra effort in helping their customers deal with any repercussions from the security breach,” wrote Ellyne Phneah for ZDNet. “This will go some way to showing their concern and maintain customer relationships which could potentially be damaged by the incident.”
This includes teaching customer service staff to handle queries from the media and directing them to appropriate spokespeople.
Though news of a data breach isn’t exciting for anyone to hear or share, when those communications are handled thoughtfully and respectfully, it can go a long way toward maintaining a customer’s respect for your business.