So Your Data was Breached. Now What?


You suspect that your business experienced a security breach. Maybe a laptop was lost by a worker, a hacker got into a customer database, or information was inadvertently published on your site. Whatever happened, you are likely wondering what to do and how to minimize damage.

The FTC’s new Data Breach Response: A Guide for Business summarizes the measures to take and whom to contact. Here’s a glimpse of what is inside.

You’ll need to move fast to secure your systems. Some immediate measures include:

  • Secure physical areas potentially related to the breach. Lock them if necessary, and change access codes.
  • Stop additional data loss.
  • Take all affected equipment offline immediately, but be careful not to destroy evidence.
  • Monitor all access points to your system. If a hacker stole credentials, you'll want to change those credentials even if you've removed the hacker's tools.
  • Remove improperly posted info from the web. After you clean up your website, run a search to ensure other sites haven't posted the info. If they have, ask them to remove it.
  • Consider your service providers. If they were involved, make sure they've remedied all vulnerabilities and think about whether you want to change their access rights.
  • Check your network segmentation so a breach at one server or website does not lead to a breach at another.

Now you must notify the appropriate parties of the security breach. Take a look at your country’s data breach notification law. If it’s a breach of health data, also look at the HIPAA Breach Notification Rule along with the FTC’s Health Breach Notification Rule. Notify law enforcement, affected businesses and individuals.

  • Law enforcement — Call your local authorities, the FBI or the U.S. Secret Service. The sooner they know about the breach, the more effective they can be.
  • Businesses — If account information (such as credit card numbers) was compromised and you don't maintain the accounts, notify the institution that does so they can keep a lookout for suspicious activity.
  • Individuals — The quicker you notify individuals, the faster they can take action to secure their information. When deciding how you will inform the people impacted by the breach, think about the nature of the breach, state laws, the likelihood of the misuse of the data obtained, and the potential harm if the data is misused. Consult with law enforcement and, based on the type of information breached, consider offering a year of credit monitoring when notifying people.

The Data Breach Response guide includes a model data breach notification letter. Your letter should clearly describe how the breach happened, what information was taken, what actions you have taken, and what steps individuals should take next. We recommend including the portions of the FTC's document that are relevant to the type of information compromised. Additionally, encourage people who find that their information was misused to file a complaint with the FTC, using the FTC Identity Theft website.

Now that you have seen some highlights from the guide, take a few minutes to read the whole Data Breach Response Guide and discuss it with your staff. Short on time? Watch the data breach response video for businesses.