Hackers are getting more sophisticated every year, and small businesses continue to be prime targets for attacks. IBM reported that, in 2021, the average cost of a data breach rose to over $4 million, the highest average total cost in the 17-year history of its report.
The most common type of cybercrime, which accounts for 44% of data breaches, is the theft of customer data, such as names, emails, and passwords. When data is stolen, you need to alert the impacted individuals quickly in order to help prevent further damage. Here are a few guidelines for communicating a data breach to your customers.
[Read more: Touchy Subjects and How to Communicate Them to Customers]
Remediate the threat first
Before you communicate to customers, take steps to secure your operations. “The only thing worse than a data breach is multiple data breaches. Take steps so it doesn’t happen again,” wrote the FTC.
Secure your systems by changing passwords, limiting user access, contacting law enforcement, and bringing in experts to understand exactly where your systems are vulnerable and what data has been accessed.
Take the impacted devices offline immediately, but don’t turn them off until you’ve consulted with forensic experts. If a hacker stole credentials, note that your system will remain vulnerable until you change those credentials. If information was improperly posted on your website or social media channels, remove it as soon as possible.
[Read more: 3 Things to Do Immediately If Your Business Is the Victim of a Cyberattack]
Create a communication plan
After taking measures to secure your data and prevent additional damage to your devices, take a deep breath and move on to alerting your affected customers. All states require that businesses notify customers in the event of a security breach that involves personal information. There may be other laws that you need to follow that apply to your situation, depending on the type of attack your business experienced. Check state and federal laws to find out.
When notifying customers, three elements are essential, according to cloud security company WHOA.
- Time: The sooner you can alert customers, the sooner they can take steps to protect themselves from fraud.
- Information: Try to give customers as much information as possible about the nature and extent of the breach.
- Thoroughness: Use multiple communication channels to make sure that all affected parties are notified of the breach.
The FTC has a list of information you are likely legally required to provide customers, including what information was taken, what actions you have taken to remedy the situation, and how the breach happened. Move quickly to reach out to your customers. The faster you communicate the issue, the faster your clients can change passwords and check their own systems and data for cyberattacks. Work with your security team and perhaps legal counsel to draft an accurate, factual message.
Offer support and communicate with care
When you start notifying individuals, do so with care. The FTC recommends that you work with law enforcement to ensure the timing of your notification doesn’t impede the investigation. Designate a point of contact, a person or team within your business, to handle ongoing updates and to communicate how individuals should protect themselves. Create a webpage with frequently asked questions and other resources to help customers get the help they need.
It’s also a good idea to offer at least a year of free credit monitoring, identity theft protection, or identity restoration services to your impacted customers. For a list of recovery steps, consider referring consumers to IdentityTheft.gov.
Prevent the attack from happening again
Rebuilding trust with your customers will take time. Continuously update customers on the steps you’re taking to ensure a data breach can’t happen again. Outline the protocols and tools you’ve put in place to keep their information secure. Provide your employees with regular security training, enforce strong password policies and multifactor authentication, and follow best practices that keep pace with the evolving cyber threat landscape. It will take time, but being transparent about your commitment to cybersecurity will help slowly rebuild trust.