How to prepare for a data loss catastrophe now

Prevention is best, but businesses should also know how to react if they get hacked

by Alice Bredin

Even a well-prepared business may find itself the victim of a data hack such as stolen customer information or leaked employee health insurance records. As with any emergency situation, it’s best to have a plan of action in place ahead of time. Making decisions now—when you can think calmly about the best steps to take—is preferable to making fixes afterward, when you are in a rush and anxious about potential fallout.

Follow these five steps to get your plan in place.

1. Create a list of emergency contacts

Quick help from an expert is vital to containing the damage once your data has been compromised. The companies that provide your technology infrastructure have experts in place to help when a breach occurs, so make sure you can easily get in touch if you need them. Assemble a list of phone numbers or other contact methods, and make printouts for yourself and the members of your staff. Take time to find contacts that will be of help in your specific situation—you don’t want to be stuck dealing with a customer service line’s automated answering service when you’re desperate to get a real human expert on the line. Contact your Internet hosting provider and ask for the number that will send you straight to its security department. Follow the same process for your other technology and software vendors, starting with general customer information numbers until you get the source that deals with data breaches.

2. Take a data inventory

An awareness of your sensitive data and where it’s stored will be invaluable if any of your defenses are breached. Hackers are typically after names, Social Security numbers, account numbers, credit or debit card numbers, and passwords, and knowing where this vulnerable data resides can help you take steps to protect it and to mitigate problems if it is compromised. For example, which employees access the most sensitive information? Do they access it on their laptops, or are they also using phones to log in to programs that contain this information? Communicate with your employees to make sure they are also aware of where particularly valuable data is kept. Institute a policy that requires your team to communicate swiftly after a breach, so that everyone knows which systems and programs to check first to confirm the breach is contained.

3. Learn your reporting requirements

Almost every U.S. state legally requires companies to notify law enforcement, customers, employees, or other groups if their data has been exposed, so research the specifics in your area. Some states may require that a company inform customers of a breach via electronic communication, for example, and others require companies to coordinate with credit agencies. Your state’s attorney general’s office will have guidelines for you to reference, and many offices post them online as well. The guidelines are often written in dense legalese, so take time to make sure you understand them. (TechInsurance, an agency for IT freelancers and small businesses, has a reference chart that lists requirements in a simpler format.) Create a to-do list of the entities you must notify if you have a breach and the required method for reaching each of them.

4. Create a customer support plan

Reacting to a breach with care and consideration for your customers’ worries will help them maintain trust in you. Go beyond legal reporting requirements to provide extra information on the nature of the leak and how customers can protect themselves. Create a list of best practices for customers—such as changing passwords or monitoring their bank statements—and store that list somewhere you can easily access it. That way, you can quickly create a clear, informative statement to post to your website, send out via email, or broadcast on social media if you suffer a breach. Consider other ways you can demonstrate excellent customer support, such as setting up a hotline or email address to answer customer questions, or offering several free months of credit monitoring.

5. Plan how to keep your business running

Your customers will still expect to make purchases or receive services even if your company is dealing with a breach. Develop contingency plans so that you are able to maintain operations while the breach is being resolved and security weaknesses are addressed. These plans may include arranging for loaner computers in case devices at your place of business are too compromised to use securely, or even planning alternative work locations. Consider tools that make remote work possible. These may include a remote desktop service, such as AccessMyLAN® from AT&T or Citrix® GoToMyPC, that allows employees to access documents and applications securely from the company network, or a secure cloud-based service that enables teams to share and collaborate on files remotely. You might also identify a team member who will keep customers, vendors, and business partners up to date on the breach resolution.