What should you do if your business is hacked?
If you run a business that relies upon technology to function and you find yourself on the receiving end of a hack or data breach, it can be easy to panic. Don’t let the situation become more problematic by delaying action. By implementing some (if not all) of the below actions, you can lessen the impact to your business and ensure you are following the letter of the law.
Remember statistically speaking, being hacked is more an issue of ‘when’ and not ‘if’. Be prepared and it will be much easier to navigate.
- New laws brought in with the General Data Protection Regulations (GDPR) from May 2018 will require you to notify the relevant supervisory authority within 72 hours of becoming aware of a data breach. Although not yet in force it is wise to begin this practice now rather than later. You will be expected to provide thorough information, and provide updates when you learn more as the incident progresses. If you fail to report a breach when required to do so, it can result in a fine of 2 per cent your company turnover or 10 Million Euros, whichever is higher. Breaches only need to be reported if it is likely to result in a risk to the rights and freedoms of individuals. Be sure to contact your local police as well to report the crime. And, don’t attempt to hide the breach; it will only be to your detriment.
- Inform your clients immediately. Once you are aware a breach has occurred, you might be legally required to inform customers if their data has been compromised, but only if the data is considered to be personally identifiable information (PII) . There really is a need for speed, the sooner the better. You will need to send a written notification to every customer. It needs to clearly state a data breach has occurred, when it occurred, and what kind of information was compromised/stolen. You’ll also need to inform them what steps you are taking to remedy the breach.
- Following a hacking incident you will most likely need to bring in a cybersecurity expert. They will test your network to find out what kind of attack occurred and in what part of your network. You may want to have a cybersecurity firm check for weaknesses in general on a semi regular basis to minimise the likelihood of any future attacks.
- Comply with your industry’s regulating bodies. Businesses operating in certain industries, such as financial services or healthcare, may have additional notification requirements, so be sure you are aware of what these are.
- If you have a cyber insurance policy in place, then be sure to contact your broker. You will need to start the claims process as soon as possible. If you don’t already have one in place, then it is highly recommended that you consider it. The right cover can help avoid a major loss in income and potential reputational damage. All of which can be insured against.
- Assuming you have a contingency plan it’s time to implement it! A hack or theft of data can put you out of business for weeks or months until your network again is secure again. Ensure you minimise damage with existing clients, and find an alternative way to keep business turning over.