Small Business Data Breach: Mitigating the Damage

Data breaches can be catastrophic for small businesses. Here's how to protect your company against data breaches and mitigate the damage.

Written by: Steven Melendez, Staff Writer
Updated Jun 13, 2024
Sandra Mardenfeld, Senior Editor

Data breaches can happen to any business, no matter their size, so it’s crucial to be prepared in case one affects your company. Businesses typically do what they can to protect operations, including ensuring that employees are properly trained, securing adequate and appropriate insurance coverage, and updating and securing all IT systems.

Still, even the best preparations can’t completely prevent all data breaches, and even vigilant businesses may fall victim to an attack. If that happens to your company, it’s important to act quickly. Remember not to panic, and follow this guide to mitigate the damage a data breach can cause.

What is a business data breach?

A data breach is a security incident in which an unauthorized entity obtains access to private information without permission. A data breach can be caused by a deliberate hacker attack, a malware infection or computer virus, a stolen device, or an inadvertent leak by someone in your organization. Bad actors can target confidential data about your business, employees or customers.

Businesses that don’t use data security software and organizations without robust security practices are at particular risk for data breaches. However, they can happen to any business — and when they do, the company must understand its legal obligations, take steps to contain the breach, and get its systems secure and up and running as quickly as possible.

How to mitigate a small business data breach

If you think a data breach has occurred, it’s important to act immediately. As with any business disaster plan, you should have basic procedures in place for handling a breach and be ready to put them into action as soon as you see signs of trouble. Discuss the plan ahead of time with employees so they’re ready to do their part if the worst happens.

Take the following steps to contain and mitigate harm from a small business data breach:

  1. Understand and document the situation. What makes you think you’ve been hacked? Observe and document signs that a computer has been infected or a network has been infiltrated. Note what files, data and intellectual property have been accessed. Keep this documentation in a secure location.
  2. Contact the experts. If your business has an IT or computer security consultant or staff, contact them immediately if they’re not already aware of the incident. Tell them what you’ve seen, and get their advice on the next steps. Work with your IT team to execute a plan to secure your computers and get them back online — and continue operating your business in the meantime.
  3. Contact your insurance provider. If you’ve secured the right small business insurance policies, your provider can supply crucial coverage for losses incurred by the data breach. Contact your provider as soon as possible, and work with the company to file a claim and get compensated for your losses.
  4. Get in touch with a lawyer. Contacting a lawyer may be appropriate in the aftermath of a data breach — particularly if third-party information belonging to customers or employees was compromised. A lawyer who specializes in data breaches can guide you through the legal requirements, including notifying potential victims of the breach.
  5. Restore trust in your company. If the breach affected customers, employees or other third parties, you must work to restore their trust. Start by being transparent about the incident and explaining what you’re doing to rectify the situation and compensate victims. Your lawyers, cybersecurity experts and insurers will provide valuable guidance and advice about measures you can take to remedy the situation and restore trust in your business.
FYI
The Federal Trade Commission (FTC) says businesses that experience a data breach should contact local law enforcement immediately to report the incident and evaluate the potential for identity theft. You must also notify the FTC directly if the data breach involves medical records and HIPAA compliance.

What is the cost of a data breach?

While data breaches at massive corporations grab the media spotlight, they also happen at small businesses — and the costs of a cyberattack at this level can be financially devastating. 

According to Jeff Kosc, a partner with the law firm Taft, businesses affected by data breaches face monumental hard and soft costs. 

Hard costs

Businesses that experience a data breach face significant hard costs from several sources. 

  • Credit card company fines and charge-backs: Credit card companies have broad powers and rights in data breach situations and can impose significant fines on affected businesses — particularly if the business didn’t comply with Payment Card Industry (PCI) regulations. PCI compliance requires businesses that accept credit cards to adhere to specific security measures. “If there is a breach of PCI, [credit card companies] have rights to level fines on merchants,” Kosc cautioned. “They are also entitled under those agreements to charge back any fraudulent charges that take place on anyone’s card as a result of the data breach.”
  • Consumer notification costs: The affected businesses incur potentially massive costs associated with alerting consumers of the breach and paying for their credit monitoring services.
  • Investigation costs: Businesses must bear the costs of data breach investigations and often must pay for measures to ensure such incidents don’t happen again.
  • FTC fines: Depending on the scope of the breach, businesses may face fines from the Federal Trade Commission. For example, in the well-known Equifax breach, the company agreed to pay at least $575 million in an FTC settlement.
Did you know?
According to IBM's 2023 Cost of a Data Breach Report, the global average cost of a data breach is $4.45 million — and incidents are becoming more damaging, costly and difficult to contain.

Soft costs

Data breaches are also costly in subtle ways, including the following: 

  • Productivity loss: According to Kosc, many companies affected by data breaches face significant soft costs stemming from productivity losses. Employees and leadership teams are understandably focused on cleaning up the mess and may neglect day-to-day responsibilities and projects. Data breaches are productivity-killing distractions that affect every department and worker. “You are pulling everyone away from their regular job duties to deal with a data breach,” Kosc said.
  • Reputational damage: Businesses that experience data breaches suffer potentially devastating damage to their reputation and trust. “There is a community of people who have a trusted relationship with you, and that can be jeopardized,” said William Pelgrin, CEO and co-founder of cybersecurity service CyberWA. “How you recover from all of that can be very difficult.”

How can cyber insurance help in the event of a data breach?

Cyber insurance and data breach insurance are types of business insurance that can help cover some of the losses that businesses incur in a data breach. The two are similar and often referred to interchangeably. However, only cyber insurance pays for legal defense and settlement costs, while data breach insurance also covers information that wasn’t stolen from a computer or other device.

According to Lynn Kennedy, senior vice president for small commercial sales and distribution at The Hartford, this coverage has two primary components:

  • Response coverage: Response coverage pays the costs of notifying customers after a breach, setting up credit monitoring for affected customers, hiring a public relations firm to help repair reputational damage, and hiring legal and forensic experts to identify a breach’s source.
  • Expense coverage: Expense coverage pays for legal expenses if the affected business faces lawsuits related to the breach. “[Expense coverage] covers civil awards, settlements or judgments that the small business owner would become legally obligated to pay as a result of a data breach,” Kennedy said.
FYI
A data breach is one of the biggest business insurance risks your company faces. Contact your business's existing insurance company or agent about cyber, data breach and reputation insurance options to protect your business.

How can you restore customer trust and your business reputation after a data breach?

To begin repairing your business’s reputation and rebuilding trust after a data breach, it’s important to be transparent, proactive and willing to accept responsibility. “I am a big believer in, it’s not if bad things happen, but how you react when bad things happen,” Pelgrin noted. “That shows the quality of the company and … the individuals that work for that company.”

According to Pelgrin, the last thing your business wants is for news of the breach to get out six months after it occurred and have customers think you did nothing to help or protect them. At that point, “You’re in a position of trying to justify why you held on to that information,” Pelgrin said.

Alert customers as soon as you have concrete information on the breach. “You don’t want to put fear into people,” Pelgrin said. “You really need to know what happened so when you give the information, it is very clear [that] ‘This is what we know, this is what happened, and this is what we recommend to mitigate it.'”

How can you avoid a data breach and protect customer data? 

Small businesses often make the mistake of thinking cybercriminals aren’t interested in them. “We tend to think that it won’t happen to us because we are too small and that they are really looking at the larger [companies], and that’s not the case,” Pelgrin cautioned. “Everyone is under constant attack at this point.”

While there are no guarantees you’ll avoid a data breach, you can take several proactive measures to reduce the likelihood of one and protect customers’ data.

1. Know your environment.

Before you can protect your business, you must know exactly what systems and applications you have. Take inventory of your hardware and software, including their versions. You may discover that a particular application or tool has a known security vulnerability.

Ask yourself, “What are your assets? What does your infrastructure look like? What does your network look like?” Pelgrin said. “There may be a known vulnerability, and you might not even think it is within your infrastructure, and unbeknownst to you, it may be totally enabled throughout your infrastructure and therefore making you very vulnerable to an attack.”

2. Secure your environment.

Part of securing your devices from hackers is bringing your hardware, software and network to the highest possible security level. Small businesses often don’t realize that the latest security measures aren’t in place when they buy new hardware and software. IT personnel must carefully evaluate each new piece of equipment and software and ensure that the latest security patches are downloaded and installed. Additionally, Pelgrin recommended utilizing the highest security settings possible without hindering operations.

3. Control your environment.

Businesses must control employees’ access to the company’s network and data. Pelgrin said employees shouldn’t have access to higher levels of administration than they need and shouldn’t be allowed to download applications or programs without authorization. 

“Most of your employees should not have complete administrative access to their machines,” Pelgrin said. “That administrative access should be limited to very few trusted individuals.”

FYI
Poor access management can leave businesses vulnerable to cyberattacks by inviting human error and oversight.

4. Assess your vendors’ cybersecurity postures.

Businesses must ensure their vendors have stringent security standards. Pelgrin advised asking all vendors and outsourcing partners for documentation that outlines precisely what security measures they have in place. “It needs to meet the standards of what you would employ internally,” Pelgrin said.

5. Monitor your environment.

Train employees to be aware of their systems and to notice when those systems don’t act or perform correctly. “You don’t have to be a cyber expert to know something is wrong,” Pelgrin said. “Your gut is a great first sign that something may be wrong, and then you need to reach out to those that have the expertise to help diagnose whether, in fact, you have been a victim of a cyber incident.”

Pelgrin also recommended monthly cybersecurity training so employees are aware of their actions and avoid inadvertently contributing to leaks. Teaching them about strong passwords and ways to recognize phishing attacks can help protect the company. “You want to make it real for employees, and the only way to do that is to talk about it and practice it,” Pelgrin said.

Kosc said hiring a dedicated staff member who is responsible for security, such as a skilled IT manager, is a vital step in keeping business data safe. “It needs to be something that is on someone’s mind every day because that’s their job,” Kosc said.

Tip
Consider working with an IT managed service provider if you need tech expertise but can't hire a full-time employee to handle security.

Understand and plan for data breaches

No company is immune to data breaches these days. While no business can completely prevent network security threats and vulnerabilities, every business should have a clear strategy for recognizing and dealing with cyber intrusions. “You want to have a plan in place before something like this happens, so when an event does happen, you know what to do and how to limit liability as much as possible,” Kosc said.

Part of that plan is knowing whom to call for help. You don’t want to waste time trying to determine where you can find assistance in a crisis. “You want to have those relationships upfront and in place,” Pelgrin said. Then, if you see signs of a breach, you can put your plan into action and begin mitigating the damage and getting back to normal.

Leah Zitter contributed to this article. Source interviews were conducted for a previous version of this article.
