Whether you’ve just found out that your company has had an unfortunate information leak or you want to prepare, knowing what to do when it happens is crucial. As a small business owner, you can’t pretend like data theft and unintentional (or purposeful) loss doesn’t happen. It does. And the more you know, the better off your business will be.

How data breaches happen

There is a virtually never-ending list of ways that a company’s data might become compromised. But, the most common are by a hacker’s hand, because of an angry ex-employee, or a simple mistake. Regardless of the reason, a data breach is, according to Norton, a “security incident in which information is accessed without authorization.”

Understanding data compliance

There are many data compliance standards that small businesses should be aware of. The General Data Protection Regulation and Payment Card Industry Data Security are two that specifically affect businesses. GDPR, however, only applies if you do business in the European Union.

PCI compliance is required of any business that takes credit cards, and it has been around since 2006. This set of 12 rules is designed to minimize data access. These include maintaining firewalls and encrypting cardholder data as well as data transmitted outside of your organization. To comply with either of these, it’s best to start out by restricting access to any information you or your customers do not want made public. You can also create entry logs that document every instance where data is accessed. Further, regular scanning and testing for potential weak spots in your company’s security, which happens to be required of PCI, will go a long way toward making your customers’ valuable information safe.

What happens after a breach?

While no business owner wants to be known as the company that had a breach, the truth is that it happens. Often. And once it has happened, you cannot sweep it under the rug. You have to tell your customers.

Your first step is to figure out what, exactly, happened. It is not enough to know that a breach occurred; the root cause has to be determined. The Federal Trade Commission recommends leaving this to a forensic investigative team. You will also want to reach out to your attorney for legal advice. While your forensic experts are digging into your digital systems, take steps to secure physical records. It might be necessary to cut internet access and require that all employees change their password.

If information has been breached through your website, either by an errant piece of code or a simple publishing mistake, remove this immediately. Next, make sure that the employees or vendors that discovered the breach are available to answer questions.

Letting your customers know about the breach

Letting your customers know that there has been a data breach is an intimidating process. Your attorney and legal counsel can advise you on what you are required to announce. You might also need to contact any government bodies that are involved in your market sector. For example, if health information was accessed, you may have to report the incident to the Secretary of the US Department of Health and Human Services.

As the reasons behind the breach become clear, you will have a much better idea of steps you can take to prevent it in the future. This could run the gamut from scouring tech staffing agencies for IT professionals to making your current employees feel appreciated. NBC reports that 82 percent of employees don’t feel recognized, and this can lead to low job satisfaction, which can lead to termination, and then vengeance by an ex-employee. 

This is obviously a very scaled-down summary of compliance and data breach information. It’s much more complicated than a few paragraphs could possibly hope to cover. Hopefully, however, you can use the above information as a jumping-off point to kick-start your security measures or to point you in the right direction of what to do if it happens to you.