In a world of rising cybercrime, leaders of small to midsized businesses are concerned about falling victim to a data breach. This is a reasonable fear, but worries about data breach reporting should never keep you awake at night.
TL;DR: When you understand what a data breach is, what you need to report, and how to turn data breach reporting into a repeatable process, you can rest easy that you are maintaining compliance if a hacker infiltrates your systems.
A data breach is when your company’s data has been exposed without authorization. The only times you have to worry about data breaches are when personal, unencrypted data has been exposed, including things like:
In Washington, each of these items would have to be exposed together with a corresponding first name or first initial, plus last name, to be considered a breach. If I gave you a random social security number such as 438-67-9873 (which must be someone’s social, right?), it doesn’t do you any good unless you have the corresponding identifying data. This identifying data is often referred to as Personally Identifiable Information, or PII.
If hackers get access to this PII data, your organization is the victim of a data breach.
When your business data is breached, reporting can be complicated. Various sectors, such as federal contractors, healthcare providers, and financial firms, have specific reporting requirements mandated by the federal government. Organizations that do business with California residents have other requirements (CCPA), as do organizations that do business with European residents (GDPR).
In general, small to midsized businesses do not have reporting requirements mandated by the federal government, but they are required to report data breaches to Washington’s Attorney General (more on that in a moment).
Data breaches are scary. It’s best to have a system or process in place if you become a victim.
Here are best practice steps to follow, in order, after a data breach:
If you haven’t yet notified your MSP, contact them. Then contact your lawyer and your cyberinsurance carrier. Contact local law enforcement and make a report.
If a hacker has posted something questionable to your website or others, remove it.
Washington requires that you notify affected Washington residents within 45 days after discovering the breach, and that you also notify the Attorney General within 45 days. The Attorney General will need a copy of the communication you sent to affected people, along with the exact number of residents affected (or an estimate, if you can’t be exact). Delays are allowed if prompt reporting would interfere with law enforcement actions.
Notifications should be in written or electronic form and sent to each affected person individually, but if notification costs would exceed $250,000 or must be sent to more than 500,000 Washington residents, you can inform people by completing all three of the following:
You aren’t required to provide lots of information in your notification, but transparency is the best policy. We recommend that you include succinct info about what happened, what information was involved, how your organization is responding, what your customers can do, and how they can get follow-up information. (Your lawyer and cyberinsurance firm will have much better advice than we do.)
If other businesses were involved, let them know about your breach. If social security numbers were breached, contact the credit bureaus. If bank numbers or credit card data was breached, contact the banks.
Even if you have taken all reasonable cybersecurity precautions, data breaches happen. If your data is breached, we can help you figure out what to do next and potentially recover your data if it was stolen in a ransomware attack. Whatever you need, we’re here to help.
Remember: worries about a data breach should never keep you up at night. When you have a great MSP to work with and an established process or system to follow, you’ll have the power to handle data breaches efficiently and effectively – no matter what.
For 20 years, the friendly and knowledgeable team at Interplay in Seattle has helped business leaders across a range of industries get more out of their tech, stress free. Not only are we always (and we mean always) happy to offer the best managed IT services, support, and advice, we’re also the team you can trust for the best cocktail recommendations here in Seattle or in Disney World – we’re versatile! All humor aside though, we’d love to help you get your IT running smoothly and securely, around the clock.