What SMBs Have to Disclose About a Data Breach

In a world of rising cybercrime, leaders of small to midsized businesses are concerned about falling victim to a data breach. This is a reasonable fear, but worries about data breach reporting should never keep you awake at night.

TL;DR: When you understand what a data breach is, what you need to report, and how to turn data breach reporting into a repeatable process, you can rest easy knowing you will stay compliant if a hacker infiltrates your systems.

What Is a Data Breach?

A data breach is when your company’s data has been exposed without authorization. The only times you have to worry about data breaches are when personal, unencrypted data has been exposed, including things like: 

  • Social security numbers
  • Financial account data including passwords or access codes
  • Driver’s license or state ID numbers

In Washington, each of these items would have to be exposed with a corresponding first name or first initial, plus last name to be considered a breach. If I gave you a random social security number such as 438-67-9873 (which must be someone’s social, right?), it doesn’t do you any good unless you have corresponding identifying data. This identifying data is often referred to as Personally Identifiable Information, or PII. 

If hackers get access to this PII data, your organization is the victim of a data breach. 

What Are You Required to Report?

When your business data is breached, reporting can be complicated. Various sectors, such as federal contractors, healthcare providers, and financial firms have specific reporting requirements mandated by the federal government. Organizations that do business with California residents have other requirements (CCPA), as do organizations that do business with European residents (GDPR). 

In general, small to midsized businesses do not have reporting requirements mandated by the federal government, but they are required to report data breaches to Washington’s Attorney General (more on that in a moment). 

What Are Best Practices for Reporting a Data Breach?

Data breaches are scary. It’s best to have a system or process in place if you become a victim. 

Here are best practice steps to follow, in order, after a data breach: 

  • Secure your systems immediately 

Take affected technology offline. Install updates and patches. Your Managed Services Provider (MSP) can help. 

  • Call in the experts

If you haven’t yet notified your MSP, contact them. Then contact your lawyer and your cyberinsurance carrier. Contact local law enforcement and make a report. 

  • Perform damage control

If a hacker has posted something questionable to your website or others, remove it. 

  • Prep your communications plan

Washington requires that you notify affected Washington residents within 45 days after discovering the breach, and that you also notify the Attorney General within 45 days. The Attorney General will need a copy of the communication you sent to affected people, along with the exact number of residents affected (or an estimate, if you can't be exact). Delays are allowed if prompt reporting would interfere with law enforcement actions.

Notifications should be in written or electronic form and sent to each affected person individually, but if notification costs would exceed $250,000 or must be sent to more than 500,000 Washington residents, you can inform people by completing all three of the following: 

  • Sending an email (if you know the person's email)
  • Posting a breach notification conspicuously on your website
  • Posting to a major statewide media source

You aren’t required to provide lots of information in your notification, but transparency is the best policy. We recommend that you include succinct info about what happened, what information was involved, how your organization is responding, what your customers can do, and how they can get follow-up information. (Your lawyer and cyberinsurance firm will have much better advice than we do.) 
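The two decision points above (does an exposed record count as a breach of PII, and may you use substitute notice instead of individual letters) are easy to get wrong under pressure, so it helps to encode them once and reuse them during an incident. The following Python triage helper is an added example, not code from Interplay or from this article; it models only the rules the article states (name plus an unencrypted data element, 45-day deadlines, and the $250,000 / 500,000-resident substitute-notice threshold), and the field tags, the per-notice cost and the sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Data elements the article lists as triggering a breach when paired with a name.
# The tag names are constructed for this example; use whatever your inventory uses.
TRIGGER_ELEMENTS = {"ssn", "financial_account_with_access_code", "drivers_license", "state_id"}
NAME_ELEMENTS = {"first_name_or_initial", "last_name"}

NOTIFY_WITHIN_DAYS = 45                 # residents and Attorney General, per the article
SUBSTITUTE_NOTICE_COST = 250_000        # dollars
SUBSTITUTE_NOTICE_RESIDENTS = 500_000   # affected Washington residents


@dataclass
class ExposedRecord:
    resident: str            # constructed person identifier
    fields: set              # data elements exposed for this person
    encrypted: bool = False  # True if the exposed data was still encrypted


def is_notifiable(record):
    """A record counts as breached PII only when it is unencrypted, carries a
    first name/initial plus last name, and at least one trigger element."""
    if record.encrypted:
        return False
    return NAME_ELEMENTS <= record.fields and bool(record.fields & TRIGGER_ELEMENTS)


@dataclass
class NotificationPlan:
    affected: list                  # distinct residents who must be notified
    resident_deadline: date         # 45 days after discovery
    attorney_general_deadline: date  # also 45 days after discovery
    method: str                     # "individual" or "substitute"
    substitute_steps: list = field(default_factory=list)


def plan_notification(records, discovered_on, cost_per_notice=2.0):
    """Decide who must be notified, by when, and whether substitute notice
    (all three steps) is allowed. cost_per_notice is an assumed estimate."""
    affected = sorted({r.resident for r in records if is_notifiable(r)})
    deadline = discovered_on + timedelta(days=NOTIFY_WITHIN_DAYS)
    estimated_cost = len(affected) * cost_per_notice

    if estimated_cost > SUBSTITUTE_NOTICE_COST or len(affected) > SUBSTITUTE_NOTICE_RESIDENTS:
        method = "substitute"
        steps = [
            "email each affected person whose address you hold",
            "post a conspicuous breach notice on the website",
            "post to a major statewide media source",
        ]
    else:
        method = "individual"
        steps = []
    return NotificationPlan(affected, deadline, deadline, method, steps)


def attorney_general_summary(plan):
    """The figures the Attorney General filing needs: headcount and deadline."""
    return {"residents_affected": len(plan.affected),
            "deadline": plan.attorney_general_deadline.isoformat()}


# Constructed sample findings from a hypothetical incident review.
SAMPLE_RECORDS = [
    ExposedRecord("alice", {"first_name_or_initial", "last_name", "ssn"}),
    ExposedRecord("bob", {"first_name_or_initial", "last_name", "email"}),          # no trigger element
    ExposedRecord("carol", {"ssn"}),                                                 # no name attached
    ExposedRecord("dave", {"first_name_or_initial", "last_name", "drivers_license"},
                  encrypted=True),                                                   # still encrypted
    ExposedRecord("erin", {"last_name", "state_id"}),                               # missing first name
    ExposedRecord("frank", {"first_name_or_initial", "last_name",
                            "financial_account_with_access_code"}),
]

if __name__ == "__main__":
    plan = plan_notification(SAMPLE_RECORDS, date(2024, 3, 1))
    print(plan.method, plan.affected, plan.resident_deadline)
    print(attorney_general_summary(plan))
```

Run on the constructed sample, only alice and frank meet the definition, the deadline falls 45 days after the discovery date, and individual notice applies; feeding it a large or expensive population flips the plan to the three-step substitute notice. Treat the thresholds as a model of what this article states, and keep the field tags aligned with your data inventory so the triage reflects what was actually exposed.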

  • Contact third parties

If other businesses were involved, let them know about your breach. If social security numbers were breached, contact the credit bureaus. If bank account numbers or credit card data were breached, contact the banks.

Need a Hand Reporting a Data Breach? Interplay Is Here to Help

Even if you have taken all reasonable cybersecurity precautions, data breaches happen. If your data is breached, we can help you figure out what to do next and potentially recover your data if it was stolen in a ransomware attack. Whatever you need, we’re here to help. 

Remember: worries about a data breach should never keep you up at night. When you have a great MSP to work with and an established process or system to follow, you’ll have the power to handle data breaches efficiently and effectively – no matter what. 

Get Answers to Your Data Breach Questions

For 20 years, the friendly and knowledgeable team at Interplay in Seattle has helped business leaders across a range of industries get more out of their tech, stress free. Not only are we always (and we mean always) happy to offer the best managed IT services, support, and advice, we’re also the team you can trust for the best cocktail recommendations here in Seattle or in Disney World – we’re versatile! All humor aside though, we’d love to help you get your IT running smoothly and securely, around the clock.