One things that you know for sure is that you must safeguard others personal information, often the result of a compromised password or sensitive data pulled from the garbage. But businesses that collect personal information such as addresses, credit card numbers or even Social Security numbers have a great responsibility to prevent data breaches and protect their customers from identity theft.
This article covers the various types of business data breaches, including ways to minimize your risks and — if a breach has occurred — how to respond.
Difference Business Data Breaches
Personal information potentially used to steal one’s identity or illegally access financial accounts can be compromised in a number of different ways:
- Unintended Disclosure – Information is mistakenly disclosed online or sent to the wrong party via email, fax or other means.
- Hacking or Malware – An outside party gains electronic entry, either directly or through malware (i.e. spyware or trojan horses).
- Payment Card Fraud – A thief uses a skimming device or other method to obtain credit card numbers at a retail counter.
- Insider – An employee, contractor or other individual with legitimate access intentionally breaches otherwise secure data.
- Physical Loss – Lost, stolen or discarded paper documents with sensitive customer data are obtained by identity thieves.
- Portable Device – Lost or stolen computer, smartphone, memory device, CD or hard drive falls into the wrong hands.
Not all data breaches result in identity theft. For example, stolen credit card numbers can be used until the customer cancels his or her account but generally don’t give the thief access to one’s identity (which typically requires an address, date of birth and Social Security number).
Make Sure You Contact Law Enforcement
Notifying your local police department immediately after learning about a data breach of customer data is the best way to minimize the damage and also demonstrates a good faith effort to protect your customers. Most states have laws requiring businesses to notify the police, business partners and customers if their personal data has been compromised.
If your local police department is not experienced with identity theft or other information security matters, contact your local FBI or U.S. Secret Service office. For incidents involving mail theft, call the local office of the U.S. Postal Inspection Service.
You Should Notify Other Businesses
A data breach can sometimes affect banks, credit issuers, business partners or other affected organizations. If account information such as credit card or bank account numbers has been stolen, but you don’t maintain those accounts, be sure to call the relevant financial institutions so they can monitor for fraudulent activity.
How to Notify Customers, Clients, Patients, & Other Affected Parties
Early response to a data security breach is the key to preventing, or minimizing the damage from, identity theft or other potential misuse of personal information. While most states require businesses to notify customers about known data breaches, a federal bill known as the Data Accountability and Trust Act is expected to pass soon.
The Federal Trade Commission recommends consulting with local law enforcement officials before releasing a notification so it doesn’t impede the investigation. The FTC also suggests businesses designate a contact person to facilitate the notification process, using letters, web sites and toll-free numbers to communicate with affected individuals.
Your security breach notice should generally follow these guidelines:
- Describe clearly what is known about the compromise, including how it happened, what data was taken and (if possible) how information has been used by thieves and what actions have been taken to remedy the situation.
- Explain how people should respond to the data breach, including the contact information of appropriate organizations and agencies
- Include current information about identity theft in general
- Provide contact information for law enforcement officers working on the case
- Encourage victims of identity theft to file a complaint with the FTC
How to Protect Personal Information
It’s in the best interests of every business to prevent data security breaches in the first place. The FTC suggests the following five principles for protecting the sensitive information of your customers and business partners:
- Take Stock: Know what personal information is in your organization’s files and computers. This includes smart phones, removable flash drives and information that may be shared with other organizations.
- Scale Down: If you don’t need it, it’s a potential liability and should be securely disposed of. As a rule thumb, only keep personal information for which there is a legal or business necessity.
- Lock It: Make sure all personal information is both physically and electronically secure, which includes knowing exactly where all sensitive data is stored. Remember that any security system is only as strong as its weakest link.
- Pitch It: Use wipe utility programs to thoroughly erase any possible personal data from all decommissioned computers and make sure you shred paper records before recycling them. Identity thieves often find valuable information in the garbage.
- Plan Ahead: Devise a plan for responding to security breaches before they happen. A swift and professional response is key to recovering from a potentially damaging data security breach.
Business Data Breach Lawyer Free Consultation
If your business has suffered a data breach, you should also contact the business data breach lawyers at Ascent Law, LLC. We want to help you resolve the issue, salvage and protect what you can, and prevent it from happening again. Call us for your free consutlation (801) 676-5506. We want to help you.
8833 S. Redwood Road, Suite C
West Jordan, Utah
84088 United States
Telephone: (801) 676-5506