How do I know if my business is ready for a cyberattack?
Cyberattacks can happen at any time. Being ready, however, means different things to different businesses. It depends on what information you store, how much of your operations run online, and how much damage an attacker could do to your business. If your business is insured against a data breach or hack, you may want to start by making sure your business meets any requirements outlined in your policy.
Business owners and managers may want to become familiar with the common types of cyberattacks, including attacks on network security and wireless security, as well as social engineering attacks. These cyberattacks include:
- Phishing.
- Malware.
- Ransomware.
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
If these terms do not sound familiar to you, it may be a sign to spend some time researching cybersecurity, or to reach out for help. Similarly, educating your employees on cyberattacks is a very effective tool because many cybercriminals target employees to trick them into giving up their credentials.
If your business does nothing online other than maintain a website that provides information about your business, or engage in social media activity, then cybersecurity may be a simpler task. For those businesses, the most important preparation typically involves activating multi-factor authentication for all of your logins and making sure your recovery email addresses and passwords are regularly updated. A daily or weekly check that your online presence has not been compromised can often be done in just a few minutes.
For businesses that do more online, such as selling directly through their website or maintaining data in the cloud or on a network, it may be helpful to work with IT security professionals to understand how to protect your business. Strategic planning with IT professionals and contractors can help assess your business's cybersecurity strengths and weaknesses, the budget required to implement security measures, and the best measures to implement over the short and long term. It can also help to develop a tactical plan that addresses day-to-day needs, such as monitoring and investigating suspicious activity originating both outside and inside your network.
How do I respond after my business gets hacked?
If you discover that your business has been hacked, don't panic, but also don't delay taking action. If you do not know what to do, do not hesitate to reach out for help.
Generally, the first step is to identify the system that was breached and to secure it immediately. If you can, fix the weaknesses that allowed it to be hacked, such as by changing the password, enabling a firewall, or removing the system from the network.
For example, if you find something strange posted on your website or social media that you did not post, change your passwords immediately. Then, make a record of what was posted and remove the content. If the hacker contacted anyone while using your account, check your sent messages, then notify anyone who has been messaged.
If you have an IT team, contact them as soon as possible to prevent further data loss. Depending on the nature of the breach, you may want to reach out to affected customers, employees, and vendors if they can take action to prevent losses.
Be sure to have Incident Reports ready so the employees handling the breach can document the details of the hack. This information can be helpful for responding to the cyberattack, determining what happened, and preventing a future breach. Incident reports tend to be most helpful when filled out immediately after an incident, as small details may be forgotten as time passes.
Does my business need a data privacy policy?
Maybe. If your business collects or stores personal information about customers, employees, website visitors, or anyone really, a data privacy policy may be a good idea. This can be part of a simple Online Privacy Policy for your website, your Employee Handbook, and your agreements with vendors, contractors, and clients. If you're collecting information, you may want to talk to a lawyer about the legal requirements in your state about safeguarding data.
Businesses may be required to give consumers certain notices explaining the type of personal information collected and how it is used. These policies usually protect financial information in addition to other personal information such as addresses and phone numbers. If your business operates across state lines, or globally, you may want to include additional information to comply with certain regulations, such as "opt-out" provisions, in addition to complying with the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Further, consider drafting Website Terms of Use and Online Terms and Conditions documents at your earliest convenience. These documents help visitors to your business's website understand the rules for using your website properly and following appropriate "netiquette."
When do I notify customers or employees of a data breach?
Generally, when you discover a breach, you may be obligated to notify your employees, customers, and anyone else who may have been impacted. Breach notification requirements differ, and often depend on the state where your business is located. Personal information is protected by a patchwork of laws across the U.S., but nearly every state has its own data security law of some sort.
Depending on the type of information breached, you may need to also notify the Federal Trade Commission (FTC), any state agencies that have jurisdiction over data privacy, and any foreign regulators, such as those falling under the European Union's General Data Protection Regulation (GDPR).
Ideally, anyone whose personally identifiable information (PII) may have been compromised should be notified of the data breach and of any information that may have been leaked. There is a limited window for people to protect themselves against identity theft and fraud, so it is preferable to notify customers sooner rather than later.
Is my business liable if customer or employee data is compromised?
Yes. If your business fails to safeguard data or fails to meet customer notification requirements, there can be legal consequences in addition to a host of other negative business impacts. The extent of the consequences may vary depending on the severity of the breach and the timeliness of your notifications. Generally, they might include fines and other penalties, reputational damage, customer losses, operational downtime, loss of intellectual property, and possible legal action.
Cyberattacks are becoming more sophisticated and constantly adapting to evade preventative measures. Taking a proactive approach, however, can minimize the risks of being targeted, and the potential damages and legal liabilities in case you do fall victim. With the proper preparation, you may be able to mitigate potential short- and long-term damage to your business from a cyberattack, or you might just prevent one in the first place.
If you think your business is at risk for cybercrime, or you have been hacked, reach out to a Rocket Lawyer network attorney today for affordable legal advice.
This article contains general legal information and does not contain legal advice. Rocket Lawyer is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.