5 Important Steps to Take after a Data Leak

Jul 27, 2018

Data breaches are a major headache for businesses and consumers alike.  Consumers are naturally impacted by issues like stolen personal data and identity theft.  As a business owner, you have an ethical and legal obligation to protect consumer privacy and safeguard the confidential information your customers provide you with.

Even with measures in place to meet legal standards for data protection, however, you could end up suffering a data leak.  Whether you are hacked by a cyber criminal or a disgruntled employee steals information, you have to make sure to do all you can to rectify the situation.

This is especially important in light of the South Dakota Data Breach Notification Requirement that went into effect on July 1.  What do you need to know to follow applicable laws, treat your customers fairly, and protect your business?  Here are a few important steps to take following a data leak.

1.  Secure compromised systems.  If you have monitoring software or services in place, there’s a chance you’ll catch an attempted breach early.  Or it could be hours, days, weeks, or even months before you realize there’s an intruder in your system.  Regardless of when you discover a breach, you need to cut off the attack and lock down your system.

2.  Assess the extent of damage.  Once you’ve secured your system, it’s time to meet with your A-team to assess the damage and create a plan moving forward.  You need IT experts to determine how the breach occurred, which components were affected, and how much data was compromised, and you’ll also want to consult with executives, board members, legal counsel, and so on to determine how best to approach the recovery process.

3.  Notify customers and proper authorities.  According to the new Data Breach Notification Requirement, notification must be given to affected individuals in the event of “unauthorized acquisition of data by any person that compromises the security, confidentiality or integrity of personal or protected information”.

Businesses also have to notify nationwide consumer reporting agencies, and if the breach affects more than 250 South Dakota residents, the Attorney General must be notified.  Notification may be given by a variety of methods (in writing, electronically, via statewide media, etc.) within 60 days of the breach.  Violations could result in fines up to $10,000 per day, per violation.

4.  Understand the “harm threshold”.  What if, after investigation, you determine that a breach “will not likely result in harm”?  Do you still have to notify consumers?  According to the Data Breach Notification Requirement, the answer is no – this is known as the harm threshold.  However, proper notification must still be given to the Attorney General.

5.  Address vulnerabilities.  Once you’ve stopped a breach, regained control of your system, and notified affected parties and proper authorities, it’s time to make a plan to ensure that this type of data leak doesn’t happen again.  This means pinpointing and correcting the vulnerabilities that led to the data breach in the first place.

Businesses in and around Sioux Falls, SD can start by partnering with a reliable and qualified data destruction company like SEAM that offers high standards, legal compliance, essential certifications, and environmentally-friendly operations.  Contact SEAM today at 605-274-SEAM (7326) to get started.