Our last post of this series examined some of the steps that you need to take, as the owner and leader of your business, in the case that you have been impacted by a cyber-attack.
We examined the parts of your IT infrastructure that need to be checked and, if necessary, remedied, should you have the misfortune of being a victim. These included:
- Checking your wireless devices;
- The passwords which your employees have created and used;
- The network segmentation;
- The servers.
This post takes the next step forward and examines what needs to be accomplished after a security breach – notifying the relevant parties.
Who do you notify…
There are a number of key parties that have to be alerted, and they are as follows:
1. Law Enforcement:
As a business owner, it is your responsibility to notify the relevant law enforcement officials.
In fact, it is even required by law that this must be done.
With regard to this, you must notify your local law enforcement agency, and even the FBI. The FBI has well-trained agents on hand to visit your place of business and help determine what exactly transpired.
Keep in mind, however, that the amount of help you receive will correlate with the actual dollar amount of the loss you have suffered.
For example, if the dollar amount you lost was only a few hundred, the FBI probably will not conduct a full-blown investigation.
On the other hand, if the dollar amount is in the thousands (or even hundreds of thousands), more than likely they will open up a full case investigation.
The reason for this is that they have limited manpower, but they will at least come out and see you when you make that first call to them.
Depending upon what was impacted, you may also want to consider contacting the US Secret Service, and even the US Postal Inspection Service (you would contact the latter if you suspect that cases of identity theft have occurred because of mail stolen from your property).
2. Contact the major credit reporting companies:
If you store credit card or banking information on behalf of your customers, then you must also contact the three main credit reporting agencies and alert them of this fact.
With this, you can then offer your customers free credit monitoring services for an indefinite period of time. The contact information for these agencies is as follows:
- Equifax: 1-800-525-6285 (equifax.com)
- Experian: 1-888-397-3742 (experian.com)
- TransUnion: 1-800-680-7289 (transunion.com)
3. Notify your customers:
You must also notify your customers immediately after you have been impacted by a cyber-attack.
After all, it is their private information / data that is at stake, and it is your responsibility as well to make sure that they can recover from the security breach.
However, this can be a very tricky task to accomplish, and before you notify your customers, consider the following first:
- Consult with your law enforcement officials first, as you do not want to impede the investigation or give out too much information if the cyber-attack is still under investigation;
- After it has been determined what pertinent information and data can be released, designate one of your employees to be the main point of contact going forward (preferably an individual from the public relations department, if you have one; if not, you may want to consider hiring an outside consultant to do this, as revealing this kind of incident to your customers requires a certain approach);
- As mentioned, always offer your customers free credit reporting services for at least a year, if not longer. Also, if relevant, offer free identity theft / identity restoration services when social security numbers have been compromised.
4. Notify both internal and external stakeholders of your organization:
Equally important is notifying both your internal and external stakeholders. The former primarily means your employees. The latter includes your suppliers, distributors, shareholders, board of directors, etc.
This post has reviewed the key parties that must be notified after your business has been impacted by a cyber-attack, or any other form of security breach.
There are different methods of notification, but the most common one utilized is direct mail.
However, care must be taken in how this letter is drafted, because most states now have specific laws as to what kinds of information must (and must not) be included in it.
This will be the focal point of the next part of this series, and a model notification letter template will be provided as well.