What to do if your business suffers a data breach

While prevention is the best form of defence, all businesses are ultimately susceptible to cyber-attacks if a vulnerability is found. Richard Forrest, Senior Associate at data breach law firm Hayes Connor, explains what actions businesses should take if they fall victim to a data breach.

Our growing reliance on technology has been compounded and increased by the coronavirus pandemic. From working remotely, to communicating with family, to test and trace apps, to online shopping, our society has relied on tech to get us through it all. This has put our personal and company data at much greater risk than ever before.

With the ever-changing nature of cybercrime, and this constant reliance on technology, businesses need to be particularly vigilant. That said, not everyone will be so lucky…

Why is a Data Breach Bad?

You hear the words “data breach” and “cyber security” rather a lot these days. Data breaches can occur in a number of ways, be it a business whose client data is exposed, company secrets being leaked, or a GP who accidentally exposes a patient’s data to another patient. These are just some of the many examples.

The question is, why is it so important for your company to avoid being associated with a data breach of any sort? There are a number of reasons for this, including:

  • Tarnishing your company name
  • Reducing customer loyalty
  • Taking an emotional toll on those whose data has been breached
  • Leading to lawsuits, causing you to lose a lot of money along the way
  • Putting you or your customers at risk of financial crime, e.g. hacked bank accounts
  • Allowing identities to be stolen

A step-by-step guide on what to do if your business experiences a data breach

Given the fallout that a data breach may have on you, your company, and your clients and customers, it’s clear that breaches must be dealt with appropriately.

Taking responsibility for what’s happened is extremely important. As a solicitor in the field, I know first-hand the emotional trauma and stress a data breach can cause its victims. In most cases, people simply want an explanation and an apology, as well as a promise that this won’t happen again.

Then, it’s all about minimising the fallout of the breach. For all you know, the data may not have been used maliciously yet, so it’s important that you act quickly.

My steps for doing this, and preparing your business for the future so this doesn’t happen again, are as follows:

  1. Clarify whether your company has, indeed, experienced a data breach. This includes the destruction, loss, or unauthorised exposure of data.
  2. Gather a team together to deal with the issue, and fast.
  3. Assess whether this data breach will be a risk to people by finding out what type of data was stolen.
  4. If you think it will, notify the Information Commissioner’s Office (ICO).
  5. As a team, put together a process of how to deal with the situation.
  6. Hire a cyber security expert to assess how this breach occurred. They should be able to stop the data leakage and remove the hacker from the system, patching up how they got in along the way.
  7. Identify a cause for how your systems were infiltrated.
  8. Preserve the evidence of the data breach so you have it all in your records.
  9. Put measures in place to prevent someone from using the data maliciously.
  10. Let your customers know there’s been a data breach as soon as you can, either by phone or email. Be open and honest with them, letting them know how this happened and what actions are being taken to counteract this issue.
  11. Urge customers and clients to change any login details, keep their new details safe, and be vigilant about spotting any further attempts. After all, some hackers may target customers via emails, tricking them into believing they are your company.
  12. Keep everyone in the know about any updates as and when you know them. This includes all employees involved, and any clients and customers who have been affected.
  13. Respond to customer complaints and questions quickly and efficiently. Being there for them will help to assure them that you’re doing everything you can, hopefully keeping them loyal to you.
  14. To mitigate any further loss of customer loyalty, provide compensation, like discounts and offers, for those affected.
  15. Learn from it all by putting measures in place to avoid this happening again (see next heading).
  16. Try to stay one step ahead of the cyber criminals by thinking creatively. Use your hired experts to help you do this.
  17. Get in contact with a solicitor to help you deal with any fallout.
  18. Only notify the press once you have patched up the issue, otherwise further hackers may look to exploit the weakness in your system.

After all of this, make sure you get back to business as usual. Once everything is sorted, there’s no point dwelling on past mistakes, so try to move on from it, and create new avenues of discussion surrounding your business.

Cyber security measures to avoid a data breach

Many business owners will go in with the dangerous attitude that a breach won’t happen to them. That said, shocking statistics show that 60% of UK consumers were affected by a data breach in 2019. This just goes to show that companies have a long way to go before they are truly protecting their company data responsibly.

Ultimately, although it’s easier said than done, avoiding a data breach really is your best course of action. Some of the best ways to protect your company before a breach occurs include:

  • Hiring a cyber security professional to monitor any suspicious activity across your company network.
  • Making sure everyone is working on a secure network, like a VPN, whether they’re in the office or at home.
  • Making sure all company devices are set up using secure passwords and multi-factor authentication logins.
  • Making sure all company devices are set up to go to “sleep” automatically after a set period of inactivity.
  • Providing training for employees on dealing with company data, updating devices regularly, accessing secure websites, disposing of secure documents, keeping up with GDPR principles etc.
  • Installing anti-malware and cyber security software on all PCs.
  • Providing company laptops or, if you can’t, making sure all personal laptops have anti-malware software installed and in use.
  • Using PayPal when invoicing companies you haven’t worked with before.
  • Never talking about important business information with anyone outside the company.
  • Not oversharing online.
  • Making sure you have a data breach response plan in place for next time, although hopefully there won’t be a next time.

Clearly, the best way to deal with the growing number of cyber security threats is to stay one step ahead, by preparing in advance. Although this may seem like a lot of time and money to spend on something that may never happen, it’s really just a long-term investment into your business’s future.

However, if you do end up falling victim to a data breach, we hope our tips will help you to get back on the road to recovery.

If you or your company have been a victim of a data breach, Hayes Connor can help you to deal with it, both practically and emotionally.