How To Handle A Data Breach: 5 Tips For SMBs

Another day, another massive data breach.

Tuesday's news that AntiSec has published 1 million Apple Unique Device Identifiers (UDIDs) online--from a trove of 12 million such UDIDs--joins a long list of large-scale data breaches involving customer information. Other recent cases include the LinkedIn password breach and the Dropbox hack.

High-profile examples like these generate the headlines, but similar, smaller-scale breaches can happen to SMBs with alarming ease. AntiSec claimed those 12 million UDIDs were pilfered from a FBI agent's laptop, after all--if that's true, do your employees stand a chance? (The FBI denied AntiSec's claim.)

If you ask Craig Spiezle, executive director and president of the Online Trust Alliance, even security-conscious SMBs should treat customer data breaches as a when-not-if proposition.

"If [SMBs] collect sensitive data, they need to face the inevitable fact that they will have a data-loss incident, whether that's a breach, a lost USB stick, or a stolen computer," Spiezle said in an interview. Adopting that mindset isn't a pessimistic approach; it's a pragmatic one, according to Spiezle, because it leads to better planning and smarter, faster decisions.

[ For more SMB security tips, see 5 Flame Security Lessons For SMBs. ]

So the question is: How will your company respond if an incident does happen? Spiezle offered the following advice on developing a strong plan for acting in the wake of a data breach.

1. What Data Do You Have? The first step is to fully understand the kinds of customer information your company is handling and storing--and why. It might sound obvious, but according to Spiezle, breaches often expose how little an organization knows about its data. "I've gone through a lot of breach responses with companies where people are literally sitting around a table saying 'I had no idea we were doing that,'" Spiezle said. That can exponentially complicate matters when a data-loss event occurs--you can't very well determine the consequences and communicate them appropriately if you don't know what was at stake in the first place. Assess the kinds of data you have, who has access to it, and why.

The general rule of thumb: Limit access to those who need it for legitimate business reasons. Put a particularly high burden of proof on the case for storing sensitive customer information on laptops, external drives, mobile devices, and other hardware that can be easily lost or stolen.

2. What Are Your Regulatory Requirements? Spiezle is quick to note that this is one of the toughest data-breach challenges for SMBs that lack a compliance officer--much less an entire compliance staff--or that rely on IT generalists rather than information security specialists. But your regulatory requirements will dictate what you must do in data-breach scenarios. These are defined by the likes of HIPAA or PCI, but Spiezle noted that 46 states also now have some form of reporting requirements.

Alas, while there are vendors that can help, there's no central online destination for companies to assess all of their compliance requirements. Spiezle thinks federal legislation could help. "It is a very complex issue, and [it] again underscores the importance of pre-planning," he said.

Bonus advice: Be proactive. If you do seek help from a vendor, Spiezle pointed out that it's much better to do this when you don't already have a problem--it's tough to get the best terms if you're negotiating at 3 a.m. on a Saturday after a breach has already occurred.

3. Who Will You Notify? Knowing who you'll need to communicate with can help lead to faster, more effective responses to data-loss events. Identify those groups before something goes wrong. "This might be partners, customers, [or] government agencies," Spiezle said. He noted that some companies develop relationships with appropriate law enforcement agencies in advance so that they know the proper people to contact in the event of a data breach. Consider it the business equivalent of keeping a list of emergency contact numbers near your home phone.

4. When Will You Notify Them? This is a tricky and much-debated area: How soon should you notify affected customers and other stakeholders? Spiezle said it's a case-by-case decision. With law enforcement or other government agencies, it's usually an ASAP scenario. Customers and partners are a tougher call. On the one hand, Spiezle said, you don't want them to find out from the media or other external sources. On the other hand, you don't want to make things worse by communicating inaccurate information, which can happen if you act too quickly. Some of this decision may be guided the regulatory requirements your company operates under, too. Rule of thumb: Communicate as quickly as possible without sacrificing the clarity and accuracy of the information you provide.

5. What Will You Say? One way to cut down your response time and outreach efforts: Prepare your customer and other external communications in advance. This gets back to the importance of Tip 1--it's tough to accurately message a breach if you don't know what data you had in the first place. If you've got a complete understanding of your information and how you handle it, you can develop solid communications templates in advance.

An additional benefit: You're likely to communicate more clearly if you're writing when things are running smoothly than in the panicked aftermath of a breach. "I've seen several companies that have emails already written, Web pages ready to go, and they just have to add and populate the specifics," Spiezle said.

OTA offers a sample notification letter and related resources in its free Data Protection & Breach Readiness Guide, which Spiezle said will be updated next month.

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)