BBB Small Business Advice: Reduce the Damage Done by a Data Breach

March 30, 2010

While the volume of data breaches declined in 2009, data breaches at businesses—as opposed to the government or non-profit sector—are on the rise. Better Business Bureau recommends that small business owners take steps to protect their data and also develop a plan of action in order to react quickly and reduce the damage if a data breach does occur.

There were more than 498 reported data breaches in 2009, according to the Identity Theft Resource Center. While this is an improvement on the 657 breaches in 2008, the share of breaches occurring specifically in the business sector unfortunately increased to 41 percent.

Even when a company takes all necessary precautions, a data breach can occur as the result of a malicious attack or employee error. The key to limiting the damage—and retaining customer trust—is to develop an action plan in case a data breach does strike your business.

Resolving a data breach can be costly to a business, not only because of the time and energy spent resolving the issue, but also because of the number of customers whose trust in the business is lost in the wake of the breach. According to the U.S. Cost of a Data Breach Study released by PGP Corporation and the Ponemon Institute, data breach incidents cost U.S. companies $204 per compromised customer record.

BBB recommends that small business owners take the following steps to prepare the business and reduce the damage in the event of a data breach:

1. Create a Data Breach Notification Policy.
A data breach notification policy tells consumers how your business will notify customers if a data breach occurs. Consider informing consumers that you will notify them through a quicker and relatively inexpensive method (e.g., e-mail or publication) instead of a more expensive method (e.g., US mail). However, there are state-specific laws on the notification delivery method, so consult with an attorney before sending out any notices.

2. Train Your Employees to Identify Breaches.
Employees need to know how to spot a potential breach and how to report this type of event. More information on the red flags of a data breach is available in Chapter 7 of BBB’s new publication for small business owners, Data Security – Made Simpler.

3. Immediately Gather the Facts of an Alleged Breach.
How and when did this occur? Was it an internal error or the result of a malicious attack? Determining the source of the breach quickly enables you to take immediate steps to reduce any further damage.

4. Notify Financial Institutions.
If financial information, such as payment card numbers, was compromised, contact the bank or company that manages your payment card processing.

5. Seek Outside Counsel.
Seek attorney assistance or guidance from a risk consulting company as soon as you become aware of an incident that might constitute a data security breach. Your attorney can help you identify which laws might be involved and whether you need to alert consumers or the government of the incident.

6. Notify Affected Customers.
Notify them in the manner you said you would in your Data Security Policy. Explain what occurred, when it occurred and the specific steps you are taking to address the event.

BBB and partners Symantec Corporation, Visa Inc., Kroll’s Fraud Solutions and NACHA – The Electronic Payments Association created Data Security–Made Simpler, an online resource to help small businesses implement key data security policies and practices.

Data Security—Made Simpler was created by BBB in collaboration with two nationally recognized data security experts, Dana Rosenfeld and David Zetoony.

Small business owners can get additional free advice and tips on improving data security from BBB at

Kelvin Collins is president/CEO of the Better Business Bureau of Central Georgia & the CSRA, Inc. serving 41 counties in Central Georgia and the Central Savannah River Area (CSRA). This tips column is provided through the local BBB and the Council of Better Business Bureaus. Questions or complaints about a specific company or charity should be referred directly to the BBB at Phone: 1-800-763-4222, Web site: or E-mail: or