7. If Customer Data is Stolen or Lost — What to Do Next
Create and publish a data breach notification policy.
Consider informing consumers that you will notify them through a quicker and relatively inexpensive method (e.g., email or publication) instead of a more expensive method (e.g., US mail). However, there are state-specific laws on the notification delivery method, so consult with an attorney before sending out any notices.
Train your employees to identify breaches.
Consider the following points for your employee training:
Teach employees what constitutes a "data breach." They should be aware that this might include errors such as inadvertently sending information to the wrong person via mail or email.
Instruct employees to report any event where personal information is accessed, acquired by, or shared with an unauthorized person to you or to a specific supervisor.
Consider providing employees a confidential means of reporting a data breach. This can be particularly useful if your employees might be afraid that reporting a data breach might result in disciplinary action against them or one of their colleagues.
Immediately gather the facts of a potential breach.
Investigate the basic facts surrounding the incident.
Keep a written chronology of what you learn, when you learned it, and from whom.
If your business is short on internal resources, consider obtaining the assistance and guidance of a data forensic expert to assist in your investigation.
Your investigation should try to answer the following questions:
Was the data kept on paper or in an electronic record?
If the data was kept electronically, was it encrypted?
Did the data include names and/or addresses?
Did the data include any financial account numbers or payment card numbers?
Did the data include any birth dates?
Did the data include any Social Security numbers?
Did the data include any other information that could be linked to specific consumers?
How many people's information was included?
In what states did the affected people reside?
In what countries did the affected people reside, and what languages do they speak?
Who (if anyone) acquired the data?
Did the person or entity who acquired it misuse it? Are they likely to misuse it in the future?
If you think you need help, consult with a data forensics team to investigate and determine the full extent of the event.
Notify financial institutions.
Seek outside counsel.
Consider asking the following questions to the outside counsel you engage:
Which state laws apply to the incident?
Would the incident be considered a "data security breach" under those laws?
Am I required to notify consumers of the incident?
Am I required to notify the government of the incident?
If so, which state or federal government agencies must be notified?
If not, should I voluntarily notify my local law enforcement, or the FBI?
Am I required to notify the consumer reporting agencies (e.g., Experian, Equifax, and TransUnion)?
Am I required to notify the payment card companies of the incident?
If notification is required, how much time do I have to issue those notices?
What is required if the affected individuals live abroad?
What information is required in the notification letter?
How and in what format should the notification letter be sent?
Notify affected customers.
Advise them of:
When it occurred
The specific steps you are taking to address the event