7. If Customer Data is Stolen or Lost — What to Do Next

A small business must respond quickly if sensitive customer information is lost or stolen. Among other things, you may need to notify the affected customers and state and/or federal regulators. This process will run more smoothly if you have taken steps to prepare in advance of a data breach by creating and publishing your breach notification policy, and by ensuring that your employees are trained to identify and report potential breaches soon after they occur.

Getting Started

  1. Create a data breach notification policy.
    A data breach notification policy tells consumers how your small business will notify its customers if a data breach occurs.
  2. Train your employees to identify breaches.
    Employees need to know how to spot a potential breach and how to report this type of event.
  3. Immediately gather the facts of a potential breach.
  4. Notify financial institutions.
    If financial information, such as payment card numbers, was compromised, contact the bank or company that manages your payment card processing.
  5. Seek outside counsel.
    Seek attorney assistance as soon as you become aware of an incident that might constitute a data security breach. Your attorney can help you identify which laws might be involved, and whether you need to alert consumers or the government of the incident.
  6. Notify affected customers.
    Notify customers in the manner you said you would in your Data Security Policy.

40% of data breaches occur at the small business level.

Source: 2013 Verizon Data Breach Investigations Report