A data breach happens when confidential, private or protected information is exposed to someone who is not authorized to access it. This can be the result of an intentional event, such as an attack by a hacker, or of a security incident caused by flaws in software or systems.
Any company can experience a breach, but the most common causes are employee error and lax security measures. These include unpatched and vulnerable software, weak password protection, users who are easy to phish, and a lack of email encryption. The types of information most commonly exposed in a breach are credit card and bank account numbers, social security numbers, dates of birth, home addresses, and email addresses. Other types of data that hackers steal are intellectual property, business records and strategy, and research and development data.
When a data breach occurs, you must take immediate action to contain the damage and limit further exposure. This should include taking the affected machines offline until forensic experts can inspect them, and removing any unauthorized access. It is also important to review your legal responsibilities regarding data breach notification. All states, and the District of Columbia, have laws requiring businesses to notify customers when their personal information is compromised.
Communicate with consumers about the breach in a clear and transparent manner. Explain how you will contact them in the future and what steps they can take to protect themselves. Many organizations post this information on a dedicated website so consumers can find answers quickly, rather than trying to answer questions via phone or email.