This post is not meant to be a primer on data breach protocols. Instead, it is intended to raise the issue, create a discussion within your company, and get you (and your leadership team) to think about what to do before a breach and its ensuing crisis happen.
One day, you come into the office and discover that your network has been breached. To make matters worse, your customer data has been stolen. What do you do?
If you work in a midsize business and are part of the leadership team, try not to panic – you will need every ounce of concentration at this difficult time. First, check your procedures manual for the steps you need to take in the event of a network breach. You do have a policies and procedures plan listing the steps your company should follow in the event of a network breach, don’t you?
In the security industry we have a saying: There are companies that know they’ve been breached, and there are companies that haven’t discovered they’ve been breached yet. Simply stated, it’s not IF you’re going to have a network breach, but WHEN.
The decision about what to do is based on the type of business you have and where you are located: United States or another country. This post focuses on the United States and the laws or rules with which you must comply.
First and foremost, alert your customers. Failure to communicate can lead to loss of goodwill, loss of your customer base, and, depending on the size of the breach, loss of your entire business. If you exercise due care and take reasonable precautions that show your organization is acting responsibly, lawsuits may be avoided. Customers appreciate it when you are upfront with them – while they may not be happy about the news, they do understand that data breaches happen as part of doing business in today’s electronic age. Paying for a year of credit monitoring for all affected customers is a very small price to pay to keep those customers.
Compliance issues should be on your mind. Is your company covered under the Gramm-Leach-Bliley Act (GLB), Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability & Accountability Act (HIPAA), or California Senate Bill 1386 (SB1386)? Does your company capture Personally Identifiable Information (PII)? Each imposes a different type of accountability, and each has its own set of stringent steps that a company must follow after a breach occurs. Be sure you are always up to date on the latest laws and rules so that your business stays in compliance and is not subject to a penalty or fine.
If you are a public company, you must comply with SEC guidelines. Depending upon the risk of financial impact, you may or may not be required to disclose the breach that has occurred.
Depending on what type of data records you keep, you may need to notify the local police. If your servers are located across state lines, you may need to contact the FBI. Involving law enforcement may be intimidating, but it may be a necessary step. Your breach may be part of a larger data theft ring, or, depending upon your customers, your data, and possibly your employees, you may be the victim of espionage.
IT departments may not be equipped to handle certain types of breaches, so it’s always a good idea to hire network and information security experts who know how to plug the “holes” that have been created. This may also help avoid future breaches.
Finally, before you even open that “Breach Book,” make sure you have trained your employees about what to look for when opening email messages. This may be a strange thing to add, but remember, many breaches are a result of opening email messages and attachments that should never have been opened. Being careful is the first step to avoiding a breach in the first place. There are some types of breaches that cannot be stopped, but why not keep as many as possible from happening?
Your company may be lucky and never experience a data breach, or maybe you think you’re too small to be a target. But the reality is, all it takes is one spear-phishing or phishing email to open up your network to anyone who might be “just looking” for an easy target. Also consider the disgruntled employee who wants to steal your data and give it to a competitor. This is a breach of a different kind, but still a breach. Humans are the weakest link in the security chain, so remember: all it takes is one broken link to breach your business.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.