With the number of data breaches in recent years, and thanks to stronger federal and state privacy laws, it is becoming more and more common for consumers to receive a breach notification letter in the mail. These letters provide information about the breach and may even contain one-size-fits-all fraud prevention measures, but they won't explain the real risks you face or give you a custom plan of action. But what do you do if your business has been affected by a B2B data breach? The answer depends on two things:
- What kind of organization had the breach
- What kinds of information were exposed
“A data breach occurs when there is an unauthorized entry point into a corporation’s database that allows cyber hackers to access customer data such as passwords, credit card numbers, Social Security numbers, banking information, driver’s license numbers, medical records, and other sensitive information.”
― Nicole Martin, Forbes magazine
Step 1: Find out what information was breached
If you receive a B2B data breach notification letter, it may tell you what types of information were exposed, but it may not give you the full picture, for a couple of reasons. First, businesses (especially those in the B2B space) are wary of bad press and legal liability and typically won't give out more information than they have to, and breach notification requirements vary from industry to industry and state to state. Second, new privacy laws set shorter and shorter deadlines for breach notification, so letters go out early, and new information sometimes comes to light weeks or even months after a breach is first discovered.
You might also hear about a data breach in the news before you receive a notification letter. If so, news coverage may include a web address where you can go to find out whether your information may have been exposed, as happened with the 2017 Equifax data breach.
In either case, it’s always a good idea to watch the news as the story develops. It’s not uncommon for more information to come to light over a period of weeks or months. In the meantime, take the breach notification letter or news stories as a starting point and then assume the worst.
To help guide your defense plan, think through all the information and customer or employee data that the impacted organization has on your behalf. Ask yourself:
- Where else do you or your team members use the same username and password that might give criminals access to other accounts?
- Did the organization house any of your employees’ payroll information, such as banking information, or their personal identifying information?
- Did they have any personal information of your customers, such as Social Security numbers, banking information, or physical location information?
- What payment methods did you store with them?
- Were they storing your or your customers’ or employees’ health data?
- Did they archive personal communications or photos that could create a dangerous situation for any of your customers or employees?
You can also use dark web monitoring to track who is buying or selling your customer or employee information, which supports a more proactive approach. For example, a dark ops team can help you find information for sale on the dark web that was collected from a B2B data breach and that affects your business more directly.
All of this information could be used to hijack your customers' or employees' identities or used against you in other ways. It is important to know what information may have been exposed so you can take steps to mitigate harm: for example, changing passwords on other accounts that use the same credentials, and notifying the people in your business who are affected.
Step 2: Organize the information that was breached
It is important to remember that even if your company was not directly breached, if you store customer information or data with an outside vendor (such as an ITSM provider, credit card servicer, etc.), you may have a legal obligation to disclose the breach to your customers as well. For example, proposed SEC rules would require a company to notify customers (and other at-risk parties) within 96 hours of a material breach. For this reason alone, knowing what information is stored with the breached company is critical to informing your next move.
The personal information exposed in a data breach will typically fall into three broad categories. Take a look at your list of shared information and sort it into the following categories:
- Financial information: Information tied to credit cards, bank or brokerage accounts, money market funds, loans or lines of credit, etc. This also includes Social Security numbers, which are tied to retirement benefits, taxes, and refunds, and sometimes veterans (VA) benefits.
- Medical information: This can include health plan numbers and member IDs for private insurance or Medicare/Medicaid, as well as information about medical conditions and treatment.
- Other personal or identifying information: This includes all kinds of personal details that may not be protected by privacy law but that might be used to con, coerce, or embarrass a breach victim. Such information can also be used in phishing attempts to scam you, your family, or business contacts into giving up personal information, or even to cause physical harm to your executives.
Now that you have categorized what information the organization had access to, you can focus on the specific steps to take to protect yourself for each category.
Step 3: Create or follow your company's breach response plan
No company is breach-proof, but knowing what to do in a B2B data breach scenario is of utmost importance. Your breach response plan should include the necessary steps to take in the event of the theft of financial, medical, or other personal identifying information, as broken down in the prior step. During this step, you should notify your company's legal counsel and a breach response vendor.
A breach response vendor will help you navigate incident preparedness and the steps your business takes after a potential data breach has been detected. These steps include thorough detection, identification, and containment of the breach, as well as an appropriate and scaled response plan for the impacted population.
Additionally, a breach response team is knowledgeable about your legal obligations to your customers: what you need to disclose, to whom, and by what date to stay in compliance, even if your company was not the one directly breached. They will help you understand whether the breach poses a real threat to your business and what the subsequent steps are.
No one is breach-proof, but you can be prepared
Unfortunately, data breaches will happen. No matter how careful your company is and how strict your cybersecurity measures are, the adversary is always looking for a way to get their hands on your customers' and employees' information. In fact, the number of data breaches rose 68 percent last year to the highest total ever. But that does not mean you have to be a stationary target.
Combined with an external cybersecurity strategy, your breach response vendor can help you prepare for the worst and navigate how to protect your digital assets, customers, employees, and ultimately your brand. Learn more about ZeroFox Breach Response and talk to a member of our team.