In recent years, many of the biggest companies in the world have been victims of major data breaches. During that same time, thousands of small- and medium-sized businesses, including non-profit organizations, have also had their data compromised. Whether your organization is large or small, it’s critical that you are prepared for a data breach. These steps can help.
Step 1 – Create a Breach Response Team.
This cross-functional team will coordinate efforts across your company and be the primary contact if a breach occurs.
Step 2 – Assess your data.
It’s critical that you know what information you’re storing so you can respond appropriately. You need to identify the following:
- What type of data are you holding for your members, contributors, employees and vendors?
- Where is that data stored?
- Which systems handle this data, and are they kept current with security patches and protective controls?
- Which team members are responsible for each of those systems?
- Do any third parties handle your member data?
Step 3 – Assess your obligations.
Now that you better understand the sensitive information you have in your data files, you need to determine what requirements you have to meet in the event of a breach. Who are you required to notify? How soon do they need to be notified?
Step 4 – Create a contact list.
Identify stakeholders that you need to reach out to immediately:
- Team members you need on deck.
- Legal advisors who can ensure you’re meeting all your obligations.
- Key contributors and partners who need to be informed or consulted.
Step 5 – Create a communication plan.
The sooner you alert your members, the better the long-term outcome. You need to identify:
- How and when you will alert your members.
- How you will address your key contributors.
- How you will release this information to the media.
Step 6 – Don’t panic.
As long as you’ve taken the above steps, if a breach does occur, your response should be automatic:
- Contact your breach response team and let them take point.
- Identify the data that has been compromised and take immediate steps to stop the breach and/or take the data offline.
- Contact your legal advisors to ensure you are taking all necessary legal steps.
- Alert all stakeholders (members, vendors, contributors, etc.).
- Follow your communication plan.