Business Data Breach & Customer ID Theft
By Susan Buckner, J.D. | Legally reviewed by Aviana Cooper, Esq. | Last reviewed June 06, 2024
In today's computer-based world, we tend to think of a data breach as something that only happens online. When hackers break into a database and steal passwords and personal information, that is a data breach. In fact, any security incident that results in unauthorized access to sensitive or confidential information is a data breach. If a thief breaks into a medical office and steals hard copies of patient files, it is as much a data breach as files removed from a computer.
However, cybercrime may cause more harm because it is harder to spot. Signs of a physical burglary are obvious, but a customer data breach can go undetected for a long time. An IBM report released in 2023 found that it takes an average of 277 days to identify and contain a data breach. This is time small businesses do not have.
This article reviews the types of data breaches, ways to reduce your risks, and how to respond if a breach occurs. Your state may require you to notify the attorney general's office, a cybercrime response office, and your customers.
What Is a Data Breach?
Business data breaches go beyond mere identity theft. Identity theft is what happens after cybercriminals attack a business. If a business collects customer information, such as addresses, credit card numbers, or Social Security numbers, it is a target for criminals. The criminals sell the stolen data on the dark web to others who commit fraud and theft.
Any business that gathers this information must take strong security measures to protect the data. You will be liable for any breach that exposes your customers to data loss. Some common types of data theft include:
- Unauthorized access by an outside party: This may be accomplished through the use of malware, spyware, or hacking.
- Unauthorized internal access: This is when an inside party deliberately reveals sensitive data to an outside party.
- Device theft (card skimming): Data thieves fit "sleeves" over card readers at bank ATMs, gas pumps, and other locations to read the magnetic stripes of cards inserted into them. These sleeves store the stripe data, which the thieves later load into a card writer at another location. Thieves use the cloned cards to purchase goods or load cash cards until the real owner notices the theft.
- Ransomware attacks: In one of the newer data theft tricks, thieves target the computer system rather than the data itself. They infect the business's system with malware that blocks access to its files until the business pays the criminals a fee to restore it.
Small business owners can avoid many of these cyberattacks with robust antivirus software and some practical internet security policies. For instance, malware generally has to be introduced into your systems, for example through an infected download or email attachment, before it can run. Employees should not open suspicious emails or install unauthorized apps on business computers. These simple practices can prevent the majority of cyber threats today.
Responding to a Cyberattack
If your business is a victim of a dedicated cyberattack or a data breach, there are steps you should take to protect yourself and your customers. Before you have a breach, you should set up a breach response team. The Federal Trade Commission (FTC) has a business information page for handling data breaches. You can also contact the Small Business Administration (SBA) or other business resources.
Secure Your Operations
The first thing you must do is contain the source of the breach. Your data breach response plan should include a method of physically and electronically isolating the affected location or systems. Depending on your business needs, you may need to take some equipment offline. You will need computer forensics experts to determine the cause of the breach.
Once you locate the breach, do not power down the affected computers or other equipment. Shutting them down may destroy evidence that investigators need to find the source. Keep a written log of any passwords or other authentication credentials you change during the response.
Notify Appropriate Agencies
Call local law enforcement at once. They need to know about the potential for identity theft. If they are unfamiliar with computer crimes, contact the nearest FBI or U.S. Secret Service office. Other agencies you may need to contact include the U.S. Postal Service, the FTC, the major credit reporting agencies, and, if the breach involves medical records, the Department of Health and Human Services (HHS).
Notifying Customers
All states have laws requiring a breach notification to your customers as soon as practical. Law enforcement may delay the notification so it does not impede a criminal investigation. You should designate a public relations contact person to deal with questions and the media.
Your breach notice should state at a minimum:
- What happened: Disclose the nature of the breach, how you discovered it, and what steps are being taken to correct the problem.
- What information was involved: Reveal the type of data damaged or taken, such as financial information, medical files, or related data.
- What we are doing: Indicate how the business is working with authorities to correct the problem, the agencies involved, and what other steps are being taken to protect customer data.
- What you can do: Provide information the customer can use for their own data protection, information about cybersecurity providers, and ways to protect their information already out on the internet.
- A "more information" section: Include a contact section for your business, the local agencies working with you, and the FTC and other agencies relevant to your case.
You may also want to provide updates for your customers as the case progresses. Assure your customers you will work with them if the harm progresses to identity theft and they have issues with credit monitoring agencies later.
Notifying Other Businesses
If you have data breach insurance, you must notify your insurance carrier about the breach. If your business maintains data for other companies, you'll need to notify them as soon as possible so they can begin their own damage control measures. You may also need to contact banks and credit monitoring centers so they can watch for fraudulent activity on your accounts.
Preventing Data Security Breaches
It's easier to avoid data breaches than to clean up afterward. The IBM report released in 2023 found that the average cost of a data breach was more than $4 million, mainly due to lost business revenue and the costs of detection. The longer a breach takes to find and fix, the more it costs your business. The FTC recommends these steps for avoiding data breaches before they cost you time and money.
- Know what data you have and where you have it: Too many organizations have sensitive information on laptops, flash drives, and tablets that travel from home to office and back. Restricted information should remain in one secure location.
- Minimize duplicate data: You should not have multiple copies of customer data anywhere. You should destroy paper files and wipe unused computers before disposing of them.
- Lock everything down: Strong passwords are not enough. Nor is forcing staff to change their passwords every month; that usually means people write the new password on a note on their desk. Better methods include good firewalls, two-factor authentication, strong encryption, and a good IT department.
- Plan for a disaster: Keep abreast of changes in the cybercrime world. The current trend of ransomware attacks is not limited to big, wealthy corporations. Know how you want to respond to a security breach before it happens.
Contact a Business Attorney for Data Breach Concerns
An increasing number of laws and regulations about data privacy are in effect. If your business deals with customer data, you must comply with all these laws. If you're unsure which ones apply to your business, speak with a business and commercial law attorney. They can advise you about the laws in your state and put their expertise toward keeping your business safe in the future.