3 Key Factors in Cyber Security Breach Reporting
The Seattle Times recently highlighted just how confusing it can be for companies trying to report a cyber security breach. As a managed service provider, we like to share the three key factors in cyber security breach reporting.
Start with the type of data impacted and the location of those impacted. You need to consider the compliance rules of the state where you do business, the state of residence of those impacted, as well as the federal government rules. Unfortunately there are no universal regulations.
2. Number of Records
In Washington, any breach impacting 500 or more state residents must be reported not only to the people impacted, but also to the state attorney general’s office. This can be done electronically at SecurityBreach@atg.wa.gov.
3. Type of Records
Different laws may apply depending on the type of data impacted. In general, companies have 90 days to report a breach from the date of discovery. However for HIPAA-protected data, that window is only 45 days.
Of course, earlier would be much better for the people impacted. Especially if the date of discovery is long after the actual moment of breach, as happened with the Solar Winds attack. That breach occurred in March but wasn’t detected until December.
Consequences of a Data Breach
Depending on the type of breach, it’s not an exaggeration to say that consequences of a breach can range from fines to the loss of your business. If customer data is stolen, the loss of trust and reputation can put your business at risk, as well as potential liability. Then there’s the risk of your business’s proprietary information and trade secrets being stolen. Plus the costs associated with re-securing your network after the breach, and potentially any ransom that you decide to pay.
An Ounce of Prevention (Instead of a Pound of Problems)
As managed service providers, we sometimes see businesses concerned about the costs of proactive IT support and cyber security. But that cost is a small fraction of what companies pay after an attack to recover their data and reputations.
If you are not proactively protecting your systems and have never been breached, consider yourself very lucky. Then ask yourself if that luck is likely to last in an environment where criminals don’t actually need any hacking skills to breach systems and lock or steal data: They can just buy a kit. SWAT Systems can help with prevention and cyber security breach reporting. Book a meeting or contact us to discuss your business IT needs. You can also download our free Choose IT Support Checklist.