Data Breach in New York State? Here’s How to Report It

Cybersecurity incidents happen fast and unexpectedly, and preparation is the key to managing them effectively. This preparation, which goes beyond basic measures like antivirus software and firewalls, can be the difference between a minor disruption and a major disaster.

Breaches Happen to the Best of Us

No matter how well-protected your business is, data breaches can happen. In 2022, NY corporations reported 25,111 incidents – the nation’s third-highest number of cyber incidents – with estimated losses of more than $775 million.

Proper preparation goes beyond prevention and considers worst-case, “what-if” scenarios. What if sensitive customer or employee data is stolen? What if your systems are locked and a ransom is demanded? What if an employee falls for a phishing email and your network systems get infected, leading to a data breach? What if an employee intentionally or unintentionally compromises security? What if a third-party vendor is compromised, affecting your business?

To prepare for “What-ifs” like these, you need detailed incident response plans, employee training on how to recognize and respond to breaches, and clear communication strategies for notifying affected parties and regulatory bodies, especially for businesses located in New York, or those that hold personal information on New York State residents.

Why?

New York State has strict mandates for protecting personal information and reporting requirements. If your business suffers an incident, understanding who you need to notify—and how to do it properly—can significantly affect how quickly you recover, avoid fines, and retain customer loyalty and trust.

Here’s a step-by-step guide to what you must do to comply with New York’s regulations and respond quickly to every business owner’s worst nightmare.

Step 1: Encourage a Safe Cyber Culture

Your first line of defense against a potential data breach? Your team! Encourage employees to report suspicious activity or anything that seems off—from unusual activity on their systems to strange emails or other odd behavior. Creating a culture where people feel safe and encouraged to bring up suspicious issues means that potential breaches can be caught early before they become more significant problems.

Chat about security practices during team meetings, include it in your internal communications, and keep the lines open for employees to report concerns. This way, everyone stays engaged and aware.

Step 2: Contain the Situation Quickly and Efficiently

Once you’ve confirmed a potential breach, your priority needs to be to contain it. Isolating affected systems—disconnecting them from the network—can help stop the spread, so start here. This step may involve some help from your IT provider since they’ll have the expertise to handle containment without risking further data loss. Think of it as putting a lid on a fire: the faster you act, the easier it is to keep things under control.

Step 3: Is This a Reportable Incident?

Not every breach requires a report, but under New York’s SHIELD Act, if personal data—like Social Security numbers, financial details, or health information—was potentially accessed, reporting is likely required. Here’s a quick way to tell if the breach is reportable:

  • Personal data was accessed without authorization: If there’s unauthorized access to sensitive data, it’s reportable.
  • There’s risk of harm: If the breach could lead to harm, like financial risk or identity theft, it’s reportable.
  • Over 500 New York State residents were affected: Report this to the state and potentially other agencies.

Step 4: Notify, notify, notify

Notify the New York State Attorney General

If the breach meets the criteria, it’s time to reach out to legal counsel. An attorney can guide you on when, how, and exactly who to notify—from the New York State Attorney General to law enforcement. The Attorney General will require details on what happened, what private information was exposed, and what actions you’ve taken.

Although reporting might sound intimidating, it’s a key part of protecting your business and your clients.

Contact Info for the New York State Attorney General:

Notify Affected Individuals as Quickly as Possible

Under the SHIELD Act, you must notify affected New York residents as quickly as possible – “in the most expedient time possible and without unreasonable delay.” While the law doesn’t give a precise timeline, a good rule of thumb is within 30 days. If you need to delay in order to complete forensic analysis or work with law enforcement, document the reasons. The goal is to be transparent and ensure that those affected can protect themselves.

This isn’t just a legal step but a way to maintain trust with your clients, customers, or employees. Be upfront about what happened and what data was involved, offer guidance on the next steps, and provide credit monitoring where applicable.

Pro Tip: Crafting a notification covering all the legal bases is crucial, so if you need help with what to say or when, consider consulting an attorney.


Contact the Division of Consumer Protection (If Needed)

For more significant breaches or those with broader consumer impacts, you’ll have to contact the Division of Consumer Protection.

Contact Info for the Division of Consumer Protection:

  • Phone: 1-800-697-1220
  • Website: Division of Consumer Protection

Involve Law Enforcement if There’s Criminal Activity

If the breach involves criminal acts, like a ransomware attack or theft, get law enforcement involved. Local authorities can coordinate with federal agencies like the FBI’s Internet Crime Complaint Center (IC3) to investigate and prevent further harm.

Reach Out for Guidance—Don’t Go It Alone

Handling a data breach is stressful and complicated. Your first instinct might be to downplay the incident, but as soon as you’ve been made aware of a breach, involve your IT partner, attorney, and insurance agent, and have a PR guy/gal on standby (and get moral support from friends and family).

Log each step of your response, who you contacted, and when. This way, you’ll have a clear record of your response efforts if you need to show compliance. Plus, reporting and transparency show your clients that you’re a professional who has their best interests at heart as well as the greater good. Without reporting, law enforcement won’t be able to investigate the breach, identify the perpetrators, and help recover your data. The bad guys go unpunished, and cyber crime, theft, illegal data sales, and profit-making will continue.

Don’t go at it alone! If you’re a business owner in Orange County, NY, or surrounding counties, Meeting Tree Computer can help you strengthen your defense, help you respond to a cyber attack, and meet compliance requirements. From preparation to prevention, we’re here to keep your business secure. Reach out to us today; together, we can prep your company and team for the “what if.”
