Cyber security is a major issue for any business that keeps digital records of customer and employee data. If a hacker worms his way into your system and pilfers your data, you’re in for more than embarrassment. Victims of the breach can sue you for negligence. Whether you are liable depends on two major factors:

• Were your security protocols reasonable? Courts compare your protocols to similar companies in your industry. If you are found lacking, the court could say you were unreasonable.
• Did you respond responsibly after learning of the breach? Once a breach occurs, you have a duty to notify the affected people, so they can take the steps necessary to limit the damage.

If a breach has occurred, it’s too late to do anything about the first factor. At this point, it is what it is. But you can limit your liability by keeping a cool head during this crisis and taking these five steps:

• Call your lawyer. It may not usher in a feeling of serenity to be advised of the potential legal ramifications, but a savvy business lawyer will be able to get you started on your emergency response plan. It’s always better to have a plan in advance, but if you haven’t pre-planned you need to get clear instructions ASAP.
• Retain a digital forensics investigator. Breon & Associates can put you in touch with a qualified professional who can perform an examination and tell you how your systems were breached and what data the hackers accessed. Knowing the extent of the damage helps as you go forward.
• Fortify your IT systems. If you’re a soft target, you can expect to be hit again. Strengthen your controls by changing all passwords and adding firewalls.
• Communicate strategically. At this point, the reputation of your company is at stake. You cannot put out a rash, panicked statement. But you have a duty to customers, employees, investors, creditors and other stakeholders to provide accurate information in a reasonably timely manner. It is sometimes wise to issue a statement that an incident has occurred, but to wait until you have gathered greater information before issuing a detailed statement.
• Activate or adjust IT monitoring services. In consultation with your IT team, you might consider implementing an early warning system against future breaches by setting up a monitoring service. Having an IT consultant periodically check your systems for unauthorized or suspicious activity can be helpful. If you had already taken this step before the breach, you could ratchet up the intensity or frequency at this time.

A data breach is an inevitable risk in our digital age. That’s why you should also consider data breach insurance. In fact, an insurer is likely to have vital information on preventative steps you can take, and may even require those steps before issuing a policy.