Your Breach Notification Obligations


Think your small business is immune to a data breach? Think again! More than half of all data breach victims are small businesses, just like yours. And since cyber attacks happen approximately every 39 seconds, it would be best to plan for the unthinkable now.

In past blogs, we have discussed preventing data breaches and how to deter cyber criminals from getting into your network, data, and system to begin with. Now, let’s talk about what your obligations are in the event this happens to your company.

Let’s start by saying what a colossal headache a data breach can be for small business owners, especially those who do not have a dedicated IT team to help them navigate the regulations – both state and federal – after an attack occurs. If a breach happens at your company, talk to an expert as soon as possible to get you back on your feet and seal up any vulnerabilities immediately.

With that being said, here are some steps you should take post attack. Depending upon your industry and service, your breach may have some different scenarios, but here are general guidelines along with some resources that can help.

Secure Your Operations

Once you have become aware that a breach has, in fact, occurred, move quickly to fix any vulnerabilities that initially caused the breach. Containing the breach could take shape in a couple of different ways. One method is to isolate any system(s) accessed by the attacker so you can prevent the breach from spreading to the entire network. Disconnect the breached user’s account. Once contained, start eliminating the threat by reformatting the affected assets and restoring them, or blacklisting an IP address from where the attack originated.

Assess the Damage

Now that the initial threat has been taken care of, it is time to get to work with your legal obligations. It is during this stage of the situation that you will want to talk to some experts who have experience with this type of event. Some businesses hire legal counsel with privacy and data security expertise. In addition to legal help, you may want an IT security team to evaluate the damage.



When your business experiences a data breach, notify law enforcement, other affected businesses, and affected individuals as is required by law. Here is a link that can take you directly to the obligations required under Massachusetts State Law. Your legal counsel can help you with notification including whom to notify, the type of notification, and the time frame that it needs to be completed. For federal laws here is a quick link to your obligations.

Keep in mind that the way that your legal team and potentially your public relations specialist handles the notification process can determine your reputation for years to come as either a company that dealt with a data breach well or one that fumbled the ball.


Once all the parties are notified, it is time to consider recovery. One of the first steps to recovery for many businesses is having a security audit completed. Not only will this tell you where vulnerabilities still lie, but will also help with restoring trust between your brand and your clients. Once all risks, both internal and external, have been identified, your business can reevaluate your security protocols and update where needed.

Have you discussed a plan of action in the event that your business is attacked? Talk to our specialists about what your risks are and how you can both prevent and prepare for a cyber attack. Call Spectra Networks at 978.219.9752 or visit our website.