One of the scariest nightmares business owners have is experiencing a data breach at their company. Whether you run a small business or a multinational corporation, you don't want your customers to think their information can't be trusted with your business.
A data breach is the release of secure or private information to an untrusted environment. Data breaches can be intentional, like a hacker attacking the system, or unintentional, like an employee losing a laptop.
Data breaches are costly and potentially disastrous. According to the Ponemon Institute, the average cost of a data breach was $148 per record in 2017. The biggest costs are related to losing customers, and it can take years to regain that trust, if it is regained at all.
Naturally, your best bet is to avoid a data breach by investing in strong security measures and making privacy and security core tenets of your business. This is particularly important if your business handles sensitive information, like Social Security numbers.
If your company is the victim of a security breach, your company’s response can make a huge difference in potential losses. Read on for steps to take after a data breach.
Step One: Evaluate your legal and ethical responsibilities
Before doing anything else, take some time to evaluate your legal obligations. In the U.S. Virgin Islands, businesses are required to report the security breach to customers as soon as possible, without unreasonable delay. Businesses also need to notify the software company that manages the data, if any, and local law enforcement.
Legal requirements alone may not be enough to restore trust with your customers. You're required to notify customers in a timely manner, but if you want to maintain their trust, you may also offer free services, like credit monitoring for the next year.
Step Two: Thoughtfully craft your response
The Ponemon Institute study found that companies that react quickly and notify their customers immediately lose more per compromised record. This is because they often don't have all the facts yet, so customers ask questions the company is still unable to answer. They report too many or too few customers impacted, and then spend just as much time cleaning up the notification error. Make sure you have a thorough understanding of the breach first.
Note that while it takes time to gather the facts, companies should still move quickly. Legal deadlines take priority over public relations.
Step Three: Evaluate what went wrong, and fix it
A postmortem evaluation will help you discover what went wrong, and how it can be avoided in the future. An outside consultant is a great investment to identify exactly how the breach happened and where your company can improve.
Most data breaches occur when technology wasn't applied properly. Businesses need to prioritize privacy and security, and ensure their employees are properly trained and understand the repercussions of failing to use secure systems.
Step Four: Keep customers informed
Your customers want to know you're working to prevent future breaches and keep their data safe. You don't need to share all the details, but let them know you've invested in new tools and developed new policies. You'll likely still lose some customers because of a data breach, but those you've retained, and those you hope to attract in the future, want to know how you'll make protecting their private information a priority.
For more information on data security in the U.S. Virgin Islands, contact an experienced attorney today.
Tom Bolt is Managing Attorney of BoltNagi PC, a full-service business law firm on St. Thomas, U.S. Virgin Islands.