Less than two months ago, Equifax Inc. reported a data breach, which potentially impacted over half of the U.S. population. Because Equifax is one of the three major credit reporting agencies, the scope of the cyberattack was unprecedented. The data breach spurred multiple class-action lawsuits, legislative action and public outrage.
The Equifax breach was not the first major security breach involving confidential personal information, and it certainly will not be the last. For the perpetrators of these cybercrimes, the financial incentives are too great to pass up. Among other things, hackers profit from stolen personal information by selling it to third parties. Particularly valuable are Social Security numbers and driver’s licenses.
According to CNN Money, packaged information of the type stolen from Equifax potentially sells for as much as $30 per identity. Considering both the breadth and quality of the data compromised in the Equifax breach, the perpetrators could be looking at a major payday.
Cybercrimes like the Equifax data breach generally have two primary victims. Consumers are the obvious victims, but the company or entity entrusted with the data is also a casualty in this criminal act. Although both parties are victims, a business’s position between the hacker and the consumer impacts how it can and should address such a theft.
At this time, federal oversight over many aspects of data privacy is relatively limited, focusing primarily on specific sectors or federally regulated industries. Laws designed to address and counteract cyber threats more generally, like the Cybersecurity Information Sharing Act of 2015, have been criticized for potential invasions of privacy. In Hawaii, businesses should be aware of the state’s breach and consumer notification laws that outline when a cyberattack is reportable.
Preparation is key
To help institutions identify risks and determine cybersecurity preparedness, the Federal Financial Institutions Examination Council has published a Cybersecurity Assessment Tool. Although designed primarily for financial institutions, the basic principles apply to many businesses.
Key components of the assessment include the ability to identify connections made to the internet, determine when a breach may have occurred and assess what data was compromised.
Businesses should consider putting the following into place to prepare for a cyberattack:
>> Incident response or crisis plan. Response plans provide for business continuity, a process for notification of the data breach, and a media and public relations plan.
>> Vendor management program. These programs ensure vendors have strong data privacy controls, give the business the right to inspect vendors’ cybersecurity programs and require timely notice of cyber breaches.
>> Cyberattack drills. Businesses should run periodic drills to test their cyber defenses.
In today’s world, it is likely not a matter of whether you will be the victim of a data breach, but of when. If you are a business owner, taking steps to protect yourself and the private information your company holds can help keep you ahead of the curve when it does happen.
William Harstad is a partner in the litigation and alternative dispute resolution practice group at Carlsmith Ball LLP. He can be reached at wharstad@carlsmith.com.