The steps are extensive and can't be answered here with any measure of complete authority. You need to hire a business attorney with experience in data breaches as almost every state (and New York City) has notification statutes. Failure to notify as required is costly and opens the business to a slew of government actions and private suits.
I hope you have a written data breach plan. That is the first document to review, and you should follow its steps. If you don't have one, that is something else for your attorney to implement. The plan and your steps should include notification of the person responsible for the plan, investigation of the breach, actions to stop the breach, investigation of your legal requirements (this will involve the residency of each affected person), development of the communication strategy, notification of the affected persons, and then review and implementation of policies for your next information security incident. In short, you have lots to do and this will require legal advice.
Here is a brief overview by the FTC http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html. Sorry about the problems and good luck. Make sure to implement a written plan after this matter is resolved and notified as required.
This answer is for informational purposes only and is not legal advice regarding your question and does not establish an attorney-client relationship.
I think my colleague here offered an excellent overview. While there are certainly regs on the books in many places that will require you to notify, you should not need the law to tell you that it is only proper to let those affected know in case it may matter to them.
If the hacker is located abroad there is little you can do to stop them at this point other than implementing your own better safeguards. You may need to report the matter to the authorities in any case as well as putting your insurance carrier on notice if you carry any.
The law firm of Natoli-Lapin, LLC (Home of Lantern Legal Services) offers our flat-rate legal services in the areas of business law and intellectual property to entrepreneurs, small-to-medium size businesses, independent inventors and artists across the nation and abroad. Feel free to call for a free phone consultation; your inquiries are always welcome: CONTACT: 866-871-8655 Support@LanternLegal.com DISCLAIMER: this is not intended to be specific legal advice and should not be relied upon as such. No attorney-client relationship is formed on the basis of this posting.
Let's think about what can happen after you notify your customers. I suppose they can band together and institute a class action against you for failure to: 1) adequately protect their info and privacy and 2) promptly notify them.
The class in both cases might be limited to a state by state basis due to a difference in state laws.
If you failed to adhere completely to your agreement or disclosures to them, that could be a problem. If you failed to meet the standards in the industry for protecting this info, that could be an issue. I do not know how your website was targeted and hacked.
Damages might include losses that were unrecovered on their credit cards, cost of canceling and re-opening accounts, other ID theft issues, cost of credit reports, cost to correct credit reports, damage to credit and reputation etc. As these might differ from case to case, it could undermine a class action.
You might consider shutting down the website, as the hacking could be continuing. This could become an issue in litigation: how quickly could you either put in additional protections or get a new website up?
It sounds like you did not have a data protection plan. Hopefully you had insurance to cover liability that might arise from hacking of your web-site. Even if you have insurance, you have to take immediate steps, in coordination with law enforcement, to minimize your losses and the losses of your customers. Your first step must be to retain experienced intellectual property/business/privacy counsel to represent and advise you. You cannot handle this properly without counsel, and your investment in counsel will without question save you from potentially disastrous financial liability.
One of the most important issues is whether you have taken immediate steps to protect your web-site from hacking. This may require you to take down your web-site until you can rebuild it with appropriate security protections. You have a duty to mitigate not only your own damages, but the damages of your customers. This means you need not only legal counsel, but expert technical support to help guide you as to how to mitigate the loss.
Sorry that this happened to you. This is an epidemic, particularly among businesses that have not worked closely with IP and business counsel to adequately develop the legal foundation for their web-site operations. Going forward, you need a data protection plan, you need to procure insurance that covers you in such situations, and most importantly, you need to bring in a team of IP/business/corporate lawyers to review the entire legal foundation for your business. It certainly seems from your question that you set up this web-site without appropriate safeguards, and if you want to stay in business you can no longer afford such short cuts.
I recognize that this is not your fault; you are a victim. My sympathy is with you. But from a cold business and legal perspective, you need to get your house in order to minimize the possibility that this happens again.
Ask your IT person, or if you have none, try a new US-based host and let them know your problem and your need to be more secure. Be proactive. If you don't know this stuff, hire an Internet security professional. There are thousands available. They need to be good because the hackers are usually even better, but the hackers usually go for the low-hanging fruit, so make yours harder and they will likely bypass it for easier prey.
I am not your lawyer and you are not my client. Free advice here is without recourse and any reliance thereupon is at your sole risk. This is done without compensation as a free public service. I am licensed in IL, MO, TX and I am a Reg. Pat. Atty. so advice in any other jurisdiction is strictly general advice and should be confirmed with an attorney licensed in that jurisdiction.