Small businesses need to understand their obligations regarding data breach. They need to understand the legal requirements for securing data and notification requirements in the event of breach. In this article we’ll explore why it matters, what laws exist, and how data breach occurs in the first place.
I am just a small business. Why do I even need to worry about data breach?
Unfortunately Cyber Crime is a big business. One that doesn’t care that you are a solopreneur barely scraping together enough to pay the rent, or a small business that is just on the cusp of growth. While the data breaches you hear about in the news are all big companies, don’t let that give you a false sense of security. As a small business, you are not immune to the interest of cyber criminals Quite to the contrary, because they typically do not have as many security protocols in place, small businesses are enticing targets. Because they are easier to hack!
If you experience a breach, the response cost alone could put you out of business. The cost isn’t just upgrading technology, restoring lost information, and notifying clients. It’s the reputational damage to your business that has the potential to kill your sales for years after the incident.
As a small business, are there any laws that affect me?
YES!
According to the National Conference of State Legislatures (NCSL), all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws that require businesses to notify consumers if their personal information is breached.
Under these laws you must disclose a breach without unreasonable delay. This applies to every type of business – sole proprietor, LLC, C Corp, non-profit – regardless of size. The laws specify how the notice must be made and most require that if the data of over 1000 individuals is involved, you must also notify the credit reporting agencies. New Jersey law requires you to notify law enforcement. Pennsylvania law appears to assume you will notify law enforcement without expressly requiring it. Because these laws vary widely from state to state, I encourage all small business owners to look up the data notification requirements for your state.
What if I’m an online business?
Online businesses may gather information from across the United States and even other countries. This definitely complicates breach notification! Rather than trying to meet differing requirements from 50 states and multiple countries, look to the most stringent requirements and follow those for everyone on your list. This may be California laws or the General Data Protection Regulations from the European Union. In fact, the GDPR requires that businesses take action to protect data from the outset, not just notify of breach after the fact.
How does a data breach occur?
Data breaches happen when user behavior and technology weakness is exploited. There are three primary sources of data breach:
- Insider Job – when an employee either inadvertently or maliciously causes a data breach. Approximately 30-40% of breaches are a result of employee error. Often from unknowingly clicking on phising emails.
- Lost/Stolen Data – loss or theft of paperwork, laptops, phones, and even portable storage devices such as external hard drives and USB drives can put data in the wrong hands.
- Criminal Activity – phishing emails, direct attacks (using manual or automated processes to guess passwords), and malware such as viruses and ransomware allow criminals to gain access to data.
What happens when a data breach occurs?
There are many things a cyber criminal can do once they have data. These include:
- Direct stealing – logging into and emptying an individual’s bank accounts, charging on their existing credit cards, using medical benefits, etc.
- Identity Theft – using the personal information of the victim to open new credit cards and rack up huge bills, steal tax refunds, even sell their home
- Sell the information on the dark web for use by other cyber criminals.
How can I prevent a data breach?
The best, perhaps the ONLY, way to avoid a data security breach is to put protocols in place to PROTECT your data. In next week’s blog article, we’ll discuss the PROTECT PROTOCOL™. Using the acronym PROTECT, we’ll discuss many of the ways you can significantly reduce the risk that your business ever falls victim to a data security breach. The majority of these protocols apply to your personal data as well and can help you prevent becoming a victim of identity theft!
If you are a small business owner in Pennsylvania or Maryland and would like to be able to discuss data breach and many other small business concerns with a small business attorney for a flat monthly rate, check out our Business Counsel Membership!