Consumer privacy is your responsibility
Recently, Anthem announced that its confidential data was hacked. In March, 11 million customers of Premera lost their information in a security breach. Target agreed to a 10 million dollar settlement over their 2013 data breach. The cost of an average data breach worldwide is around $3.5 million. In the United States, the average cost for each stolen record is $201.
Small and medium sized businesses (SMBs) are beginning to realize how important it is to protect personally identifiable information (PII). PII can include data such as credit card information or social security numbers, but it’s not limited to that information. There are also laws governing what must happen when a breach does occur. Forty-seven (47) states have enacted legislation that regulates what businesses must do. The only states that haven’t done so are Alabama, New Mexico, and South Dakota. You can find Texas’ code in the following section of the law: Tex. Bus. & Com. Code §§ 521.002, 521.053, Tex. Ed. Code § 37.007(b)(5).
Most lack confidence that they know the laws
Software Advice conducted a survey of 180 SMBs. Although it was a small group, you can learn from their findings. They discovered:
- Only one-third (33 percent) of SMBs’ decision makers were confident that they knew the law concerning a data security breach.
- Only 49 percent of the businesses surveyed had a data breach security plan in place.
- Eighty-two (82) percent of the businesses said they encrypt customers’ PII.
One problem that businesses face in a security breach is that they often don’t know about the hack until months later. Hackers rely on this and move quickly once they gain access to a business’s PII. Your business has to notify customers as soon as you find out about the breach, but in many cases, it may be too late to protect their information. All you can do is clean up the mess.
Federal legislation has been introduced
President Obama has introduced federal legislation that outlines a uniform law for the nation, but right now, each state has its own guidelines. Not only do you need to know the law of your state, but also the laws of the states where your customers are located.
If your business in Texas has clients in Montana, then you could face legal issues in both states. Just to note, Montana has some of the most stringent laws in the nation.
The rules you must follow to protect your clients’ info
The most important thing your business can do is to have a plan concerning your customers’ PII. Insurance is also available for your business to cover your financial losses in case the worst happens. Here are some steps you can take for your own organization:
- Know the laws. The website of the National Conference of State Legislatures (NCSL) offers a starting place, but it may be a good idea to get legal counsel.
- Classify your data. This can help you in the next step to have protocols set in place for confidential, secret, or public information.
- Control your data. This includes monitoring smartphone, cloud device, and webmail access. Mobile devices are often the weakest link in the chain.
- Make sure your employees understand “acceptable use” of their work devices.
- Have a response plan. When a breach does happen, you don’t want to waste time working out which people need to be notified and involved.
- You should not investigate the breach yourself. Law enforcement should be called in. You can damage evidence when you try to handle things yourself.
- Understand the encryption keys. Don’t leave the keys in the hands of one person. You may want to work with a security consultant to protect your sensitive data.
Don’t think that because you are a small or medium sized business that you aren’t at risk. Your customers’ PII is very valuable to hackers around the world. They don’t care what the size of your company is. Cyber security threats are very real. Have a plan to make sure your business is protected.