One thing that a mom-and-pop small business and a giant corporation like Target have in common is that they are both potential victims of data breaches as a result of cyber criminals taking advantage of poor security protocols. It is no longer a matter of the company’s size; rather, it depends upon whether or not criminals think that there is juicy data to be had. If so, they will attempt to seize it, or possibly prevent you from using it through a lockout type hack. It is now imperative for any business to have a data security plan in place to make it as difficult as possible for these attackers to access sensitive information. This includes having a proactive and reactive plan in place for any such scenario.
What is Data Security?
Data security is the protection of data stored on computers, databases, and websites. This data can be anything from credit card information, personal client information such as e-mails and passwords, medical records, social security numbers, or any other sensitive information about a client or employee that your business collects and stores.
But, as we all know, such security measures are not as simple as wrapping a chain around a computer and clicking a padlock shut then calling it a day. There are many variables that can affect the overall data security of a business ranging from weak passwords, vulnerable Wi-Fi connections, email scams, out of date operating systems, failing to install necessary software patches, or even disgruntled current or former employees.
Why is it data security important for businesses?
Unfortunately, many small businesses feel that their small size will make them less likely to be targeted by cyber-criminals. Fox Business states, “Almost half of cyber-attacks worldwide, 43%, last year were against small businesses with less than 250 workers, Symantec reports.”
The Texas Identity Theft Enforcement and Protection Act requires any person or business conducting business in the state to safeguard such sensitive information otherwise they can accrue massive penalties of up to $250,000.
Naturally, such penalties could destroy a small business practically overnight. But, even if you were able to take such a hit, the reputation of your business is at stake. Any client confidence will instantly evaporate not to mention current and potential employees who will feel less safe about their information being handled by your company. For example, as a result of Target’s 2013 massive data breach, consumer confidence was crippled and profits dropped by 46% during their fourth quarter. If this had happened to a smaller business it’s safe to assume what the result would be. In addition, Target may still be facing millions in additional fines and legal fees for years to come as the various states, yes each state has its own laws, penalties and enforcement mechanisms, sift through the damage caused by the breach and either reach a settlement with Target or begin legal proceedings against Target.
What can I do about my data security?
A lawyer’s best advice may be to protect data with cost-efficient but highly effective solutions like risk-reducing policies, practices (See my previous blog on Best Practices for Protecting Customer Data), training, and organizational structures.
Many data protection rules provide road maps to compliance. A lawyer can use these roadmaps and guidelines to develop data protection plans to meet the related obligations that depend on the business and their respective industry. A necessary first step toward meeting data obligations is for both the lawyer and client analyze specific compliance material and guidance offered by the entity charged with enforcing certain data security obligations. Whether it’s the PCI DSS, SEC, FFEIC, HHS, FCC, FTC, or the states where you operate, these entities will give the most specific instructions on how to comply with relevant data security requirements.
The U.S. government also publishes its own set of standards for data security, published by the National Institute for Standards in Technology. NIST provides useful protocols, sample security regimes, and white papers on important data protection practices. While often too detailed and expensive to be implemented in whole cloth by smaller companies, the NIST standards are a good place to learn how to think about data security, and to see how to protect vulnerable aspects
Some of the helpful NIST publications include guidelines for securing wireless local area networks, supply chain management practices, and how to use cryptographic key management systems.
An experienced attorney’s insight is critical in designing a protection plan that meets the client’s obligations, including preparation of the policies, procedures, and worker/ executive training necessary to carry out the plan, and documenting the decisions that make up that plan, while taking into account the practicalities that are unique to each client.
Nearly every U.S. state and territory have laws regulating the treatment of consumer data and imposing obligations upon businesses who expose such data so that anyone regularly interacting with consumers should be aware of the applicable laws and what these laws require. States interpret these laws to protect the data of their residents, so the residency of the affected consumer will determine which laws apply, not the location of the business exposing the data. In fact, some states not only impose penalties if the data is taken but also require that you notify clients/customers when you detect a mere system breach even if the data was not accessed. Fortunately, Texas law requires notice when “covered data” is compromised – generally personal identifiable information, such as social security number, or bank account information.
The U.S. Federal Trade Commission (FTC) has starkly argued that failure to protect consumer data is “an unfair and deceptive” act on behalf of a business, and state attorney generals have also sued to compensate the consumer victims of data theft. Banks and credit card companies nearly always fine a business for exposing card data.
As small businesses begin to understand their roles when it comes to protecting consumer data, proper research should be conducted before selecting a service, and then work with that service to migrate client data into a secure, safe environment. However, without a data security policy in place, your business will still be open to vulnerabilities.
Should you have any other questions or concerns regarding your data security policies, please contact me.