Cybersecurity is an increasing risk for businesses and consumers. A simple glance at the recent news headlines, and Congressional Testimony by Mr. Zuckerberg, drive home the ever-increasing peril that businesses face because of the data that they collect, and store through the normal course of operations. The United States relies on a state-by-state framework for most cyber laws and regulations, meaning, they allow individual states to determine laws and regulations to protect consumer data and cybersecurity for both consumers and for businesses.
New, cutting-edge technology isn’t enough to protect your business – it must be paired with a strong data management policy and cyber breach policy to sufficiently protect your business and work to minimize liability. The policies your business adopts should include data management, data disposal and data breach response plans to name a few.
1. Identify your business’s most important assets.
Not all businesses are the same. This is equally true for the type of information they obtain and store or use in daily operation. By identifying which information your business collects and maintains in all operations, you can identify where your vulnerabilities lie and assess how to properly safeguard your business from risk. Some often overlooked data includes employee social security numbers and birth dates, customer credit or debit card numbers and ECH payment information.
2. Draft procedure for properly storing and disposing of information.
In your business’s data management policies, the procedure for storing, handling, maintaining and disposing of data properly should be clearly defined. Implementing a universal, standard practice for these procedures can get all employees and partners on the same page and prevent uncertainty in executing data management tasks in the future.
3. Define responsibilities, training, and compliance.
It’s best for everyone to understand exactly who is in charge of the security of your business and the protection of your consumers’ information; otherwise, things are often left “up in the air.” Once it’s understood which teams or members are in charge, ensure they receive the proper training and stay up to date with legal regulations and laws regarding compliance and safeguarding and handling of your company’s data.
4. Prepare a plan of action to respond to data incidents.
The only thing worse than thinking that nothing bad could ever happen isn’t when it happens – it’s being unprepared to handle that bad scenario. Even if you think your security systems are top-notch, it’s naïve to believe that a data breach can’t or won’t happen. Detail specific scenarios and prepare written responses and step-by-step plans of action to avoid a messy PR crisis later – and to ensure it complies with state law.
Common ways businesses mishandle sensitive information:
1. Mishandling disposal of information and data
Businesses can face liability simply because they improperly dispose of information, including failing to shred receipts and other documents before throwing them away. Even if a business throws away a document containing information that has since expired, the business can still face legal action – from the state or from private parties. According to Chapter 35 of the Texas Business and Commerce Code, businesses are required to develop retention and disposal procedures for their clients’ information.
2. Improperly safeguarded databases
In addition to potentially mishandling information, businesses can be liable for negligence for failing to properly safeguard databases and web pages where customers submit personal information. Privacy policies and terms of use policies for your business and website are items a credible business attorney can provide to help protect the business.
Liability for Texas businesses for data mismanagement and cyber breaches
Businesses of all shapes and sizes should review their current practices for handling and disposing of data so they can prevent personal information landing in the wrong hands – and to avoid strict penalties.
According to the Texas Identity Theft Enforcement and Protection Act, any entity conducting business in Texas must inform customers when data has been compromised as a result of a data breach. For data breaches involving more than 10,000 consumers, businesses are required to inform consumer reporting agencies.
Violating this act makes a business to be liable for a civil penalty, ranging from $2,000 to $50,000 for each violation (up to $250,000 in total civil penalties can be imposed – this is in addition to any damages one faces from a lawsuit). Additionally, businesses that give consumers specific reassurances about the protection of their privacy can face penalties of up to $20,000 per violation if they fail to live up to their promises.
Texas law requires businesses to implement and maintain reasonable procedures, including taking appropriate and corrective action to protect consumers against unlawful use or disclosure of “sensitive personal information” collected and maintained during the course of business. “Sensitive personal information” is defined as a person’s name in combination with his or her social security number, driver’s license number, financial account information, or healthcare information if the information has not been encrypted.
However, a problem exists within the statute – there exists no definition for “reasonable procedures” or “appropriate corrective action,” leaving businesses to interpret the law’s wording without any legislative guidance. As such, you need to follow industry best practices for the particular area involved – for credit card data that means following PCI standards.
Without concrete guidance from Texas courts, businesses should take extra precautions, given the size of statutory penalties. It’s recommended that businesses consult with other parties, including an attorney, and seek guidance in implementing policies, safeguarding information, and obtaining business insurance. Feel free to contact me if you need assistance reviewing your current policies or for a referral to an IT professional.