The recent security breach suffered by Equifax is a good reminder of the importance of data security. This article provides some tips for smaller businesses to have effective policies to help secure data, and how to plan for the legal issues that come from a data breach. Big hacks like Equifax’s receive a great deal of attention, but you may not know that small businesses are frequent victims of ransomware attacks, hacks, and other data security breaches. Please understand that data security is a complex issue and this article only provides you with a limited overview of legal questions.
The impact of a data breach will vary with its scope. For example, a breach of a system that doesn’t contain any confidential data may not have significant consequences. On the other hand, if you store confidential product designs, important customer lists, key financial information, passwords, or private data on your customers or employees, the direct costs and ultimate liability could prove unbearable. Not only could you have liability exposure to your business partners, customers, and employees, but federal agencies, such as the Federal Trade Commission, may investigate and impose penalties depending on the information that was lost.
The best way to reduce the legal risk of a breach is to prevent one from happening at all. With that in mind, there are a number of employment and IT policies you can put in place to reduce your risk. Properly drafted employee handbooks and other policies, if followed, can prevent problems. For example, policies can require that security patches and updates for important programs be applied when they become available. You should require regular security reviews, and maintain both server logs and records of the updates applied to the programs you use. Employees should also be required to use a strong, unique password for each work account, to change a password promptly whenever it may have been exposed, and never to reuse a work password for a personal account. (Forcing everyone to change passwords on a fixed schedule is no longer recommended by NIST; in practice it produces weaker, predictable passwords.)
If you don’t have a separate IT department, you can still apply patches and updates to your software when they become available. If you use an outside vendor for IT services, talk to them about automatic security updates and procedures. Reviewing contracts with your partners to be sure that they’re required to update their software and maintain security protocols needed to safeguard your data would also be a good use of your time.
Another technique to reduce potential liability is to limit the amount of data that you store. For example, don’t store credit card data if you don’t need to. If you do have to keep sensitive data, limit who can access it: not every employee needs access to every bit of information you have. Beyond that, encrypt the sensitive data, because many state breach notification laws exempt encrypted data from the notice requirement. Note that the exemption generally does not apply if the decryption key was compromised along with the data, so keep the keys separate from the data they protect.
Most data breaches don’t come from stereotypical hacks. Instead, most are the result of preventable mistakes. For example, a link might come in an email that appears to be from a bank, a business partner, or even someone within your organization. Instead of being legitimate, these so-called phishing attacks are designed to get you to divulge information, most often through a link to a bogus web site that might appear real. The site will ask you to enter your username and password, which the operators will collect and then use for nefarious purposes. Another example, common around tax season, is an email that appears to come from a fellow employee asking for tax information, such as W-2 forms, to be emailed back to them. This can happen in several ways. The account of an employee who would normally ask for that information might be compromised. Or the email address could be just slightly different from the real address used by someone in your organization, for example a look-alike domain with one letter changed or substituted. Once the attacker has the W-2 data, it can be used to file false tax returns or for other identity theft. Finally, portable hard drives, USB thumb drives, and laptops can simply be stolen. If they contain unencrypted data, the thief can use that data or sell it to others.
Good policies and a healthy dose of suspicion can reduce your potential liability in all of these situations. Your employee policies should prohibit sending extremely sensitive information electronically without independent confirmation of the request by phone or in person, using a number you already have rather than one supplied in the email. If the data must be sent, use encryption. If you receive an email asking you to update a password, don’t use the link in the email; instead, go to the applicable site manually by typing its address or using a saved bookmark. Use full-disk encryption on any portable devices that contain sensitive data.
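The look-alike sender addresses described above can be caught automatically before a human has to apply that healthy dose of suspicion. The following is an added example written for this article, not code from the author or the firm; it assumes a hypothetical organisation domain (example.com) and a small constructed employee directory, and uses only the Python standard library. It flags an inbound From: header when the domain is a homoglyph or near-miss of the organisation’s domain, or when the display name belongs to a known employee but the address does not.

```python
"""Flag inbound e-mail senders that impersonate the organisation or its staff.

Added example for this article, not the author's or the firm's code.
Assumptions: the organisation's domain is example.com (hypothetical) and the
employee directory below is constructed sample data.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed directory: lower-cased display name -> the only address that
# name should ever appear with.
EMPLOYEES = {
    "jane doe": "jane.doe@example.com",
    "sam patel": "sam.patel@example.com",
}

# Substitutions attackers use so a domain looks right at a glance
# (rn for m, vv for w, digit 0 for o, digit 1 or a pipe for l).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))


def normalize(domain):
    """Lower-case a domain and fold common look-alike characters."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance (the standard library has no helper for it)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return a list of reasons the From: header looks like impersonation.

    An empty list means nothing suspicious was found.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []

    # 1. Domain checks: exact match is fine; otherwise look for a homoglyph
    #    twin first, then a near-miss within two edits (example.co, exmaple.com).
    if domain != ORG_DOMAIN:
        if normalize(domain) == normalize(ORG_DOMAIN):
            findings.append("homoglyph look-alike of %s: %s" % (ORG_DOMAIN, domain))
        else:
            dist = edit_distance(domain, ORG_DOMAIN)
            if dist <= 2:
                findings.append("look-alike domain %s (edit distance %d)" % (domain, dist))

    # 2. Display-name check: a known employee's name on any other address.
    expected = EMPLOYEES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name %r belongs to %s, not %s" % (name, expected, addr))
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, one unrelated vendor,
    # and four impersonation attempts of the kinds the article describes.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Bob <bob@vendor.net>",
        "Jane Doe <jane.doe@examp1e.com>",
        "Jane Doe <jane.doe@gmail.com>",
        "Payroll <payroll@exarnple.com>",
        "HR <hr@example.co>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "ok")
```

The checks are heuristics meant to route a message for review, not to replace the phone or in-person confirmation the article recommends; they would normally run on the parsed From: header of each inbound message at the mail gateway, and the directory would be fed from your real staff list.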
You should also consider how you can mitigate the potential damage to your business that might result from a data breach. Many standard insurance policies won’t provide sufficient coverage if you suffer a significant breach. Consider adding extra coverage for cybersecurity risks through special riders on your policies. Some insurance policies may even provide professional breach response services to assist you if a breach actually happens.
Another method to mitigate the damage of a data breach is to have a response plan in place in advance. Have a list of phone numbers handy for your IT vendors, insurance agent, and legal help. Keep server logs for extended periods so you can review what happened and determine the scope of the breach. For example, the Equifax breach occurred over a nearly three-month period. If Equifax had deleted logs monthly, it never would have been able to discover the scope of the attack. Be sure that you have a recent backup in case you suffer a ransomware attack, which involves attackers infiltrating your network and encrypting your data so that you can’t conduct business until you pay their ransom. Keep at least one copy of that backup offline or otherwise unreachable from your network, because ransomware will encrypt any backup it can reach, and test periodically that you can actually restore from it. Being able to simply buy a new computer and restore from your backup can greatly limit your downtime. Also, review your contracts with credit card processors and other business partners so you know who to notify and when you need to make the notification.
Finally, be aware that you have obligations to report a data breach. In addition to contractual requirements to notify insurance carriers and financial partners, you need to notify consumers. Almost all states have laws requiring notice to the victims of a data breach. For example, if a data breach involved information on customers in Wisconsin, Minnesota, North Dakota, and New York, you’ll need to examine and follow the laws of all four states. Most state laws only require notification if certain details, such as a name along with an unencrypted Social Security number, credit card number, driver’s license number, or other account number, are compromised, together with any password or access code that would permit access to the individual’s account. Each state also sets its own deadline for providing notice of the breach. Although statutes normally allow time to identify the scope of the breach, written or email notification should not be delayed once the affected individuals are known. Many states also exempt data that was encrypted, making it worthwhile to investigate using encryption software for your sensitive data.
Proper preparation now can reduce the risk of a data breach, and if one happens, can help mitigate damage to your business.
John Gasele is an attorney with Fryberger, Buchanan, Smith & Frederick, P.A., practicing in the area of Employment, Utility, Business, Trademark, and Internet law. This article is not intended to provide legal advice. You should always consult with an attorney about your specific circumstances.