Smaller businesses who keep data are a major target.
In this day and age the risk of a data breach remains an ever-increasing issue. Smaller businesses who keep data are a major target, especially if that small business deals with client finances, banking information or social security information. As small businesses are trying to compete with the larger companies they open themselves up to additional avenues in which data breaches might occur. This can include, but by no means is limited to, a lost or stolen device, hacking, fraudulent activity, improper disposal of data, errant e-mails, failure to encrypt sensitive data, and even failure to have the appropriate operating systems and data storage.
It is key to take the appropriate steps to protect both your small business and your clients. This can include, but is not limited to, making sure that not only are any mobile devices password protected, but that you can wipe the device if it is lost or stolen. Companies, such as Apple and Microsoft O365, offer systems in which this can be done at the click of a button. Furthermore, there are firewalls and encryption services that can be added to any system to make it harder for hackers to steal important and sensitive information.
Another way to help keep your information safe is to have a plan in place to back up your files and secure information. Whether that be storing your information on site on a server, off-site or in the cloud, make sure the company you decide to utilize has strict and secure protocols and procedures to prevent against hackers.
Legal costs to defend a data breach can be substantial.
If commercial information is compromised, the related damages can also be significant. Ponemon Institute’s “2011 Cost of Data Breach Study: United States” indicated that the cost per record of a data breach was $194 in 2011. This includes the average of both direct and indirect costs. The U.S. Government Accountability Office’s 2012 report “Identity Theft: Total Extent of Refund Fraud Using Stolen Identities Is Unknown” indicated that during the first three quarters of 2012 the IRS identified 642,000 incidents of identity theft.
Stealing information is not just to obtain refunds from the IRS. Cybercriminals are searching for information to gain control over existing financial accounts, steal trade secrets, assume identities for credit or health insurance, engage in third party fraud or access other systems providing more lucrative information. Take for example a CPA’s records; they are a virtual treasure chest for cybercriminals.
What Steps have you taken to manage and limit your potential exposure?
It is important to implement data protection protocols regardless of the size of your business and the type of business. Do you have a Data Breach Response Plan? Here are some things to consider when either developing or revamping your Data Breach Response Plan:
- Do you have compliance documents in place?
- Do you have privacy policies in place?
- Do you have breach notification policies in place and do they comply with state regulations?
- Do you have a Written Information Security Program (WISP)?
- Do you keep proof of employee training?
- Do you keep a comprehensive Defensible Breach Plan?
- Do you properly dispose of all documents and information such as using a reputable shredding or disposal company?
- Are your systems and devices password protected?
- Do you have on-site or off-site backup systems in place?
- If you are using a third-party company to maintain or destroy your sensitive information do you know if they have policies and procedures in place and can you obtain a copy for your records?
When selecting cybersecurity insurance keep in mind that policies which include coverage from the earliest part of an investigation are preferable. Furthermore, when selecting an insurance provider, the following questions are good to keep in mind:
Does your policy cover:
- Privacy liability?
- Regulatory actions?
- Notification costs?
- Crisis management?
- Call center costs?
- Credit/identity theft monitoring?
- Transmission of viruses?
- Theft/fraud charges?
- Forensic investigation?
- Network/business interruption?
- Data loss and restoration?
- Trigger – loss or claim?
- Trigger – defense?
- Choice of counsel for defense?
- Retroactive coverage?
- Acts & omissions of third parties?
- Unencrypted devices?
- Corporations/other entities?
- Territory – outside the U.S.?
- Limitations on location of security failure?
- Exclusions for generalized acts or omissions?
- Exclusions for acts of terrorism or war?
For further questions regarding the protection of your business, please do not hesitate to contact Hunter Business Law.
DISCLAIMER: This blog is for educational purposes only and does not offer nor substitute legal advice. Additionally, this blog does not establish an attorney-client relationship and is not for advertising or solicitation purposes. Any of the content contained herein shall not be used to make any decision without first consulting an attorney. The hiring of an attorney is an important decision not to be based on advertisements, or blogs. Hunter Business Law expressly disclaims any and all liability in regard to any actions, or lack thereof, based on any contents of this blog.