increased risk for SMBs in terms of the damages to their clients/customers affected by the data breach. Under many applicable statutes and regulations, companies face exposure simply for the breach, even absent evidence of identity theft. In addition to the potential for consumer lawsuits, other costs can be devastating for an SMB resulting from a data breach:

breach Companies will incur expenses in their efforts to identify and determine the scope of the data breach. This may involve costs to hire a computer forensic company and legal fees associated with this process.

business if the community thinks the company has not taken appropriate measures to protect client information.

uncommon for SMBs to have to shut down immediately following a data breach until the attack can be remediated. While a company's operational system is down, it could lose valuable revenue.

federal rules and regulations require companies in certain industries to provide notifications to customers affected by a data breach, and approximately 47 states have passed some form of a data breach notification law.

and even many state agencies are becoming increasingly active in investigating SMBs following data breaches. Many of these agencies are self-funded; their budgets consist of funds obtained through fines they impose. A government agency (or agencies) with jurisdiction over the SMB or the type of data involved may investigate whether a failure to meet a regulatory or statutory requirement was a factor in the data breach or theft. Additionally, credit card companies payment impose stringent data security and notification requirements, the violation of which can lead to fines, increased fees and even the termination of the ability to accept credit card payments.

breach could occur from within the company, whether as retribution for perceived wrongs, financial gain, or both.
It is important for SMBs to not only evaluate the security of their customers' information, but also evaluate who has access to that information within the company itself. Just as a company restricts its employees' access to checks and financial information, companies must also evaluate the appropriate limits for employee access to information such as customer or employee personal information and account information.

SMBs must particularly guard against two primary mechanisms for data breaches. First, hackers often target point-of-sale systems to access customers' financial information. It is imperative for companies that receive customer financial information to ensure their point-of-sale systems' security measures are compliant with the credit card industry's requirements. Second, companies often find themselves in data breach situations because of a lack of precautions regarding technology (e.g., personal laptops/computers, employee cell phones, etc.). Human behavior and errors still account for about one-third of data breaches. Companies must evaluate the different devices where customer information is stored. Customer and employee information on portable devices should be encrypted, and a company should restrict employees' ability to store customer information on their own individual devices, such as personal computers, cell phones and tablets. The company should also have the ability to remotely wipe portable devices.

In light of the emerging data breach risks and their resulting costs, SMBs should work with their insurance agents or brokers to obtain appropriate insurance cyber attack or data breach. Over the last couple of years, the number of insurance companies writing cyber-liability policies has grown drastically.
The protections and pricing for these policies can vary greatly, but policies can cover the costs associated with hiring a security firm to fix and contain the breach, sending notification to affected customers, and providing defense and indemnity in the event lawsuits or regulatory investigations result from the breach. Some policies also provide coverage for public relations costs and business interruption coverage. Companies should not make the mistake of assuming their commercial general liability policy (CGL) will provide coverage for damages resulting from a data breach. SMBs should proactively work to protect against coverage gaps, ensuring appropriate insurance is in place.

SMBs must also evaluate their vendor contracts. Credit card companies and other financial institutions are now allocating the risk of loss upon vendors and companies whose lax data security led to a data breach. Lawsuits have been filed by credit card companies and banks seeking reimbursement of costs resulting from a company's alleged failure to act appropriately in the protection of customer information.

The costs of a data breach can be devastating for SMBs, so it is important for them to evaluate and utilize their data security practices and processes. A number of different companies provide security audits, although their qualifications vary greatly. These companies can develop strategies and evaluate security procedures on how best to minimize their data breach risk.

Overall, identity theft is the fastest-growing crime in the U.S. and, despite technological advancements, data breaches and cyber attacks are showing no signs of weakening in their frequency and sheer magnitude. SMBs should learn from recent headlines about major national and international companies by evaluating their own internal practices and procedures to minimize these risks.