increased risk for SMBs in terms of the
damages to their clients/customers affected
by the data breach. Under many applicable
statutes and regulations, companies face
exposure simply for the breach, even
absent evidence of identity theft.
In addition to the potential for
consumer lawsuits, other costs can be
devastating for an SMB resulting from a
data breach:
breach Companies will incur
expenses in their efforts to identify
and determine the scope of the data
breach. This may involve costs to hire
a computer forensic company and legal
fees associated with this process.
business if the community thinks the
company has not taken appropriate
measures to protect client information.
uncommon for SMBs to have to
shut down immediately following
a data breach until the attack can
be remediated. While a company's
operational system is down, it could
lose valuable revenue.
federal rules and regulations require
companies in certain industries to pro-
vide notifications to customers affected
by a data breach, and approximately
47 states have passed some form of a
data breach notification law.
and even many state agencies are
becoming increasingly active in
investigating SMBs following data
breaches. Many of these agencies are
self-funded their budgets consist
of funds obtained through fines they
impose. A government agency (or
agencies) with jurisdiction over the
SMB or the type of data involved may
investigate whether a failure to meet
a regulatory or statutory requirement
was a factor in the data breach or theft.
Additionally, credit card companies
payment impose stringent data
security and notification requirements
the violation of which can lead to
fines, increased fees and even the
termination of the ability to accept
credit card payments.
breach could occur from within the
company, whether as retribution for
perceived wrongs, financial gain, or
both. It is important for SMBs to not only
evaluate the security of their customers'
information, but also evaluate who has
access to that information within the
company itself. Just as a company restricts
its employees' access to checks and
financial information, companies must
also evaluate the appropriate limits for
employee access to information such as
customer or employee personal information
and account information.
SMBs must particularly guard
against two primary mechanisms for
data breaches. First, hackers often target
point-of-sale systems to access customers'
financial information. It is imperative
for companies that receive customer
financial information to ensure their point-
of-sale systems' security measures are
compliant with the credit card industry's
requirements.
Second, companies often find
themselves in data breach situations
because of a lack of precautions regarding
technology (e.g., personal laptops/
computers, employee cell phones, etc.).
Human behavior and errors still account
for about one-third of data breaches.
Companies must evaluate the different
devices where customer information
is stored. Customer and employee
information on portable devices should be
encrypted, and a company should restrict
employees' ability to store customer
information on their own individual
devices, such as personal computers, cell
phones and tablets. The company should
also have the ability to remotely wipe
portable devices.
In light of the emerging data breach
risks and their resulting costs, SMBs
should work with their insurance agents
or brokers to obtain appropriate insurance
cyber attack or data breach. Over the last
couple of years, the number of insurance
companies writing cyber-liability policies
has grown drastically. The protections
and pricing for these policies can vary
greatly, but policies can cover the costs
associated with hiring a security firm to
fix and contain the breach, in sending
notification to affected customers, and
providing defense and indemnity in the
event lawsuits or regulatory investigations
result from the breach. Some policies
also provide coverage for public relations
costs and business interruption coverage.
Companies should not make the mistake
of assuming their commercial general
liability policy (CGL) will provide
coverage for damages resulting from a data
breach. SMBs should proactively work to
protect against coverage gaps, ensuring
appropriate insurance is in place.
SMBs must also evaluate their vendor
contracts. Credit card companies and
other financial institutions are now
allocating the risk of loss upon vendors
and companies whose lax data security
led to a data breach. Lawsuits have been
filed by credit card companies and banks
seeking reimbursement of costs resulting
from a company's alleged failure to act
appropriately in the protection of customer
information.
The costs of a data breach can be
devastating for SMBs, so it is important
for them to evaluate and utilize their
data security practices and processes.
A number of different companies
provide security audits, although their
qualifications vary greatly. These
companies can develop strategies and
evaluate security procedures on how best
to minimize their data breach risk.
Overall, identity theft is the fastest-
growing crime in the U.S. and, despite
technological advancements, data
breaches and cyber attacks are showing
no signs of weakening in their frequency
and sheer magnitude. SMBs should
learn from recent headlines about major
national and international companies by
evaluating their own internal practices and
procedures to minimize these risks.