Some are calling 2014, “The Year of the Data Breach”. Every business, regardless of size, needs to be concerned with breaches of private information. It is the fastest growing risk for all businesses in every industry. Data breaches can cost companies millions of dollars. (The Target data breach costs reached $148 million.) However, it’s not just the direct costs related to the data breach and resolution that are of concern. The damage to a company’s reputation and lost sales can be devastating.
Over the past year, there have been a number of high-profile data breaches including Apple®, Home Depot®, Target®, UPS® and Yahoo®; however, these are only a few of the data breaches that have occurred. The Identity Theft Resource Center® lists over 600 breaches in 2014 with over 77 million exposures.
Because many high-profile cases involve large companies being hacked, smaller businesses may believe that they aren’t at as great a risk due to their size. However, many data breaches involve far more basic security lapses such as employee mistakes, inadequate system monitoring or the use of weak passwords. Smaller companies may also be targeted due to having less sophisticated security measures. Beyond system issues, breaches of private information can occur due to improper disposal of hard copy records, loss of a laptop, mobile device or transportable data storage device.
Steps to better manage data and cyber risks
Get organized – Inventory and document the risks your business faces. Identify all the places where your business acquires, uses and stores sensitive information such as website, marketing/sales databases, client/prospect records and human resources. Determine who is in charge of the information and who has access internally as well as third-party vendors. Don’t collect or retain private information that you don’t need.
Get educated – Know the federal and state laws that govern information security and privacy including CAN-SPAM, COPPA, FACTA, US Patriot Act, and Massachusetts General Laws 93H, 93I and 201 CMR. You may even have contractual requirements for data security. Know whether you are in compliance or need to develop new strategies.
Get a handle on business relationships – Do outside vendors have access to your company data and systems for support functions? Does your company work with sensitive client information? Be clear on how agreements and contracts outline responsibility for data protection, confidentiality and privacy. Periodically audit and inspect to ensure ongoing compliance of your vendors. Ensure that you are meeting contractual requirements with your clients.
Get covered - When considering high-profile data breach costs, smaller companies may feel helpless in being able to recover financially; however, cyber insurance aka privacy insurance is available, which can help with the costs of recovery and claims should a breach occur despite your security efforts. Most liability policies provide little if any protection for a data breach situation. Businesses should sit down with their agent to review their current protection and discuss privacy/cyber insurance options. Not all policies are the same, and your agent can help you find the solution that works best based on your level of risk.
Get a plan together – Once you understand the risks, build a plan and establish procedures for how data is collected, stored, accessed and shared. The Massachusetts Privacy Laws require that all businesses that receive, store, maintain, process or have access to personal information have a written information security program(WISP) on how they will protect such data. Having a data breach without having a WISP in place, will only exacerbate the issues a business faces.
Also, develop a plan for how your company will monitor, detect and respond should a data breach occur. Create plans in terms of information technology, legal, financial and public relations so that there is a clear action plan in the event of a breach. The FCC has a helpful online tool called
Small Biz Cyber Planner that can help businesses develop a data security plan.
Through better procedures, training and making reasonable investments to protect electronic systems, you can help your business avoid a data breach. While the specific challenges of data privacy and security are ever changing, the need for having a plan in place will remain constant. No business can afford to ignore the risks because virtually every business maintains some type of personal information. It’s not enough to plan to protect the information; you also need a plan for the financial resources it will take to respond and recover should a data breach occur.
1 The Verizon® 2014 Data Breach Investigations Report
2 The Verizon 2013 Data Breach Investigations Report
3 2013 U .S. House Small Business Subcommittee on Health and Technology, “Protecting Small Businesses Against Emerging and Complex Cyber-Attacks”