Cyber security breaches of large companies such as Equifax and Target have made national news, but small businesses also often have to contend with security breaches.
In addition to suffering the operational difficulties caused by a breach, a breached business often then becomes burdened with the expense of responding to the breach and of defending legal actions related to the breach. Cyber security can be complicated and difficult to navigate, and even the best security programs are not guaranteed to prevent a breach. However, there are some things that every small business should do before a breach to limit its potential liability in the event of a breach.
Understand your data. The nature of the data in your possession will affect what you may be required to do to protect the data, and so you should take an inventory of the type of data you have. For example, do you have tax information regarding employees? Financial information regarding clients? Usernames and passwords that will permit access to customers’ online accounts? If you have sensitive or confidential information, or personally identifiable information, you would be wise to take careful steps to protect that information from disclosure, and you may be required to take or avoid certain action depending upon applicable law. Therefore, you should assess what data and information you have on your system, so you can then identify your legal obligations.
Identify which laws and contracts affect your security decisions. Businesses in highly regulated industries (such as health care and finance) are governed by legislation addressing security measures, but small businesses outside those industries often are not subject to any comprehensive federal data security law. If your business has personal information regarding residents of some states and foreign countries, those jurisdictions’ laws may require certain steps be taken to protect that information, and failure to take those steps can subject your business to liability in the event of a breach. Moreover, your business may be bound by its contracts with third parties to protect data privacy and security, and if you fail to comply with your contractual obligations, you could end up on the wrong end of a lawsuit claiming breach of contract.
Take reasonable security measures. The FTC has filed more than 60 actions alleging that companies engaged in deceptive or unfair practices related to data security, and private lawsuits alleging damages based on negligent data security practices are on the rise. Defense against these actions will include a showing that the business has implemented and followed appropriate security measures. So, every business should evaluate and implement appropriate security measures. Obviously, if your business is subject to a law or regulation requiring that certain security measures be used, you should be using those security measures, because your failure to do so will expose you to liability. Even if a business is not subject to a law that requires specific security measures, every business should at a minimum use “reasonable security measures.” The question of what is “reasonable” depends on each particular situation, but the following practices are recommended:
- Mindfully take steps to physically and electronically secure data, including by encrypting data, updating/patching software, restricting access, requiring authentication, securing remote access, monitoring for breaches and vulnerabilities, etc.
- Educate employees, including instruction regarding security and privacy policies and plans, tips on how to identify scams and risks, etc.
- Require vendors in writing to use security procedures, and to notify you of security incidents they experience.
- Keep only the data and information you need, pursuant to established information disposal practices.
- Review and update security measures regularly and as needed to address vulnerabilities that may arise.
Make a breach response plan. Just as a business may have an emergency evacuation plan, each business also should make a plan for how it will respond to security breaches. This plan will include not only whom to call when a breach is first discovered, but also how to determine whether and how notification of the breach should be sent to individuals whose personal information has been affected. Putting this plan in writing can save much hassle after a breach, as many state laws require that breach notifications be sent shortly after discovery of the breach. Moreover, many states will forgive failure to comply with specific requirements of their individual state data breach response statutes if your response has been in compliance with your business’ pre-established response plan. Your plan should be in writing and should identify the members of the response team, such as particular internal staff members, attorneys, IT professionals, and insurers, who will need to be notified immediately upon discovery of a breach.
Check your insurance coverage. Not all insurance policies cover cyber security breaches, but most insurance companies offer products that will cover much of the cost of addressing and responding to a breach. Even if a breach doesn’t negatively impact your business’ operations, sending required notices to affected individuals, providing credit monitoring, responding to governmental inquiries and actions, and defending against third-party actions can become incredibly costly. Take the time to review your business insurance policy, and purchase additional coverage if needed.