BreachExchange mailing list archives

Consumer privacy is your responsibility: What most small businesses don’t know


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 30 Apr 2015 18:57:46 -0600

http://agbeat.com/tech-news/consumer-privacy-is-your-responsibility-what-most-small-businesses-dont-know/

Recently, Anthem announced that its confidential data was hacked. In March,
11 million customers of Premera lost their information in a security
breach. Target agreed to a 10 million dollar settlement over their 2013
data breach. The cost of an average data breach worldwide is around $3.5
million. In the United States, the average cost for each stolen record is
$201.

Small and medium-sized businesses (SMBs) are beginning to realize how
important it is to protect personally identifiable information (PII). PII
can include data such as credit card information or social security
numbers, but it is not limited to that information. There are laws
governing what a business must do when a breach does happen. Forty-seven
(47) states have enacted legislation that regulates what businesses must
do. The only states that haven't done so are Alabama, New Mexico, and South
Dakota. You can find Texas' code in the following section of the law: Tex.
Bus. & Com. Code §§ 521.002, 521.053, Tex. Ed. Code § 37.007(b)(5).

Most lack confidence that they know the laws

Software Advice conducted a survey of 180 SMBs. Although it was a small
group, you can learn from their findings. They discovered:

- Only one-third (33 percent) of SMBs’ decision makers were confident that
they knew the law concerning a data security breach.
- Only 49 percent of the businesses surveyed had a data breach security
plan in place.
- Eighty-two (82) percent of the businesses said they encrypt customers’
PII.

One problem that businesses face in a security breach is that they often
don't know about the hack until months later. Hackers rely on this and move
quickly once they access the PII in a business. Your business has to notify
customers as soon as you find out about the breach, but in many cases, it
may be too late to protect their information. All you can do is clean up
the mess.

Federal legislation has been introduced

President Obama has introduced federal legislation that outlines a uniform
law for the nation, but right now, each state has its own guidelines. Not
only do you need to know the law of your state, but also the laws of the
states where your customers are located.

If your business in Texas has clients in Montana, then you could face legal
issues in both states. Just to note, Montana has some of the most stringent
laws in the nation.

The rules you must follow to protect your clients’ info

The most important thing your business can do is to have a plan concerning
your customers’ PII. Insurance is also available for your business to cover
your financial losses in case the worst happens. Here are some steps you
can take for your own organization:

- Know the laws. The website of the National Conference of State
Legislatures (NCSL) offers a starting place, but it may be a good idea to
get legal counsel.
- Classify your data. This can help you in the next step to have protocols
set in place for confidential, secret, or public information.
- Control your data. This includes monitoring smartphone, cloud devices,
and webmail access. Mobile devices are often the weakest link in the chain.
- Make sure your employees understand “acceptable use” of their work
devices.
- Have a response plan. When you do have a breach, you don't want to waste
time working out who needs to be involved or notifying the wrong people.
- You should not investigate the breach yourself. Law enforcement should be
called in. You can damage evidence when you try to handle things yourself.
- Understand the encryption keys. Don't leave the keys in the hands of one
person. You may want to work with a security consultant to protect your
sensitive data.

Don’t think that because you are a small or medium sized business that you
aren’t at risk. Your customers’ PII is very valuable to hackers around the
world. They don’t care what the size of your company is. Cyber security
threats are very real. Have a plan to make sure your business is protected.