BreachExchange mailing list archives

Even Small Businesses Need To Pay Attention To Data Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 25 Jun 2015 19:19:28 -0600

http://www.jdsupra.com/legalnews/even-small-businesses-need-to-pay-60312/

When people think about data breaches, corporate giants like Target, Home
Depot and Michael’s spring to mind. But even small businesses holding
personal information can face costly consequences if a breach occurs.

In the past, cases only proceeded in the courts if plaintiffs could show
actual harm (such as money stolen by identity thieves) – the mere exposure
of personal information was not enough to file a lawsuit.

But, after the 2013 Target breach, a Minnesota federal judge accepted the
plaintiffs’ claims of potential future harm and allowed a class-action suit
to move forward. Target promptly offered $10 million to reimburse consumers
for any harm they could eventually show – but that amount was rejected by
the plaintiffs, and Target could be on the hook for substantially more.

Whether the Minnesota ruling is a harbinger of other courts allowing these
claims to proceed is an open question, but it underscores the importance of
doing everything possible to prevent data breaches.

Small businesses must also be careful to satisfy data protection laws of
any state where they do business. Many people are surprised to learn that
Pennsylvania and most other states, except Massachusetts and California,
don’t already require that businesses protect personal information.

However, Pennsylvania does require any business that suffers a breach of
personal information to notify all affected state residents and provide
phone numbers of credit reporting agencies.

Any business that accepts credit card payments must also comply with the
Payment Card Industry Data Security Standards, which requires regular
system updates and data-breach response policies. Failure to comply could
lead to a business facing fines, higher transaction fees and even losing
the ability to accept credit cards – what I call a “death penalty” in
today’s commercial environment.

And Congress is now considering the Data Security and Breach Notification
Act of 2015, which would authorize the Federal Trade Commission to enact
guidelines requiring that businesses adopt “reasonable” measures to protect
personal information and mandate the reporting of any breaches.

In general, personally identifiable information is defined as an
individual’s first name or initial and last name, plus one or more of these
elements:

- Social Security Number
- Driver’s license number or other government-issued identification number
- Financial account number and/or credit card number, in combination with
any required access codes or passwords.

No matter the size of your business, I recommend three basic steps:

1. Get professional help: All businesses that collect personal information
should talk to their attorneys, and attorneys should work closely with IT
staff or contractors. Companies need appropriate data security policies in
place that include what to do in case of a breach.
2. Perform audits: The agreement for businesses that accept credit cards
requires self-certified audits of systems. Overlooking this step can be
risky, leaving the system exposed and opening the business to harsh
penalties from credit card companies.
3. Get insured: Breaches are expensive. It costs money to draft and issue
notices, offer credit card monitoring, defend against lawsuits, and pay
settlements or fines. Insurance companies offer data privacy policies,
generally separate from standard commercial liability.

The bottom line is that most businesses, no matter their size, hold
personal information and need to guard against data breaches – or run the
risk of expensive consequences.

Keep in mind that in a settlement, if several thousand people want even
just a few dollars apiece, the out-of-pocket cost quickly adds up.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com