What Business Owners Should Know About Security Breaches
Friday, August 8th, 2014
The news has been full of stories about data breaches at major retailers including Target, Neiman Marcus, and Michaels. According to the Internet Security Threat Report, breaches increased 62 percent in 2013 and more than 552 million identities were exposed. Another study found the average data breach in the United States now costs $201 per lost or stolen record, 15 percent more than 2013’s costs.
These are frightening statistics for any business, not just nationwide chains. Small, privately owned businesses are just as vulnerable to data breaches as major retailers. Here are a few ways companies can be proactive about protecting assets both before and after a security breach:
Have a plan in place. According to the Ponemon Institute, having an updated response plan can save a business nearly 25 percent per customer record. A successful response plan should include both an internal response team and external consultants in the areas of legal counsel and crisis communications. Steps to investigate, mitigate, and respond to the breach should be put in place ahead of time and practiced regularly.
Make sure everyone has individual user IDs and passwords. Because many software vendors charge by the user, some businesses try to save money by assigning the same sign-in credentials to multiple employees. Not only is this often a violation of a license agreement, but this compounds problems when there’s a security breach because it makes pinpointing the exact security gap much more difficult. The liability exposure alone is not worth the savings.
There is no legal requirement to carry cyber insurance, but it is becoming industry standard. One in three companies now has insurance specifically protecting against such losses; in fact, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped 20 percent last year. In addition, if a breach occurs, consider buying data protection coverage for the individuals affected by the breach. This, too, is not legally required, but it is becoming industry standard because it reduces risk and improves public relations, often at very low cost (typically, companies are charged only for the customers who accept the coverage).
Local customers may not be Georgia residents, and data breach rules are state-specific. Just because a customer’s address is in Georgia does not mean they are considered a Georgia resident. In Savannah, for example, some people are part-time residents or retain legal residency elsewhere. If a customer is a Pennsylvania resident and their privacy is breached through a Georgia company, that company will have to comply with the security breach laws of Pennsylvania.
Communications with customers following a data breach can affect the future of a business. Customers want open and immediate communication about security breaches so they can begin to protect themselves and monitor their accounts. To discourage litigation, business owners should employ professionals who understand the rules of reporting (there are times a business is not legally required to report a breach) and who can explain the measures being taken to keep customer information safe. A professional experienced in this area can help write a security breach notice that is less likely to invite additional litigation.
It only takes one mistake by an employee, unauthorized access by a former employee, theft of a company laptop, or a system breach by a skilled hacker, and your company could be facing significant legal and financial challenges. Business owners committed to safeguarding company assets and those of their customers should reach out to an attorney with experience in data privacy and security breach notification laws before a security breach happens, both to put a proactive plan in place and to be ready when a breach occurs.
Diana J.P. McKenzie is a partner and chair of the Information Technology and Outsourcing Practice Group at HunterMaclean.