Protecting against data breach: 6 tips for small business owners
Eric W. Richardson, bizjournals.com
Large companies aren’t the only businesses that have an obligation to protect their clients’ security and privacy. Smaller businesses are increasingly suffering data breaches, with results that range from compromise of client or customer data to a third party taking control of the entire business operation.
Protecting your data not only shields you from financial liability, but also from substantial reputational harm. Thankfully, you can take reasonable precautions to help protect the security and privacy of your business and your customers.
Here are six steps your small business can take to avoid liability under state data security statutes and to protect your business and its customers.
Know what to look for. You cannot stop what you don’t recognize, so one important step in preventing a data breach is knowing how a third party typically gets in. Be on the lookout for these two things:
- Understand ransomware: An increasing number of stories demonstrate the threat of ransomware, malicious software that encrypts your business’s files and offers the decryption key in return for payment of a ransom. One prominent attack affected Hollywood Presbyterian Medical Center in 2016: attackers locked the hospital out of its own patient records, and the hospital paid a ransom to get a key. Hospitals have unique, immediate data needs, and not all business data is life-or-death, but no individual or business wants to be at the mercy of an unknown third party. Paying is also no guarantee of recovery, and many attackers now copy the data before encrypting it, so a ransom payment does not undo the breach itself.
- Suspicious or unknown emails: If you receive an email from an unknown address, do not open any attachment or click any link. Look at the sender’s actual address carefully, not just the display name, which the sender can set to anything. Scammers register look-alike addresses so that mail appears to come from Google®, Yahoo!®, TurboTax®, PayPal®, or even your business associate. And if a contact’s own account has been compromised, the message may come directly from their real address, so an address that checks out is not proof on its own. If something doesn’t seem right to you, go with your gut: confirm an unexpected request by phone or another channel you already trust, and don’t open a link or attachment until you’ve verified it is safe.
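The sender checks described above, turned into a small script you can run over a message’s From: and Reply-To: headers. This is an added example, not code from the original article. The brand-to-domain table and the sample headers are constructed for the demo; each business has to fill in the addresses its real providers and contacts actually use, taken from the provider, not from an email.

```python
"""Added example for tip 1: the sender checks the article describes, run over
constructed From:/Reply-To: headers. Not from the original article. The
brand-to-domain table is an assumption; each business must fill in the
addresses its real contacts and providers actually use."""
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List, Optional

# Constructed: brands the business expects mail from and the domains assumed
# to be theirs. Real values come from the provider, not from an email.
KNOWN_SENDERS = {
    "paypal": {"paypal.com"},
    "google": {"google.com"},
    "acme supplies": {"acmesupplies.example"},  # a hypothetical business associate
}
ALL_TRUSTED = {d for domains in KNOWN_SENDERS.values() for d in domains}


def registrable(host: str) -> str:
    """'mail.paypal.com' -> 'paypal.com'. Last two labels only; real code would
    consult the public-suffix list so that 'example.co.uk' is handled."""
    return ".".join(host.lower().strip().split(".")[-2:])


def lookalike(host: str) -> Optional[str]:
    """Return the trusted domain this host imitates, or None if it is either
    exactly trusted or not similar to anything trusted."""
    reg = registrable(host)
    if reg in ALL_TRUSTED:
        return None
    for trusted in ALL_TRUSTED:
        brand = trusted.split(".")[0]
        if host.lower().startswith(trusted + "."):              # paypal.com.verify-login.net
            return trusted
        if SequenceMatcher(None, reg, trusted).ratio() >= 0.85:  # gooogle.com, paypa1.com
            return trusted
        if brand in reg.split(".")[0]:                          # paypal-security.net
            return trusted
    return None


def check_sender(from_header: str, reply_to: str = "") -> List[str]:
    """Warnings for a From:/Reply-To: pair. An empty list means nothing odd
    was found, which is not the same as the mail being safe."""
    warnings = []
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From: header has no usable address"]
    domain = addr.rsplit("@", 1)[1].lower()
    reg = registrable(domain)

    # 1. The display name drops a known brand, but the address is not that brand's.
    for brand, domains in KNOWN_SENDERS.items():
        if brand in name.lower() and reg not in domains:
            warnings.append(f"display name says '{brand}' but address is @{domain}")

    # 2. The address domain imitates one we trust.
    imitated = lookalike(domain)
    if imitated:
        warnings.append(f"@{domain} looks like {imitated}")

    # 3. Replies would be routed somewhere other than the apparent sender.
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if "@" in rt_addr:
            rt_domain = rt_addr.rsplit("@", 1)[1].lower()
            if registrable(rt_domain) != reg:
                warnings.append(f"Reply-To goes to @{rt_domain}, not @{domain}")
    return warnings


# Constructed sample headers, not real messages.
SAMPLES = {
    "genuine": "PayPal <service@paypal.com>",
    "brand_mismatch": '"PayPal" <alerts@paypal-security.net>',
    "typo_domain": "Google <no-reply@gooogle.com>",
    "hijacked_reply": ("Acme Supplies <billing@acmesupplies.example>",
                       "billing@acmesupplies-invoices.com"),
}


def run_samples() -> dict:
    """Apply check_sender to every sample and return the warnings per label."""
    results = {}
    for label, hdr in SAMPLES.items():
        frm, rt = hdr if isinstance(hdr, tuple) else (hdr, "")
        results[label] = check_sender(frm, rt)
    return results


if __name__ == "__main__":
    for label, found in run_samples().items():
        print(f"{label:15} {found or 'no warnings'}")
```

The checks are heuristics for the cases the article names (a familiar name on an unfamiliar address, a misspelled or padded domain, replies silently redirected). They deliberately do not cover the case the article also warns about, a message sent from a contact’s genuinely compromised account, because every header is legitimate there; that case is only caught by confirming the request through a separate channel.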
- Back up data regularly. Backing up your customer data puts you ahead of the game when a third party tries to ransom your data back to you. The more regularly your business backs up its data, the less you lose by restoring instead of paying. Two caveats: ransomware routinely deletes or encrypts any backup it can reach, so keep at least one copy offline or somewhere the infected computer cannot write to or delete, and restore from a backup periodically to confirm it actually works.
- Encrypt your data. As simple as it sounds, encrypting your data can provide a significant shield from liability in several states. Even if your business is the target of a malicious attempt to extract customer data, many state breach-notification laws have a safe harbor that excuses notice if the exposed data was encrypted. A third party may obtain the encrypted data but cannot make use of it. That safe harbor generally depends on the attacker not also getting the key, so store encryption keys separately and not alongside the data they protect.
- Create a computer security policy, and enforce it. Require a password or PIN on every business computer and require it to be re-entered after a period of inactivity. Turn on the firewall, install anti-virus software, enable multi-factor authentication on the email and banking accounts that offer it, and draft an employee policy that sets security and privacy standards for company computers and technology. But remember, for these safeguards to be worthwhile you must install software updates promptly, use strong, unique passwords (a password manager makes this practical) and change them at once if you suspect they have leaked, and actually enforce your company policies.
- Keep data only as long as you need it. Small businesses often get into trouble by retaining credit card numbers and former customers’ information longer than necessary. Holding customer information you no longer need increases your chances of becoming a target for a breach and widens your potential liability. You may need to keep a card number until the transaction has completed, you have been paid, and the period during which the card company can reverse the transaction has passed; the card’s security code should never be stored at all. Once you no longer need the card number, delete it, and keep only what receipts and customer service actually require, such as the last four digits.
- Prepare an incident response plan. Hackers and scammers are continuously becoming more sophisticated, and even if you take every suggested precaution, your business could still suffer a data breach. An incident response plan is your game plan for dealing with one: how the breach should be handled, who will handle it, when counsel needs to be involved, who needs to be notified, and what to say about it. Having a plan in place can reduce the stress, and potentially some of the liability, of a data breach.
Here are a few things to consider in creating your plan:
- Prepare a team to investigate any breach.
- Consider who needs to be consulted: a technology expert, credit card companies, and any law enforcement, regulatory agencies, customers, or contractual partners you are required to notify.
- Draft a sample press release that can easily be revised for the specific situation.
- Decide how you’ll notify customers.
Contact a knowledgeable attorney to find out what kind of liability your small business could face, and draft your plan accordingly.
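Tip 2 (back up regularly) in working form: dated snapshots with a hash manifest, a restore test, and pruning, run through a constructed scenario in which the live copy is overwritten and rebuilt from the snapshot. This is an added example, not code from the original article. The retention count, the directory layout and the sample files are assumptions made for the demo.

```python
"""Added example for tip 2 (back up regularly): dated snapshots with a hash
manifest, a restore test, and pruning. Not from the original article; paths,
retention count and sample files are constructed for the demo."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

KEEP = 7  # assumed: how many dated snapshots to retain


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def snapshot(src: Path, dest: Path, stamp: str) -> Path:
    """Archive src into dest/backup-<stamp>.tar.gz and record each file's hash
    in a manifest next to it. Stamps like 20240601-0200 sort chronologically."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = str(f.relative_to(src))
            tar.add(f, arcname=rel)
            manifest[rel] = sha256_file(f)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return archive


def restore(archive: Path, target: Path) -> bool:
    """Unpack archive into target and check every file against the manifest.
    Returns False if anything is missing or altered."""
    expected = json.loads(manifest_path(archive).read_text())
    target.mkdir(parents=True, exist_ok=True)
    # Newer Pythons can refuse unsafe member paths when asked; older ones lack the option.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **kwargs)
    return all((target / rel).is_file() and sha256_file(target / rel) == digest
               for rel, digest in expected.items())


def verify(archive: Path) -> bool:
    """A backup that has never been restored is untested: restore it to scratch space."""
    with tempfile.TemporaryDirectory() as tmp:
        return restore(archive, Path(tmp))


def prune(dest: Path, keep: int = KEEP) -> list:
    """Delete all but the newest `keep` snapshots (and their manifests)."""
    archives = sorted(dest.glob("backup-*.tar.gz"))
    removed = []
    for old in archives[:-keep] if keep else archives:
        manifest_path(old).unlink(missing_ok=True)
        old.unlink()
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Constructed scenario: back up, let 'ransomware' overwrite the live copy,
    rebuild it from the newest snapshot, then prune to the retention count."""
    with tempfile.TemporaryDirectory() as tmp:
        live, store = Path(tmp) / "live", Path(tmp) / "backups"
        (live / "customers").mkdir(parents=True)
        (live / "customers" / "list.csv").write_text("id,name\n1,Ada\n2,Grace\n")
        (live / "invoices.txt").write_text("INV-1001 paid\n")
        original = {p.name: sha256_file(p) for p in live.rglob("*") if p.is_file()}

        for stamp in ("20240525-0200", "20240526-0200", "20240527-0200"):
            archive = snapshot(live, store, stamp)
        fresh_ok = verify(archive)

        for p in live.rglob("*"):                 # every live file overwritten
            if p.is_file():
                p.write_bytes(b"\x00 encrypted, pay 2 BTC \x00")
        restored_ok = restore(archive, live)      # extraction overwrites the damage
        after = {p.name: sha256_file(p) for p in live.rglob("*") if p.is_file()}

        return {"fresh_ok": fresh_ok, "restored_ok": restored_ok,
                "data_back": after == original, "removed": prune(store, keep=2),
                "left": sorted(p.name for p in store.glob("backup-*.tar.gz"))}


if __name__ == "__main__":
    print(demo())
```

Scheduling snapshot() nightly and verify() weekly gives you the "regular" part of the tip; the part a script cannot give you is distance. Copy the archives to a location the workstation account can only add to and never delete from (a drive that is unplugged after the copy, or storage with an object-lock or append-only setting), because an intruder who can encrypt the live data can just as easily delete a backup folder sitting next to it.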
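Tip 5 (keep data only as long as you need it) as a purge rule you could run against stored orders each night. This is an added example, not code from the original article. The 120-day reversal window is an assumption standing in for whatever period your card processor actually quotes, and the order records use the publicly documented sandbox test card numbers rather than real ones.

```python
"""Added example for tip 5 (keep data only as long as you need it): a purge
rule for stored card numbers. Not from the original article. The 120-day
window and the orders are assumptions/constructed data; use the reversal
period your card processor actually quotes."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed reversal period. Card networks publish their own chargeback windows;
# the number in your processor agreement is the one to use here.
CHARGEBACK_WINDOW = timedelta(days=120)


@dataclass
class Order:
    order_id: str
    customer: str
    card_number: Optional[str]          # full number while needed, None once purged
    card_last4: str = ""                # what stays behind for receipts and lookups
    settled_on: Optional[date] = None   # day the payment landed; None if unpaid
    # No security-code (CVV) field on purpose: card-brand rules forbid storing it
    # after authorization at all, so it must never reach this record.


def purge_due(order: Order, today: date) -> bool:
    """True once the full card number is no longer needed for this order."""
    if order.card_number is None:
        return False                    # already purged
    if order.settled_on is None:
        return False                    # not paid yet: still needed
    return today - order.settled_on > CHARGEBACK_WINDOW


def purge(orders: List[Order], today: date) -> List[str]:
    """Strip full card numbers from every order past its window and return the
    ids touched. Safe to run daily; a second run on the same day changes nothing."""
    purged = []
    for o in orders:
        if purge_due(o, today):
            o.card_last4 = o.card_number.replace(" ", "")[-4:]
            o.card_number = None
            purged.append(o.order_id)
    return purged


def sample_orders() -> List[Order]:
    """Constructed records using sandbox test card numbers, not real cards."""
    return [
        Order("A-1001", "Ada",    "4111 1111 1111 1111", settled_on=date(2024, 1, 5)),
        Order("A-1002", "Grace",  "5555 5555 5555 4444", settled_on=date(2024, 3, 1)),
        Order("A-1003", "Linus",  "4000 0000 0000 0002"),                        # unpaid
        Order("A-1004", "Ken",    None, card_last4="0005", settled_on=date(2023, 9, 9)),
        Order("A-0999", "Dennis", "3782 822463 10005", settled_on=date(2023, 5, 1)),
    ]


def demo() -> dict:
    """Run the purge against the sample on a fixed 'today' and report the state."""
    orders = sample_orders()
    today = date(2024, 6, 1)
    first = purge(orders, today)
    second = purge(orders, today)       # idempotent: nothing left to do
    return {
        "first_run": first,
        "second_run": second,
        "stored_numbers": {o.order_id: o.card_number for o in orders},
        "last4": {o.order_id: o.card_last4 for o in orders},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the sample data the first run purges A-1001 (settled 148 days earlier) and A-0999 (a former customer from the previous year), leaves A-1002 because its 92 days are still inside the window, leaves the unpaid A-1003, and skips A-1004, which was already reduced to its last four digits. The same rule applies to any other customer field you only need for a limited time; the card number is just the field with the clearest deadline.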
These steps are low-cost and could save you from significant potential liability. With increasing reliance on digital data, it is never too early to protect your small business.