Ashley Shaw

New Cyber-Security Survey Shows Why Businesses Need to Do More

There is a good chance that you have heard about some major data breaches at companies all across the country over the last several years.

Major Data Breaches

If not, here is a refresher:

In fact, according to the Identity Theft Resource Center, between 2005 and April 2016 there were 6,079 breaches and 862,527,023 records taken.

Ponemon Institute and Experian Survey

In addition to the scary numbers listed above, a recent cyber-security survey conducted by the Ponemon Institute and Experian Survey found some surprising numbers of its own.

  • 60% of surveyed business leaders thought that their employees did not know enough about protecting personal information.
  • 55% said that they had a breach because of employee negligence.

In fact, if you want some solid proof of this, think about the Erin Andrews story. In that case, the hotel chain where Andrews was staying was liable in part for the actions of the ESPN host’s stalker because its employee did not know how to properly handle personal information and willingly gave out the guest’s room number.

What This Means

All of the above should give you pause. Data breaches cost businesses a lot.

  • It costs actual money because of liabilities to those who had info stolen (think Target’s $67 million settlement with Visa) and because of the actual cost of giving notice to employees and consumers.
  • It costs legal fees and consequences because there are many laws you need to follow in order to avoid and limit the damage of security breaches.
  • It costs time – from giving notice, to answering questions from consumers, employees and the press, to legal actions, etc.
  • It costs reputation – because people hear about these stories and are wary of giving their own personal information to a company they do not know if they should trust.

Yet, despite all of the bad things that we all know happen because of data breaches, they are still happening all the time with worse and worse consequences.

It seems like people are simply not doing enough to fix the problem.

Why?

There is really no reason for you not to take the proper steps to eliminate these concerns. However, if the reason you aren’t doing enough is because you don’t know how, then hopefully the rest of this post will help you.

Before a Breach Occurs

You do not want to wait for a breach to occur before you start doing anything. You will save yourself a lot of legal and reputational trouble if you take all of the proper steps to protect information before a breach even occurs.

For starters, make sure you are doing all of the following even if you have never had a security threat:

Check Your IT Systems

Many breaches will occur because of insufficient security measures. That is why you want to make sure your technology is secured in the most appropriate manner for your business.

If you do not have internal IT to help secure your system, think about bringing in outside help to make sure you are protected. Remember, you may not want – or think you can afford to – invest in this help now, but it will cost you a lot more in the long run if you do get breached.

Train Your Employees

As the Ponemon Institute and Experian Survey points out, most employers are aware that their employees do not know enough about protecting personal information. They also attribute many of their own security irregularities to negligent employees.

What this should tell you is that employees need more training in this area. If they are handling personal information – from point of sale all the way down to destruction of that information – then they need to be trained in how to properly handle it.

Redact and Encrypt Information

When you do keep information, make sure you properly code, encrypt, or redact it. In fact, the safer you keep it, the less likely it is that you will have any problems later on if someone does get it.

Some states set requirements for how you must protect information, and others only include unencrypted or unredacted information in their notice requirements. So make sure you know the law in your state.

Keep Information on a Need to Know Basis

As is always the case, the fewer people who know something, the less likely it is that employee negligence will be the cause of a problem. So, if you are collecting personal information, try to limit the number of people who have access to it.

Destroy Information Properly

At some point, you might decide to get rid of some of the personal information that you keep. If you decide to do this, make sure you do it properly.

Once again, you need to be aware of applicable laws. If the law dictates when or how you can destroy information, you need to make sure you are doing it correctly.

As Soon as You Notice a Breach Has or Potentially Has Happened

The second you notice an irregularity in your system, you should be taking steps to fix it. Here are some things you should do as soon as possible:

Catch Breaches Early

Monitor your systems. If you know what is normal for you, you will know what is not normal. This means that as soon as something out of the ordinary happens, you will spot it and be able to fix it.

Take Proper Steps to Curb Damage

Once you see something, do something. Talk to your IT experts to get the hack fixed. Investigate what happened. Then, start preparing for the next steps, which might include giving notice.

Talk to a Lawyer

Talk to a lawyer about what you should do now. Sometimes, you will need to have a police investigation before providing notice. Maybe the breach was caught early enough, or you protected the information well enough, that you don’t even need to provide notice.

The best thing to do, though, to make sure you are taking the right steps, is to get legal counsel when you think a breach has occurred.

The Aftermath of a Security Breach

After you have been breached, and you have taken the immediate first steps to fix it, you should start taking care of all your legal obligations, meaning providing accurate notice, as well as taking steps to make sure that a similar situation does not happen again.

Notice

When a breach does occur, the odds are you will likely have to provide notice to anyone affected by it.

What notice is required – and how you provide notice – will be determined by state law. However, there are some pretty standard things we can say about what that state law will likely include.

You will likely have to provide written notice directly to the person the breach affected. That notice will probably say things like what information was taken, what is being done to protect it, and how the consumer can learn more information.

In bad breaches, where providing notice will cost a lot of money or notice must be given to many people, you may be able to provide secondary notice, which will likely require you to notify major media outlets, post the notice on your website, and notify the major credit bureaus.

Again, though, the standards for secondary notice are dictated by state law, so it is best to get legal help when you are determining whether you can use it.

Legal Actions

Once you have given notice, you may want to start preparing for any legal actions that might be taken against you.

Here, take into account financial concerns, as well as time and legal defenses.

Reputation Damage Control

If the breach is bad enough, it will garner some press. So, you will want to take some time to make sure you are on top of reputation control.

Re-Evaluate

Finally, once this is all in your rearview mirror, make sure you evaluate and learn from the whole process.

In Conclusion

There are a lot of legal and business considerations to take into account when it comes to protecting your employees’ and customers’ personal information. Don’t wait until a problem occurs to try to come up with a solution.

Talk to an employment lawyer, and perhaps an IT professional, in order to make sure you are taking the appropriate steps to protect and monitor the personal information that you collect. When you get rid of information, do so in the correct manner.

Then, make sure you have steps in place to spot hackers or breaches as soon as possible. If a breach does occur, talk to your employment lawyer as soon as possible to make sure that you get this delicate matter taken care of in the legally compliant manner that will best eliminate the negative consequences of a breach. Remember, the earlier you spot and correct a problem, the less damage it will cause.

Finally, when a breach occurs or periodically without a breach, evaluate your policies and procedures to make sure that you are continuing to do the best you can to protect any personal information you may have in your system, from employee files to consumer credit card numbers to anything else you might have in order to effectively run your business.
