WHAT EVERY BUSINESS NEEDS TO KNOW:
Every business that uses, views, stores or otherwise handles personal customer information is at risk. The level of risk is largely determined by the business you’re in and what kind of “personal information” you have in your care, custody and control. If you use the internet to conduct business, you’ve significantly increased your risk of cyber attack. However, there are things you can do to protect yourself and your customers. If your company is hacked and you haven’t adequately protected the data on your devices, you may find yourself in for a costly surprise. Small and mid-size businesses with high volumes of transactions are often favored targets, because hackers have learned that their cyber security may not be up to snuff, allowing easy access. These smaller incidents don’t usually get the same level of attention as the large breaches; however, the consequences are just as serious. The cost to small and mid-size companies of responding to a data breach can run from $100,000.00 to $500,000.00 or more. In today’s internet business environment, anyone handling credit cards, debit cards or other sensitive information, such as a customer’s financial, legal or health information, is particularly at risk.
Any business handling “personal information” has the obligation to protect its customers from the illegal use or disclosure of this protected information. The privacy and security protections regulating many industries include administrative, legal and technical requirements. Data breaches are often the result of either insufficient technical safeguards or careless handling of data. A great deal of debate has taken place over the amount of time it took for Target to notify its customers. The difficulty faced by businesses when a breach has occurred (or is suspected) is that steps must be taken immediately to eliminate the intrusion, which often involves a very comprehensive forensic analysis. This first step can take weeks to complete, and the results must then be evaluated with counsel familiar with the many layers of regulation, risk and reporting requirements. The assessment of when and whether a company is required to notify customers typically requires the involvement and consent of local, state and federal law enforcement officials. In many states, including Connecticut, the Attorney General must also be notified. These notifications extend to any state or territory where an affected customer resides. Adding to the complexity following a breach, forty-eight states now have their own response requirements for known or suspected data breaches. Unfortunately, many of these laws have differing requirements, and most don’t specify the timetables for reporting a breach. Connecticut’s statute requires that notice must not be unreasonably delayed, which leaves a great deal open to interpretation. A business might also be compelled to delay publicly reporting a breach by the Secret Service or other law enforcement authorities.
The U.S. Senate recently re-introduced a Data Breach Bill in an effort to nationalize data security and reporting standards. Following the recent breach announcements by Target, Neiman Marcus and Michaels Stores, there will undoubtedly be many more efforts to strengthen cyber security standards. Currently, credit card security standards are primarily privately regulated by the major card brands, including MasterCard, Visa and American Express. These recent major breaches clearly show a need to better protect American businesses and residents. The technical standards required of merchants in America today for all point of sale systems (and POS providers), known as the Payment Card Industry Data Security Standard (PCI DSS), are not nearly as strong as the EMV standards used by many European nations. By latest counts, the recent Target breach involved over 100 million customers, whose data is now at risk. These pools of stolen data are typically sold on the black market within a matter of moments, leaving the door open to large-scale fraud and identity theft problems for those affected.
Businesses handling any type of regulated “personal information” should immediately take steps to evaluate their risk and audit all devices. Responding to a cyber attack is a costly enterprise, which will include the costs of forensics, fines by the card brands, notification costs, legal expenses to evaluate and respond to the breach and mitigate damage, and the fallout certain to take place from unhappy customers and the many potential lawsuits and claims to follow. The damage to a business’s reputation after a breach is impossible to put a dollar value on. Staying abreast of current and emerging regulations is critical to keeping a step ahead of the ever-present risk of cyber attack on the internet. If you are notified or suspect that customer data may have been breached, it’s imperative to take this seriously and immediately take steps to evaluate the situation. Numerous states, including Connecticut, now permit the Attorney General to assess additional fines against businesses that do not notify affected customers in a timely fashion. Lastly and most importantly, having a comprehensive compliance program in place covering the technical, legal and administrative safeguards necessary to protect data is simply the best way to avoid a costly data breach, which has become a far too common occurrence today.
Attorney Tegan Blackburn frequently provides compliance counseling to businesses across diverse industries on preventing and responding to data breach.