Small Businesses Unprepared for Data Breach
By Anne Rosivach
Data breach events are a growing risk management issue for small businesses as they accumulate an ever-increasing volume of customer, employee, and proprietary information. Most small businesses are aware that threats exist, but only a small percentage of companies with fewer than 250 employees have policies and procedures in place to protect against online intrusions, according to a National Cybersecurity Alliance/Symantec survey conducted in September 2012.
The survey found that:
- Seventy-three percent of small and medium-sized businesses say a safe and trusted Internet is critical to their business' success, and 46 percent of which say very critical.
- Seventy-seven percent of small and medium-sized businesses think having a strong cybersecurity and online safety posture is good for their company's brand.
But despite their reliance on the Internet and the importance they attach to online safety, 87 percent have no Internet policies and procedures, and 75 percent do not have policies for employee social media use on the job.
"No one can prevent ID theft," Mark Pribish, vice president and ID theft practice leader of Merchants Information Solutions, said in a recent conversation with AccountingWEB. "It is extremely lucrative. Small businesses have multiple relationships with multiple customers and providers, and those relationships are constantly changing. Education is the number one tool to protecting data."
The Merchants ID Theft Advisory Board, which includes Avnet, KPMG, the FBI, Cox, BBB, and Merchants Information Solutions and which supports education for small businesses, has published A Small Business ID Theft and Fraud Best Practices eBook. The free eBook, which can be downloaded in its entirety or by topic, presents best practices on:
- Background screening
- Data breach risk management
- Information governance
- Information technology and security
- Privacy and security law
- Social media risks
"In the event of a breach, small businesses do not have the same protection as consumers," Pribish said. "While the assets of customers with personal bank accounts are protected under federal law, commercial bank accounts are not. In court cases, the burden is on small businesses to prove that a bank or other financial institution is liable under the Uniform Commercial Code (UCC)." Pribish referred to a recent case in which People's United Bank agreed to reimburse a construction company $345,000 that was lost to hackers, but only after a court ruled that the bank's security system and practices had been inadequate under the UCC.
Pribish recommended three steps small businesses and their CPA advisors should take to prepare for a breach:
- Be familiar with the Health Information Portability and Accountability Act (HIPAA), the Federal Trade Commission Red Flags Rule, and the multiple data breach liability laws that have been enacted in forty-six states.
- Put an enterprise risk management (ERM) program in place that includes information security and governance. "There is a tendency to delegate information security to the IT guy, but that is the last thing you should do," Pribish said.
- Establish a client document retention and destruction policy.
According to the eBook, while each small business is unique to its industry group or business sector, the foundation of a small business data breach incident response plan should include the following components:
- Breach source - determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of breach you should engage a forensic investigation company.
- Breach assessment - determine the scope of the data breach event and the privacy and data security regulatory requirements associated with the type of records in addition to the state of domicile.
- Response plan - include internal employee education and talking points; public relations press releases, customer education, and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.
- Protection plan - include the small business or consumer protection services to be offered to the compromised record group and the confirmation of professional call center and recovery advocate support services.
- Breach victim resolution plan - provide access to professional certified identity fraud recovery advocates that will work on behalf of the victims to mitigate and resolve the issues caused by breach.
Proper notification, planning, and professional execution of the plan will help mitigate possible fines, penalties, class actions, brand damage, and loss of revenue.
About the Merchants ID Theft Advisory Board:
The Merchants' Identity Theft Advisory Board, which is supported by 100-year-old Merchants Information Solutions, was founded in 2009 with a community outreach initiative to support small business ID theft and fraud education and awareness, child ID theft, and Internet safety and security.
- Billions in ID Theft Tax Fraud Go Undetected
- New Directive to Fight Stolen Identity Fraud
- TIGTA Report: IRS Taxpayer Data Is Vulnerable to Hackers
Voice of the Editor
Even though any accounting auditor would tell you it seems like there are an awful lot of tax accountants out there, surely one-third of the country isn't made up of tax preparers, so it's rather startling news to learn that one-third of Americans like to do their taxes. Who knew?
This Week on AccountingWEB
Bill Walter of Gross, Mendelsohn & Associates and Harold Gaar of TravisWolff LLP weigh in on mobile technology use while employees are at work.
WestArk RSVP and Fayette County Community Action Agency – organizations that received grant funding through the IRS Tax Counseling for the Elderly (TCE) program – spoke with AccountingWEB about how they assist senior citizens in their communities.
CPA Robert Raiola, who heads the Sports & Entertainment Group of Fazio, Mannuzza, Roche, Tankel, LaPilusa, LLC, talks NFL player income taxes with AccountingWEB.
Retiring KPMG Centennial Professor of Accounting at the University of Texas at Austin McCombs School of Business Robert May, PhD talks with AccountingWEB about his rewarding forty-three-year career.