Small Businesses Unprepared for Data Breach
By Anne Rosivach
- Seventy-three percent of small and medium-sized businesses say a safe and trusted Internet is critical to their business' success, and 46 percent say it is very critical.
- Seventy-seven percent of small and medium-sized businesses think having a strong cybersecurity and online safety posture is good for their company's brand.
But despite their reliance on the Internet and the importance they attach to online safety, 87 percent have no Internet policies and procedures, and 75 percent do not have policies for employee social media use on the job.
- Background screening
- Data breach risk management
- Information governance
- Information technology and security
- Privacy and security law
- Social media risks
"In the event of a breach, small businesses do not have the same protection as consumers," Pribish said. "While the assets of customers with personal bank accounts are protected under federal law, commercial bank accounts are not. In court cases, the burden is on small businesses to prove that a bank or other financial institution is liable under the Uniform Commercial Code (UCC)." Pribish referred to a recent case in which People's United Bank agreed to reimburse a construction company $345,000 that was lost to hackers, but only after a court ruled that the bank's security system and practices had been inadequate under the UCC.
- Be familiar with the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission Red Flags Rule, and the multiple data breach liability laws that have been enacted in forty-six states.
- Put an enterprise risk management (ERM) program in place that includes information security and governance. "There is a tendency to delegate information security to the IT guy, but that is the last thing you should do," Pribish said.
- Establish a client document retention and destruction policy.
According to the eBook, while each small business is unique to its industry group or business sector, the foundation of a small business data breach incident response plan should include the following components:
- Breach source - determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of the breach, you should engage a forensic investigation company.
- Breach assessment - determine the scope of the data breach event and the privacy and data security regulatory requirements associated with the type of records in addition to the state of domicile.
- Response plan - include internal employee education and talking points; public relations press releases, customer education, and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.
- Protection plan - include the small business or consumer protection services to be offered to the compromised record group and the confirmation of professional call center and recovery advocate support services.
- Breach victim resolution plan - provide access to professional certified identity fraud recovery advocates who will work on behalf of the victims to mitigate and resolve the issues caused by the breach.
Proper notification, planning, and professional execution of the plan will help mitigate possible fines, penalties, class actions, brand damage, and loss of revenue.