By Anne Rosivach
Data breach events are a growing risk management issue for small businesses as they accumulate an ever-increasing volume of customer, employee, and proprietary information. Most small businesses are aware that threats exist, but only a small percentage of companies with fewer than 250 employees have policies and procedures in place to protect against online intrusions, according to a National Cybersecurity Alliance/Symantec survey conducted in September 2012.
The survey found that:
- Seventy-three percent of small and medium-sized businesses say a safe and trusted Internet is critical to their business' success, and 46 percent of which say very critical.
- Seventy-seven percent of small and medium-sized businesses think having a strong cybersecurity and online safety posture is good for their company's brand.
But despite their reliance on the Internet and the importance they attach to online safety, 87 percent have no Internet policies and procedures, and 75 percent do not have policies for employee social media use on the job.
"No one can prevent ID theft", Mark Pribish, vice president and ID theft practice leader of Merchants Information Solutions, said in a recent conversation with AccountingWEB. "It is extremely lucrative. Small businesses have multiple relationships with multiple customers and providers, and those relationships are constantly changing. Education is the number one tool to protecting data."
The Merchants ID Theft Advisory Board, which includes Avnet, KPMG, the FBI, Cox, BBB, and Merchants Information Solutions and which supports education for small businesses, has published A Small Business ID Theft and Fraud Best Practices eBook. The free eBook, which can be downloaded in its entirety or by topic, presents best practices on:
- Background screening
- Data breach risk management
- Information governance
- Information technology and security
- Privacy and security law
- Social media risks
"In the event of a breach, small businesses do not have the same protection as consumers", Pribish said. "While the assets of customers with personal bank accounts are protected under federal law, commercial bank accounts are not. In court cases, the burden is on small businesses to prove that a bank or other financial institution is liable under the Uniform Commercial Code (UCC)." Pribish referred to a recent case in which People's United Bank agreed to reimburse a construction company $345,000 that was lost to hackers, but only after a court ruled that the bank's security system and practices had been inadequate under the UCC.
Pribish recommended three steps small businesses and their CPA advisors should take to prepare for a breach:
- Be familiar with the Health Information Portability and Accountability Act (HIPAA), the Federal Trade Commission Red Flags Rule, and the multiple data breach liability laws that have been enacted in forty-six states.
- Put an enterprise risk management (ERM) program in place that includes information security and governance. "There is a tendency to delegate information security to the IT guy, but that is the last thing you should do", Pribish said.
- Establish a client document retention and destruction policy.
According to the eBook, while each small business is unique to its industry group or business sector, the foundation of a small business data breach incident response plan should include the following components:
- Breach source - determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of breach you should engage a forensic investigation company.
- Breach assessment - determine the scope of the data breach event and the privacy and data security regulatory requirements associated with the type of records in addition to the state of domicile.
- Response plan - include internal employee education and talking points; public relations press releases, customer education, and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.
- Protection plan - include the small business or consumer protection services to be offered to the compromised record group and the confirmation of professional call center and recovery advocate support services.
- Breach victim resolution plan - provide access to professional certified identity fraud recovery advocates that will work on behalf of the victims to mitigate and resolve the issues caused by breach.
Proper notification, planning, and professional execution of the plan will help mitigate possible fines, penalties, class actions, brand damage, and loss of revenue.
About the Merchants ID Theft Advisory Board:
The Merchants' Identity Theft Advisory Board, which is supported by 100-year-old Merchants Information Solutions, was founded in 2009 with a community outreach initiative to support small business ID theft and fraud education and awareness, child ID theft, and Internet safety and security.