Data Breach 101
Consequences of a Breach
The cost of a security breach is always higher than the cost of prevention.
State and Federal Compliance
There are laws in all 50 states and federal law that require companies to incorporate reasonable safeguards to prevent data breaches and to compliantly respond if a data breach occurs.
Know Your Risk Factors
Probably the biggest risk we see today is that small business owners are not addressing the risk of data breach.
How Data Breaches Happen
The best way to protect a business from a data security breach is to include thorough IT safeguards, policies and procedures, and effective employee data breach security training.
What is a Data Breach?
Most states and federal law generally define a data breach as the loss of or unauthorized access to an individual’s personal, sensitive information. Small businesses are particularly vulnerable because they don’t have the resources or don’t believe they will be a target.
The technical definition of a data breach varies between federal and state laws, and state to state, but in general, a data breach is the unauthorized acquisition or access of unencrypted personal information by an individual. This could result if the information systems are hacked, or the personal information is lost, such as in the case of a lost laptop. The kind of personal information that, if accessed or acquired, could trigger a breach includes a person’s full name together with Social Security number, credit card number, or medical information.
There are different types of data breaches, including:
PII breach: PII is Personal Identifiable Information, such as social security numbers, credit card information, date of birth, and even email addresses in some states. A PII breach is the unauthorized access to this data. This information can be found on your payroll records, employment applications, credit card numbers, and it could be at your accountant’s office or your payroll company’s office.
PCI breach: The term “PCI” refers to the Payment Card Industry standards established by the credit card companies. A breach of payment card data includes information that is accepted, transmitted or stored as a result of any customer paying an organization directly using a credit card or debit card. All businesses that store, process, or transmit payment cardholder data must maintain a secure environment and take a number of other steps to be PCI Compliant. An unauthorized access or acquisition of this data likely constitutes a breach.
HIPAA breach: The Health Insurance Portability and Accountability Act (HIPAA) defines a HIPAA breach as, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. The law requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Common identifiers of health information include names, social security numbers, addresses and birth dates.
What are the consequences of a data breach?
Lack of compliant preparation and response can result in:
- $38,000 average cost plus assessments, fines and penalties for a small business to respond to a data breach
- $20,000 average cost to a small business for forensic investigation
- 57% of customers lose trust in the brand
- 31% terminate the relationship
- Governmental fines and penalties
- Merchant – PCI assessment $5,000 to $50,000
How Does a Data Breach Happen?
Most companies actively protect their IT with robust security measures, but invest less when it comes to policies and procedures, and employee data breach security training. Having a robust IT system may help protect your business from hackers but the vast majority of damaging data breaches aren’t caused from outside attacks. A variety of studies show between 63% and 90% of all data breaches are caused by employees, whether accidental or malicious.
No business owner can watch every employee, every moment of every day. And since not all employees have the same talent and dedication, the security of any business truly rests in the hands of its employees.
Consider these statistics:
63% of all data breaches occur at businesses with 100 employees or less.
50% of those data breaches were malicious or criminal (insider employee involvement 32%)
23% caused by negligent employees
27% due to system glitches (IT failures and business process failures – employees)
State & Federal Compliance
Requirements apply to all businesses and organizations – small, medium, large, profit, and non-profit. Each entity has its own particular compliance requirements based on factors such as the regulations applying to that member, the states in which the member operates and the kind of data that the member maintains.
If you have a data breach, the obligations vary between federal and state laws, as well as state to state. There also may be different standards in different countries. Your obligations also will vary depending on whether you own the information, or maintain it one behalf of another.
In general, if you or your business owns the information, you will be required to:
- Take steps, where necessary, to stop the unauthorized access or acquisition.
- Investigate the incident and determine if there is a reportable incident.
- Provide notification to affected individuals that may need to meet certain notification requirements.
- In some states, and depending on the number of affected persons, notify certain federal or state agencies, and/or the credit reporting agencies.
If you maintain the personal information on behalf of the owner, you will be required to notify the owner of that information. You also may have contractual obligations with your clients/customers to notify them of certain data incidents, even if there is not a requirement under federal or state law to provide notification.
- A business owner who chooses to ignore a breach has potential exposure on a number of different fronts.
- With regard to penalties, the state laws vary. Some states treat the failure to comply with the breach mandate as an unfair or deceptive trade or business practice for which the attorney general can impose civil penalties. In other states, the statues provide a set penalty amount that applies depending on the number of persons affected and/or the type of failure (for example, the length of the period the notice was not provided). Penalties are rarely criminal in nature.
- Some states also permit individuals affected by a breach to file private causes of action against the entity that suffered the breach. In some cases, a plaintiff can recover punitive damages and attorney’s fees.
- In addition, if it comes to light that a business ignored a breach there may be significant harm that results from damage to the company’s reputation and its relationship with employees and/or customers.