According to entrepreneurial news outlet The American Genius, a small survey found that small- and medium-sized businesses are uniquely positioned to be absolutely blindsided if they ever experience a data breach. Why?
- Only 33 percent of small business respondents know their state's data breach laws.
- 51 percent don't have a data breach security plan in place.
- 82 percent don't encrypt customers' personally identifiable information – you know, the stuff that most state laws require you to protect.
Do these numbers reiterate that you're ahead of the curve or remind you that it's time to figure out once and for all what your business is responsible for when it comes to customer security? If you're in the latter camp, this guide is for you.
Data Breach State Laws: Fines and Notification Regulations
Perhaps the first step toward shoring up your data security plan is to figure out what information you are responsible for protecting. Though credit card numbers and Social Security numbers may immediately spring to mind, that's not the only valuable information to potential hackers.
Some states have broadened the definition of personally identifiable information to account for this fact, and those laws may treat names, email addresses, physical addresses, and PINs as protected information that, if exposed, qualifies as a breach.
At this point in time, 47 states have some form of data breach legislation on the books (Alabama, South Dakota, and New Mexico continue to be holdouts, though New Mexico may join the fold soon enough). A federal data breach law that would supersede state laws is in the works, but for now, you must follow your state's regulations.
Here's what a few states' laws entail:
- California: The Notice of Security Breach Act in California requires business owners to notify customers when their personal information is breached.
- Florida: The Florida Information Protection Act of 2014 requires businesses to notify affected Florida residents within 30 days of the breach. If more than 1,000 people are affected, credit-reporting agencies must also be notified. Failure to comply means a fine of $1,000 per day per breach or up to $50,000 per 30-day period (but caps at 180 days and $500,000).
- Illinois: The Personal Information Protection Act also requires business owners to notify affected parties and give them information about the appropriate consumer reporting agencies. Those who don't comply with these regulations can be fined $100 per affected individual, or up to $500,000 in total fines.
- New York: New York businesses must notify affected residents about the breach as soon as possible. The state attorney general, Department of State, and Office of Information Technology Services must also be informed. Compared to Florida and Illinois, New York's noncompliance fines are relatively small: either $5,000 or $10 per affected resident (whichever is greater, but can't exceed $150,000).
- Texas: The Identity Theft Enforcement and Protection Act requires businesses to notify customers about a breach that compromises their information. Businesses can be fined up to $100 per affected person per day, or up to $250,000 per breach.
For all these laws, an exposure of a name or identifier coupled with a data element (e.g., SSN, driver's license number, account number, or credit card number) can constitute a breach. The subtext for most of these laws? You're responsible for protecting data you collect from customers.
An Ounce of Data Security > A Pound of Data Recovery
You don't want to be caught off guard when you face a data breach, lest you face fines on top of other data breach costs. Moreover, you should do what you can to prevent a breach in the first place because it's your responsibility to do so. Here are some pointers that might help:
- Understand your state's data breach notification laws. Get your research underway with this guide from the National Conference of State Legislatures (NCSL).
- Encrypt personal data your business collects. Only authorized parties should have encryption keys. Work with a data security consultant to figure out who should have access to encrypted information.
- Create a data breach response plan. Know which parties you need to notify in the event of a breach and which professionals you need to call in to help you clean up the breach. Carrying Cyber Liability Insurance is also a smart move because this policy may provide funds for notification and cyber repair costs.
- Train your employees. Unfortunately, employees are often the weakest link in the data security chain. Combat the trend by training your employees on how to spot common cyber threats (e.g., phishing emails) and how to stave off these risks (e.g., not opening malicious links on work devices or accounts, using protected Wi-Fi to access work files, etc.).
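Here is a worked example of the "encrypt personal data" pointer above. It is added to this guide and is not code from the original post or from any vendor it mentions. It shows field-level encryption of a customer record in Go using AES-256-GCM from the standard library: the name and email stay readable so the record can still be looked up, while the data elements the state laws care about (SSN, card number) are stored only as ciphertext, and the key is never written next to the records. The record layout, the sample customer, and the function names are assumptions for illustration; the SSN and card values are constructed and not real.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// CustomerRecord is a constructed example of what the data store holds.
// Name and email stay in the clear for lookup; the "data elements"
// (SSN, card number) are stored only as AES-GCM ciphertext.
type CustomerRecord struct {
	Name  string `json:"name"`
	Email string `json:"email"`
	SSN   []byte `json:"ssn_enc"`
	Card  []byte `json:"card_enc"`
}

// NewDataKey returns a fresh 256-bit AES key. In a deployment the key lives
// in a key management service or HSM, never alongside the records.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one field with AES-256-GCM. A random nonce is prepended to the
// ciphertext; aad binds the ciphertext to its record and field so a value
// copied into another customer's record will not decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; any change to key, nonce, ciphertext or aad is rejected.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// fieldAAD derives the associated data for one field of one record.
func fieldAAD(email, field string) []byte { return []byte(email + "|" + field) }

// EncryptCustomer builds the record that would be written to the data store.
func EncryptCustomer(key []byte, name, email, ssn, card string) (CustomerRecord, error) {
	encSSN, err := Seal(key, []byte(ssn), fieldAAD(email, "ssn"))
	if err != nil {
		return CustomerRecord{}, err
	}
	encCard, err := Seal(key, []byte(card), fieldAAD(email, "card"))
	if err != nil {
		return CustomerRecord{}, err
	}
	return CustomerRecord{Name: name, Email: email, SSN: encSSN, Card: encCard}, nil
}

// DecryptSSN is the only path back to the plaintext SSN, and it needs the key.
func DecryptSSN(key []byte, r CustomerRecord) (string, error) {
	pt, err := Open(key, r.SSN, fieldAAD(r.Email, "ssn"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoredForm serialises the record as the database (or a stolen dump) sees it.
func StoredForm(r CustomerRecord) (string, error) {
	b, err := json.Marshal(r)
	return string(b), err
}

func main() {
	key, _ := NewDataKey()
	// Constructed sample customer; the SSN and card number are not real.
	rec, _ := EncryptCustomer(key, "Pat Example", "pat@example.com", "123-45-6789", "4111111111111111")
	stored, _ := StoredForm(rec)
	fmt.Println("stored:", stored)
	ssn, err := DecryptSSN(key, rec)
	fmt.Println("with key:", ssn, err)
	wrong, _ := NewDataKey()
	_, err = DecryptSSN(wrong, rec)
	fmt.Println("with wrong key:", err)
}
```

The point of the design is the one the pointer makes: whoever holds the records does not automatically hold the customers' data elements. A copy of the data store shows only base64 ciphertext, and decrypting it requires a key that your authorized parties control separately. Binding each ciphertext to its record and field name (the aad argument) also means a ciphertext cannot be moved between customers without detection. The hard part in practice is not the encryption call but the key handling, which is exactly what a data security consultant should help you decide.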
For more data security tips, stay current on our data breach blog series.