According to an article by the Brattleboro Reformer, a small gift store in Vermont was fined $3,000 by the attorney general’s office. The offense? The Shelburne Country Store didn’t inform its customers of a credit card security breach. Turns out, the shop’s website was hacked last year, exposing 721 online shoppers’ credit card information.
If nothing else, this story reminds small-business owners of two important things:
- Any business – of any size – can face a data security breach.
- Under many state laws, fixing the breach is not enough; the business must also report it, to regulators and to the affected individuals, within set deadlines.
Let’s take a look at how some states are attempting to address the rising problem of data breaches by creating stricter reporting requirements (and fines for businesses that don’t comply).
States Buckle Down on Data Breach Reporting Requirements
Though the Shelburne Country Store promptly fixed its security vulnerabilities, it failed to comply with Vermont’s Security Breach Notice Act. Under this law, businesses must…
- Inform the attorney general of the breach within 14 business days of its discovery.
- Notify customers about the breach within 45 days.
When businesses neglect these reporting obligations, they can be fined. And Vermont isn’t the only state enforcing these types of policies. SecurityInfoWatch.com reports that Kentucky recently enacted two laws that tighten data breach reporting requirements.
Both public agencies and private businesses in Kentucky must alert one or more of the following entities when a data breach occurs, depending on which is directly involved:
- Kentucky State Police.
- Auditor of public accounts.
- Attorney general.
- Kentucky Department of Education.
- Council on Postsecondary Education.
Unlike Vermont, Kentucky’s laws don’t specify a time period for alerting individuals affected by the breach.
Also worth noting is that the new legislation doesn’t regulate the already regulated health industry. As you may already know, the Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities (and, under HITECH, their business associates) to report data breaches. (Learn more about HIPAA, HITECH, and data breaches here: “HIPAA Has Teeth: What Accountants, Lawyers, and Other Professionals Need to Know When Working with Clients in Healthcare.”)
How Small Businesses Can Manage Data Security Risks
In addition to knowing your state’s reporting laws, the best way to stay on the right side of the law is to avoid a breach altogether. Easier said than done, right?
Perhaps these tips can help:
- Don’t keep highly sensitive data in your databases. Unless you’re a healthcare professional and you must allow your patients online access to their health records, it’s best to keep confidential information offline as much as possible. Store only what you need for as long as you need it: never store card verification codes, and avoid storing full card numbers at all; let your payment processor hold them and keep only a token or the last four digits. Data you never collected cannot be breached.
- Encrypt everything sensitive. This includes security codes, access codes, and personally identifiable information, with the encryption keys kept separate from the data they protect. Passwords are the exception: they should never be stored encrypted, since anything encrypted can be decrypted; instead, store them using a slow, salted password hash such as bcrypt, scrypt, or Argon2. Though many small businesses skip this step, it puts another obstacle between the hacker and your valuable information, and many state breach notification laws do not treat properly encrypted data as breached when the key was not also exposed.
- Enact companywide data handling procedures. Outline policies for handling sensitive information, and train your employees on these policies. Your protocol should also detail how and when to notify affected parties after a breach per your state’s regulations, including who decides whether an incident is reportable and who tracks the deadline from the date of discovery.
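To make the first two tips concrete, here is an added example (written for this article, not code from the store, the state, or any vendor named above) of what a small online shop might do with an order record before it touches the database: keep only the last four digits of the card, store a keyed HMAC fingerprint of the card number so repeat customers can still be matched without the number itself being on disk, and store the customer’s password as a salted scrypt hash rather than reversibly encrypted. The `SAMPLE_ORDER` record, the `FINGERPRINT_KEY`, and the function names are all assumptions for illustration; a real deployment would keep the fingerprint key in a secrets store, not in source.

```python
import hashlib
import hmac
import os

# Constructed sample order for illustration only; not real customer data.
SAMPLE_ORDER = {
    "email": "shopper@example.com",
    "card_number": "4111 1111 1111 1111",
    "password": "correct horse battery staple",
}

# Assumed server-side secret used only to fingerprint card numbers.
# In production this would come from a secrets manager, never from source.
FINGERPRINT_KEY = bytes.fromhex(
    "9f1c2b3a4d5e6f70819293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8"
)

# scrypt work factors: 128 * N * r bytes of memory (16 MiB here) per hash,
# which is what makes offline guessing expensive for an attacker.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing 'scrypt$N$r$p$salt$hash' string.

    The salt and parameters are stored with the hash so they can be
    raised later without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=32,
    )
    # compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def normalize_pan(card_number: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' match."""
    return "".join(ch for ch in card_number if ch.isdigit())


def card_fingerprint(card_number: str, key: bytes) -> str:
    """Keyed HMAC of the card number: lets the shop recognise a returning card
    without storing the number. Without the key, the fingerprint cannot be
    brute-forced back to a card number the way a plain SHA-256 could be."""
    return hmac.new(key, normalize_pan(card_number).encode("ascii"), hashlib.sha256).hexdigest()


def minimize_order(order: dict, key: bytes) -> dict:
    """Produce the record that is safe to persist: no full card number, no CVV,
    no plaintext password."""
    pan = normalize_pan(order["card_number"])
    return {
        "email": order["email"],
        "card_last4": pan[-4:],
        "card_fingerprint": card_fingerprint(pan, key),
        "password_hash": hash_password(order["password"]),
    }


if __name__ == "__main__":
    record = minimize_order(SAMPLE_ORDER, FINGERPRINT_KEY)
    for field, value in record.items():
        print(f"{field}: {value}")
    print("login ok:", verify_password(SAMPLE_ORDER["password"], record["password_hash"]))
```

The point of the stored record is what it lacks: if the shop’s database is dumped, the attacker gets last-four digits, a keyed fingerprint they cannot reverse without the separately held key, and password hashes that cost them 16 MiB of memory per guess. The full card number never needs to exist server-side beyond the payment call itself.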
Of course, even your best efforts to improve your data security might not be enough to keep a persistent hacker at bay. That’s why small-business owners should always have a backup plan in place. Cyber liability insurance can help your business recover from a data breach by covering the cost of notifying affected parties, investigating and repairing the breach, and more.