By Robert J. Munnelly, Jr., Esq.
Data security measures are critical for all businesses to implement, but pose challenges for small businesses and entrepreneurs in particular. These data security threats are multiplying, as recently highlighted by the worldwide spread of the “WannaCry” and “Petya” ransomware viruses, but small businesses often lack the resources to retain specialized staff dedicated to implementing top-line protective measures.
In order to minimize chances of a harmful cyber breach, small businesses should focus on the following prioritized actions:
- Identify and technically lock down all sensitive electronic information. Small businesses should determine what data is retained, review existing computer protections, and consider upgrading these protections to ensure that the data will remain protected against various possible threats. This review should include personal information (PI) of employees, customers, and vendors such as names and sensitive numbers (i.e. social security, credit/debit card, bank account and driver’s license numbers). It should also include competitively sensitive, non-PI information, such as trade secrets and customer lists. If the data is essential to your business, be prepared to devote management attention and resources to reflect that importance.
- Secure hard copy PI and other sensitive documents. Paper copies of PI and sensitive records should be locked down through sound physical security and operational practices. Files should be kept in locked cabinets or offices when not in use. Operational practices should include:
- Front door security (receptionist or keyed entry only);
- Mandatory escorts for guests;
- Prohibition on paper records leaving the office; and
- Denied access to terminated employees of company computers or paper records and immediate return of all company-owned computer and remote access devices.
- Review vendor security practices. Vendors holding a company’s PI and sensitive information are often the proverbial weakest link and root cause of major breaches. Accordingly, you should review the security practices of your vendors almost as closely as you review your own, including:
- Conducting due diligence on new vendors to determine the extent of their data security programs/practices and their history of security breaches;
- Sending periodic questionnaires to existing vendors; and
- Requesting specific data-related provisions in vendor contracts that would include: required maintenance of a data security program, providing notice to you if they experience a security breach, and possible indemnification for losses caused by breach of business-critical data.
- Encrypt laptops. Loss or theft of unencrypted laptops and other devices has been a significant source of breach liability. Encryption technologies are becoming increasingly inexpensive, and implementation is critical to securing PI on laptops. The same holds true for PI transmitted over emails. Email encryption programs are inexpensive – and oftentimes included on many email or perimeter defense platforms – and should be implemented to minimize opportunities for electronic access while sensitive data is “in motion.”
- Review insurance coverages, including cyber coverage for data intensive businesses. Due to security breaches and breach-related losses, most general liability policies now provide only limited coverage for losses or harms due to a data breach. If your business heavily uses PI (i.e. retail and data processing businesses), consider supplemental cyber insurance coverages that cover breach-related harms, including:
- Costs of breach counsel;
- Computer forensics and audits;
- Mailed notices to affected customers;
- 800 number service to answer customer questions;
- Credit monitoring offers;
- Regulatory and litigation costs and/or;
- Business interruption expense.
Costs and coverages may vary, so find a broker who can help select the right coverages tailored to your business needs. If you do not know a broker, contact your attorney or another trusted advisor for referrals.
- Implement a strong WISP and other security policies. Developing and maintaining a comprehensive written information security plan (WISP) is increasingly important for small businesses. By using this plan to address the sensitive data you keep, how you will protect it, and who at the business will take personal responsibility for maintaining and updating a strong security program, you will ensure sound cyber fitness. The WISP should be shared throughout the organization, thereby minimizing chances for obvious security holes and/or data losses resulting from ignorance of existing policies.
Small and start-up businesses should create and implement other key security policies, including:
- A disaster recovery plan that covers data back up and prompt recovery in cases of fire, cyberattack, or natural disasters; and
- An incident response plan that:
- Identifies internal and external resources needed to address security breaches (e.g., internal it personnel, external breach counsel, external computer forensics consultants, insurance broker for cyber and conventional coverages, etc.),
- Identifies statutory and contractual disclosure obligations if a breach occurs, and
- Lists recommended action items in the event of a potential breach.
- Train Staff on a regular, at least annual, basis. Staff must be knowledgeable of WISP requirements and operational practices needed to avoid security problems (good passwords, email phishing avoidance, wire transfer manual confirmations, destruction of PI upon disposal). Conducting annual training on the anniversary of WISP adoption is recommended to assure good practices and defend against any post-breach claims.
- Review security policies annually and commission third-party reviews periodically. WISPs must evolve to account for new threats and protective measures, as well as changing business needs. We strongly recommend reviewing WISP and other policies annually in order to account for new business lines, new office locations, and any security-or breach-related incidents over the prior year. Additionally, WISPs and electronic security measures should be periodically reviewed by third parties – including outside counsel and breach audit firms – to test the quality of your protections and identify any additional priority action items.
As cyber threats continue to increase, small businesses are becoming easy targets for cyber criminals. Implementing the practices listed above will help ensure that you are well prepared in the event of a breach, and will help protect your company’s financial resources, customer loyalty, and reputation.
Robert J. Munnelly, Jr. practices in the Regulatory area at Davis, Malm & D’Agostine. His data security and information privacy practice focuses on advising and working with companies to develop written plans, improve security-related polices, support compliance training, and respond to potential security breaches. He also has substantial experience working with companies in other regulated industries and in appellate practice in state and federal courts. Robert can be reached at firstname.lastname@example.org.