How to Protect Your Business from a Data Breach

The risk of suffering a data breach has never been higher. Small businesses are three times more likely than larger businesses to be targeted by cybercriminals.[1] The costs of a cyberattack, both in terms of financial and reputational damage, can be devastating to small businesses. Many business owners are aware of the risks of a cyberattack but have not taken the necessary steps to protect their data. It is important to note that all states have laws requiring data breach notifications.[2]

Data Breaches and Small Businesses: Know the Risks

Today’s businesses are increasingly data-driven. In our digital era, data is used to create new (and better) products and services, improve decision-making, and deliver a better customer experience. However, all of that data that businesses collect from customers, such as credit card numbers, email addresses, insurance details, Social Security numbers, and financial information, creates the risk of liability in the event of a breach. Data breaches—a general term that refers to any security incident resulting in unauthorized access to private information—are on the rise. Last year (2023) was the worst year on record for data compromises.[3]

Although the total number of victims from these security incidents was down from 2022, business owners are rightly concerned about data breaches. Around 80 percent say they are anxious about their company’s sensitive data and information. An even higher number (90 percent) believe data protection and compliance training is essential. However, just 60 percent of small business leaders report being proactive about preventing data breaches.[4]

Small businesses that fall victim to a data breach will likely take a financial hit; the reputational damage of a cyberattack can be as bad as direct costs such as investigation expenses, legal fees, business downtime, and fines or penalties. Businesses that suffer a data breach often also experience loss of customer trust, decreased revenue, brand damage, higher customer acquisition costs, and lower competitiveness.

Create and Implement a Cybersecurity Plan

From phishing, malware, and ransomware to “man in the middle” attacks, malicious code, and network vulnerabilities, there are myriad ways that bad actors can gain access to data. The good news is that having a cybersecurity plan can reduce exposure to cyberthreats and minimize liability if a breach does occur. Every plan should be tailored to the individual company, but the following basic principles can go a long way toward shoring up digital defenses:

  • Understand which data protection laws apply to your business and industry. Some federal laws, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, only apply to the medical and financial sectors, respectively. However, a growing number of state laws (e.g., California, Colorado, Utah, and Connecticut) and international laws (e.g., Europe’s General Data Protection Regulation) impose security and privacy obligations on companies that collect personal data.
  • Train employees. Because employee error plays a part in so many data breaches, workers must be trained in basic security practices: using strong, unique passwords and multifactor authentication on every account and service, and recognizing and reporting phishing emails.
  • Restrict data and data access. An employee cannot make a mistake that compromises internal data if they do not have access to that data in the first place, and customer data that is never stored cannot be exploited. Every stored data element, and every person who can reach it, widens the exposure in a breach. Limit both to what the business actually needs (the principle of least privilege for access, and data minimization for collection and retention). Some data privacy laws, such as the California Privacy Rights Act (CPRA) and GDPR, make data minimization and purpose limitation legal requirements.
  • Consider moving data hosting services off-premises. The Cybersecurity & Infrastructure Security Agency (CISA) recommends that small and medium-sized businesses outsource their on-premises mail and file storage services, as most smaller companies do not have the ability to secure them.[5]
  • Implement technical defenses. If moving data offsite is not feasible, internal systems should have protective measures in place such as firewalls, intrusion detection and prevention tools, antivirus software, and network segmentation. Moving data to a hosted service does not remove the need for these controls on the devices and accounts that still access it.
  • Perform regular cybersecurity audits. California’s CPRA and other data privacy laws mandate that certain companies perform annual cybersecurity audits that assess risks and document safeguards. Even if they are not required, such audits should be considered a cybersecurity best practice. CISA, the US Department of Labor, and the Federal Communications Commission offer additional cybersecurity program best practices for businesses.
  • Include data privacy in contracts. A company could be responsible for a data breach committed by a service provider, contractor, or other third party. Contractual terms that specify data protection obligations and limit a business’s liability for a third-party breach are now common.
  • Have a response plan. How a company responds to and communicates a data breach to its customers can mitigate adverse financial and reputational impacts. Aside from meeting federal and state-level reporting requirements, companies should be forthright about a data breach incident. Delays and obfuscations might only exacerbate the damage a breach causes. Notify customers right away about what happened, the types of data that may have been compromised, and next steps. Consider offering customers free credit monitoring and identity theft services and have a plan to fix network vulnerabilities.
  • Obtain cyber insurance. Cyber liability insurance can cover costs related to a data breach, including investigations, litigation, regulatory fines, and business interruption.
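The “restrict data and data access” principle above can be enforced in software rather than left to policy alone. The following is an added illustration, not code from the article or from any product it mentions: a small in-memory customer “vault” that (1) drops the card number and Social Security number before anything is persisted, keeping only a token and the last four digits, (2) returns each role only the fields its stated business purpose needs and refuses out-of-purpose requests, (3) writes an audit record for every allow and deny, and (4) purges records idle past a retention period. The field names, roles, purposes, retention period, and the sample intake form are all hypothetical and constructed for the example.

```python
"""Data minimization and least-privilege access to customer records.

Added example, not code from the article above. Field names, roles, purposes,
the retention period and the sample record are hypothetical; a real deployment
would back this with a payment tokenization service and an access-control system.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import secrets

# Purpose limitation: the fields each business purpose legitimately needs.
PURPOSE_FIELDS = {
    "support":   {"customer_id", "email", "card_last4"},
    "billing":   {"customer_id", "email", "card_token", "card_last4", "billing_zip"},
    "marketing": {"customer_id", "email"},
}

# Least privilege: the purposes each role may invoke. No role has a "read all".
ROLE_PURPOSES = {
    "support_agent": {"support"},
    "finance":       {"billing"},
    "marketing":     {"marketing"},
}

RETENTION_DAYS = 365  # hypothetical retention period


class AccessDenied(Exception):
    pass


@dataclass
class Vault:
    """In-memory stand-in for the customer datastore."""
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def ingest(self, raw: dict, today: date) -> dict:
        """Persist only the minimized record. The full card number and the SSN
        are dropped before storage; a random token stands in for the card (a real
        system would receive that token from the payment processor)."""
        pan = raw["card_number"].replace(" ", "")
        stored = {
            "customer_id": raw["customer_id"],
            "email": raw["email"],
            "billing_zip": raw["billing_zip"],
            "card_last4": pan[-4:],
            "card_token": secrets.token_hex(16),
            "last_activity": today,
        }
        self.records[stored["customer_id"]] = stored
        return stored

    def read(self, role: str, purpose: str, customer_id: str) -> dict:
        """Return the view of a record allowed for (role, purpose), logging the
        decision either way. Denied requests raise rather than returning {}."""
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self.audit_log.append(("DENY", role, purpose, customer_id))
            raise AccessDenied(f"role {role!r} may not use data for {purpose!r}")
        record = self.records[customer_id]
        view = {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}
        self.audit_log.append(("ALLOW", role, purpose, customer_id, tuple(sorted(view))))
        return view

    def purge_stale(self, today: date) -> list:
        """Retention: delete records idle longer than RETENTION_DAYS. Data that
        is no longer held cannot be exposed in a breach."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        stale = [cid for cid, r in self.records.items() if r["last_activity"] < cutoff]
        for cid in stale:
            del self.records[cid]
        return stale


# Constructed sample intake form as a customer might submit it (not real data).
SAMPLE_INTAKE = {
    "customer_id": "c-1001",
    "email": "pat@example.com",
    "card_number": "4242 4242 4242 4242",
    "ssn": "000-00-0000",   # collected by a form that should not be asking for it
    "billing_zip": "94105",
}


def demo() -> dict:
    """Run the vault through intake, three reads and a purge; return the outcomes."""
    vault = Vault()
    vault.ingest(SAMPLE_INTAKE, today=date(2024, 1, 15))
    out = {
        "stored_fields": sorted(vault.records["c-1001"]),
        "support_view": vault.read("support_agent", "support", "c-1001"),
        "marketing_view": vault.read("marketing", "marketing", "c-1001"),
    }
    try:
        vault.read("marketing", "billing", "c-1001")   # out-of-purpose request
        out["cross_purpose"] = "allowed"
    except AccessDenied:
        out["cross_purpose"] = "denied"
    out["purged"] = vault.purge_stale(today=date(2025, 6, 1))
    out["audit"] = list(vault.audit_log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design choices are worth noting. Access is keyed on a declared purpose rather than on the role alone, so a support agent who is later also given a billing duty gains only the billing fields and the change is visible in one table; and a denied request raises and is logged, so the audit trail shows attempted over-reach rather than silently returning an empty record.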

Do Not Let a False Sense of Data Security Hurt Your Business

Small businesses that have failed to address cybersecurity concerns might already be in violation of data protection laws. Those with minimal digital defenses in place leave themselves vulnerable to a cyberattack.

If you collect any customer data, you should expect attempts to gain unauthorized access. Our business lawyers can advise you about what the law requires and how to minimize the liability you could face in the event of a data breach. For insights on how to legally protect your business, please schedule an appointment.

 

[1] Eric Goldstein, Accelerating Our Economy Through Better Security: Helping America’s Small Businesses Address Cyber Threats, Cybersecurity & Infrastructure Sec. Agency (May 3, 2023), https://www.cisa.gov/news-events/news/accelerating-our-economy-through-better-security-helping-americas-small-businesses-address-cyber.

[2] 2022 Security Breach Legislation, Nat’l Conf. of State Legislatures (Sept. 29, 2022), https://www.ncsl.org/technology-and-communication/2022-security-breach-legislation.

[3] Phil Muncaster, US Smashes Annual Data Breach Record With Three Months Left, Infosecurity Magazine (Oct. 12, 2023), https://www.infosecurity-magazine.com/news/us-smashes-data-breach-record/.

[4] The hidden costs of data breaches for small businesses, Help Net Security (Oct. 31, 2023), https://www.helpnetsecurity.com/2023/10/31/small-business-data-safety/.

[5] Goldstein, supra note 1.