Businesses that want to limit their exposure to cybercrime can restrict the amount of information they collect electronically. But in today’s digital world, that doesn’t seem like an option for most companies.
Instead, they run the risk every day that hackers, or even disgruntled employees, will gain access to and acquire encrypted personal information.
Such breaches can cost a business thousands of dollars. Worse, companies can jeopardize public trust and their very existence when they fail to properly secure and protect client information from cyberattacks, experts said.
“For a small- or medium-sized business, you’re looking at the cost of notification alone that could put you out of business,” said Max Harris, chief business development officer at Netizen Corp. of Upper Macungie Township. “And when you talk about the damage outside of breach notifications to your brand, the erosion of consumer trust, more often than not for a small- or medium-sized business, it means either the loss of jobs or shuttering of a business in entirety.”
The first line of defense is limiting the information a business collects and stores from customers and vendors.
“It is uncommon that a company – big or small and regardless of the type of business – really needs to collect and keep the type of sensitive information that triggers a notification if there is a breach,” said Jack Gross, attorney at Allentown law firm Gross McGinley LLP.
But in a connected marketplace, even that does not offer complete protection.
“Even if they’re not collecting those things, every business now needs to understand that they are a target,” Gross said. “It doesn’t matter whether they are small or medium or large because computer networks are so interconnected. You cannot afford to be in business without the proper firewalls and proper security.”
Several studies, meanwhile, have found that the most effective ways for companies to prevent cyberattacks or limit liability are to develop a data-security policy and a data-breach response plan, so that company leaders know whom to call and what steps to take after discovering a data breach.
“Ten years ago, this was hardly an issue on anyone’s radar. Five years ago, your Fortune 500 companies were just coming to grips with these issues,” said Devin Chwastyk, an attorney with the Harrisburg-based law firm McNees Wallace & Nurick.
“Today, your medium to large companies are just coming to grips with cyber issues.”
In Pennsylvania, one of the final buffers is a state law known as the Breach of Personal Information Notification Act. It offers businesses some guidance in initiating, managing and processing a security breach notification.
The law requires businesses to notify any resident in Pennsylvania whose “unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person or parties.”
The legislation applies to businesses and vendors that collect and maintain personal information and to entities that destroy records.
In some instances, for example when notification extends to more than 1,000 people at one time, businesses are also required to notify “without unreasonable delay” consumer reporting agencies that collect and maintain files on consumers nationally.
In the absence of federal legislation establishing national guidelines for cybercrime responses, most states, including Pennsylvania, have passed legislation to protect confidential personal information that businesses collect and store electronically and to notify consumers of any security breaches.
The protected information includes Social Security numbers, driver’s license numbers, financial account numbers and credit or debit card numbers, in addition to security codes, access codes or passwords enabling access to financial accounts.
Pennsylvania enacted its security breach notification law in 2005. It took effect in 2006.
Reports of hacking during the 2016 presidential election underscore the need for more action at the federal level, Chwastyk said.
Observers, however, are taking a wait-and-see approach as President-elect Donald Trump assembles a staff.
“If he chooses someone who is hawkish on cybersecurity, then we can see an increase, or an amplified push, into cybersecurity regulation,” Harris said. “Right now, the frameworks that have been developed at the federal level are only digestible to a large, large enterprise.
“They’re not enforceable. They’re not implementable to small- and medium-sized business. That’s kind of where we are right now, trying to get small- and medium-sized businesses to understand there is a way to do this stuff without bankrupting a company.”