by Pat Gordon
March 8, 2017
As if you don’t have enough things to think about while running your own business – ever-increasing competition for customers and employees, managing bills and cash flow, learning all the ins and outs of social media marketing and which human resource laws and regulations you need to pay attention to and which ones you don’t – then along come cybersecurity and data breaches!
Like a lot of business owners, you might be thinking (hoping) that it probably won’t happen to you. After all, you have a small business, a small database of customers and maybe you don’t even collect credit card information – just names and addresses and a little history of purchases.
Identity theft can be accomplished simply with a person’s name and their email address. Once a hacker reaches a friendly customer service representative at almost any place the individual might shop (think Amazon, Wal-Mart, Target), they can simply change the mailing address on the account and the fun begins.
Why would someone want to go after YOUR customers’ information? Why not go after the big guys? Large businesses have legal departments and data security personnel who are well aware of the dangers of security breaches. They have been putting protections in place since the early 1980s when modern-day hackers were just getting started. (Watch the film The 414s: The Original Teenage Hackers…those kids were ahead of their time!)
Unfortunately, most small business owners don’t take the time to put protections in place before an incident occurs and they don’t realize what they need to do when their customer information is stolen. And by the way, don’t forget how much information you collected on your employees when you hired them – you are responsible for protecting their information also.
- According to the Florida Information Protection Act, Florida Statute 501.171, which became law in July 2014, a business must send written notice to the Florida Department of Legal Affairs if 500 or more records were potentially breached. (It doesn’t take too long for a business to collect 500 names in their database if they’re doing their marketing well.)
- The written notice must be received within 30 days of realization of a possible breach and include a description of the event, remedies for future protection and services provided to the possible victims.
- The Department of Legal Affairs will then request police reports, possibly computer forensic reports and your business’ previously established policies for protecting data.
- If you do not properly notify the Department of Legal Affairs and all those individuals who might be affected, your business can be liable for fines in the amount of $1,000 each day up to the first 30 days and $50,000 for each additional 30-day period.
- If the violation continues for more than 180 days, the fine can be up to $500,000 per breach.
- These costs don’t include the expense of going to court if you are sued.
- Even if your data breach involves a small number of individuals, your business can still be sued for negligence by individuals, attorneys and the Bureau of Consumer Protection.
For small businesses that don’t have the luxury of an in-house legal department, one of the most critical things for a business owner/manager to do now is to create company policy as to how you are going to protect your customers’ information:
Step 1 – Think about how your data could be better protected.
Step 2 – Decide what information to keep, how long to keep it and how to protect it.
Step 3 – Lock up computers, change passwords often, lock file cabinets and offices.
Step 4 – Put Steps 2 and 3 in writing and add them to your policies and procedures manual.
Step 5 – Ask your insurance agent about the cost of data breach insurance.