Data Is Your Greatest Asset and Biggest Liability
If you have sensitive or protected data in your care, custody or control, you have obligations to safeguard that data and can be held liable for its disclosure. Data that is crucial to your company's success is also highly valuable to others, and easily monetized.
Calculating criminals are looking for your personally identifiable information, protected health information, payment card information, intellectual property, authentication credentials, insider information, and more. Disclosure of sensitive data can put your balance sheet and your small business in serious jeopardy. In fact, 71% of security breaches target small businesses [1], and a staggering 60% of small businesses close within six months of a cyber attack [2].
Identifying the data you have is the first step to truly understanding your exposure to data breach liability. It can be an onerous exercise, but it is necessary. For example, you should identify paper and electronic records for active and inactive clients and customers, and for employees and their families. You may be surprised to learn that the majority of privacy laws treat paper records just like electronic ones: losing a filing cabinet is a breach too.
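The inventory step above is usually started with a scan of the file shares and mailboxes the business already has. The following is an added example, not code from the original article: a small Python scanner that walks a directory, looks for the record types the article names (SSN-shaped identifiers, email addresses and payment card numbers), and reports per-file counts. The regular expressions, the sample files it writes into a temporary directory, and the `demo()` helper are all assumptions constructed for this example; card candidates are confirmed with the Luhn check so that invoice numbers and other digit runs are not counted as cards.

```python
import re
import tempfile
from pathlib import Path

# Record types to look for. These patterns are assumptions made for this
# example; tune them for your own environment (e.g. add your national ID format).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13-19 digits, optionally separated by spaces or dashes.
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Constructed sample files. The third one holds a digit run that is
# card-shaped but fails the Luhn check, so it must not be reported.
SAMPLE_FILES = {
    "clients/active.csv": "name,email,card\nJane Doe,jane.doe@example.com,4111 1111 1111 1111\n",
    "hr/employees.txt": "John Roe SSN 123-45-6789 spouse: Mary Roe SSN 987-65-4320\n",
    "notes/readme.txt": "Invoice 1234567890123456 is not a card number.\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PAN-shaped numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count SSN-shaped IDs, email addresses and Luhn-valid card numbers in text."""
    counts = {
        "ssn": len(PATTERNS["ssn"].findall(text)),
        "email": len(PATTERNS["email"].findall(text)),
        "card": 0,
    }
    for candidate in PATTERNS["card_candidate"].findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            counts["card"] += 1
    return counts


def inventory(root: Path) -> dict:
    """Walk root and return {relative path: counts} for every file holding something."""
    found = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # skip binary noise quietly
        except OSError:
            continue
        counts = scan_text(text)
        if any(counts.values()):
            found[path.relative_to(root).as_posix()] = counts
    return found


def demo() -> dict:
    """Write the constructed sample files to a temp directory and inventory them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return inventory(root)


if __name__ == "__main__":
    for rel, counts in demo().items():
        print(rel, counts)
```

Run it against a real share by calling `inventory(Path("/path/to/share"))`; the output is the starting point for the paper-and-electronic inventory the article describes, not a substitute for it, because scanners only see what they can read.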
Obscurity Is Not Security
The single biggest oversight of most small businesses is the belief that they will not be the target of a cyber attack because of their size.
Here's the reality: hackers enjoy a big payout, but they are also opportunistic. They prey on the weak and are in business to make money. Hackers do not discriminate; your small business data is just as valuable to them and fetches the same black market price as the data found at large companies.
You would have to live under a rock not to be aware of the mega-sized data breaches that have occurred in the past few years. News stories are splashed across the front pages of our newspapers and reported like baseball scores on our cable news networks. They are big and sensational, and they lead us to believe that only the largest companies get breached. This is simply not true.
Nano-organizations experienced the most data breach incidents (29%), followed closely by small organizations (25%). Further, extremely large breaches occurred in nano, small and large organizations alike [3].
Still think you are relatively unnoticeable and not a target? Ask yourself these questions:
- Does your business have an online presence?
- Does your business connect to the internet?
- Does your business transact credit cards?
- Does your business email clients or vendors?
- Does your business provide an e-portal for your clients or vendors to connect with you?
- Does your business have a bring your own device (BYOD) policy?
If you answered yes to any one of these questions, assume that malicious actors can identify your business as a potential target.
Your Vendors Want Your Business but Not the Liability
As a small business owner you have to wear a lot of hats to ensure the success of your business. In many instances, delegating responsibilities to a third party who specializes in a particular professional service can give your business more expertise, functionality, security, freedom to grow and, hopefully, peace of mind. However, you need to read your contract carefully, right down to the fine print.
Whether you engage a cloud service provider, an internet service provider, a payroll processor, a POS vendor or any number of professionals to assist you with the day-to-day functioning of your business, you need to understand where liability for the contracted services lies.
The first thing you must know before entering into any contract is that privacy laws hold the "store front" (not the contracted service provider) responsible for a data breach. This means that if your business grants a third party provider access to any protected data in your care, custody or control, and the third party provider discloses this data, your business will be subject to privacy laws, data breach notification requirements and the resulting regulatory investigations, fines and penalties.
It is important to understand how much liability your business can shift to the third party service provider for their acts, errors or omissions. Unfortunately, the majority of service provider contracts provide little in the way of indemnification for the service provider's acts, errors or omissions. Even where indemnification is provided, it typically caps liability at the value of the contract, which will likely not cover the burdensome cost of complying with privacy regulation ($221 per record in the US [4]). Additionally, many service provider contracts contain language that requires your business to indemnify them for their acts, errors or omissions.
Considering that third party service providers accounted for 25% of the data breach claims submitted in 2015 [5], service provider contracts should be carefully reviewed and considered.
The Human Factor
If small businesses are the lifeblood of our economy, it certainly holds true that the success of any small business relies heavily on its employees. But beware, employees are also a hacker’s best friend and they may not be aware of this ongoing relationship.
Hackers will take advantage of any opportunity, and even the best cyber security in the world can be breached by human negligence. Lost or stolen laptops and mobile devices, clicking on links that deliver malware, replying to a phishing email with password information, wiring money on instructions from a compromised email account, and more, have all led to large data breaches and significant costs that have had a major impact on a company's bottom line.
In 2015 one quarter (25%) of all data breaches were caused by human error [6]. While business owners have to be vigilant in their IT cyber security, failing to address this vulnerability with employee awareness, education and training will leave your business susceptible to a breach.
Small business exposures are really no different from those of their larger counterparts. However, unlike their larger counterparts, small businesses often do not have the resources to allocate to these exposures and address them adequately. Further, they may not have the leverage to amend contractual liability in their favor.
So what should a small business do? Prevent breaches before they happen. Identifying your data assets and correlating them to your exposures and liability is a necessary first step in assessing your balance sheet vulnerabilities and proactively creating steps to prevent or mitigate potential harm.
[1] US Small and Medium-Sized Business 2014-2018 Forecast, IDC
[2] Staysafeonline.org, Small Business Online Security Infographic
[3] NetDiligence® 2015 Cyber Claims Study, eRiskHub® Exclusive Expanded Edition
[4] 2016 Cost of Data Breach Study: Global Analysis
[5] NetDiligence® 2015 Cyber Claims Study, eRiskHub® Exclusive Expanded Edition
[6] 2016 Cost of Data Breach Study: Global Analysis