While it may be impossible to prevent all cyber-attacks, being prepared will allow for minimal business interruption and limit legal exposure.
The number of cyber-attacks on businesses, and their severity, seems to increase each year. Data breaches at Target, Home Depot, Equifax and numerous other large companies have dominated the news for the last several years. But with the media's focus on these major attacks, a common misconception persists that hackers do not target small businesses.
However, a 2018 Verizon Data Breach Investigations Report revealed that 58 percent of data breach victims are small businesses. A 2017 report from the Ponemon Institute found that 61 percent of the nation’s 30 million small businesses experienced cyber-attacks in the past 12 months. The threat posed by hackers to small businesses is real—and it carries significant financial and legal ramifications.
NIST Small Business Cybersecurity Act
Acknowledging the growing threat of cyber-attacks on small businesses, Congress enacted the NIST Small Business Cybersecurity Act in August 2018. The Act requires the director of the National Institute of Standards and Technology, a non-regulatory agency of the U.S. Department of Commerce, to issue guidance and a consistent set of resources to help small businesses identify, assess and reduce their cybersecurity risks.
NIST's forthcoming resources will be widely applicable and technology-neutral and "include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships." While the Act will not render small businesses impervious to attack, the bipartisan measure is intended to strengthen security and assist in fending off future cyber-attacks.
Potential Liability for Companies That Experience a Data Breach
Companies that experience a data breach often find themselves defending lawsuits from those whose personal information has become vulnerable to disclosure. Plaintiffs have successfully stated causes of action for: (1) negligence for failure to protect data; (2) breach of contract (express and/or implied) for failure to protect data; and (3) failure to comply with state statutes.
Illinois has one of the most stringent data breach statutes in the country: the Illinois Personal Information Protection Act (815 ILCS 530/1, et seq.). The Act requires private businesses that “handle, collect, disseminate, or otherwise deal with nonpublic information” to implement and maintain reasonable security measures to protect against unauthorized access, acquisition, destruction, use, modification or disclosure. Nonpublic personal information includes: (a) an individual’s name in combination with a social security number, driver’s license number, credit or debit card number, medical information, health insurance information or unique biometric data; or (b) a username or email address in combination with a password or other method of access to an online account.
In the event of a data breach, the Act requires businesses to notify those affected “in the most expedient time possible and without unreasonable delay.” The disclosure must include toll-free numbers, addresses and websites for consumer reporting agencies and the Federal Trade Commission, along with an explanation for how to obtain fraud alerts and security freezes.
A violation of the Act allows for those affected to file suit under the Consumer Fraud and Deceptive Business Practices Act. A prevailing plaintiff may recover both compensatory and punitive damages, along with attorney’s fees.
Guidelines for Preventing and Handling Cyber-Attacks
NIST currently recommends that small businesses adopt its Cybersecurity Framework, a continuous cycle of five functions for defending against cyber-attacks and safeguarding personal information:
- Identify: Understand cybersecurity risks by identifying and controlling who has access to business information, conducting comprehensive background checks, requiring individual user accounts for each employee, and creating policies and procedures for information security.
- Protect: Defend against potential cyber-attacks by limiting employee access to data and information, installing surge protectors and uninterruptible power supplies, patching operating systems and applications, installing software and hardware firewalls on all business networks, securing wireless networks, utilizing web and email filters, using encryption for sensitive information, disposing old electronics and media safely, and training employees on policies and procedures.
- Detect: Discover cyber-attacks in a timely fashion by installing and updating anti-virus, anti-spyware, and anti-malware programs, and maintaining and monitoring logs.
- Respond: Contain or reduce the impact of a cyber-attack, once detected, by appropriately handling information and information systems, contacting emergency personnel and other professionals (e.g., cybersecurity, legal, service providers, insurance), and notifying affected customers in accordance with state law.
- Recover: Resume normal operations after a cyber-attack by keeping backups of important data and information, considering cyber liability insurance, and continually improving processes, procedures and technologies.
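The Detect function above asks small businesses to maintain and monitor logs, but the guidance does not say what "monitoring" looks like in practice. The following is an added illustration, not code from the article or from NIST: it reads a handful of constructed OpenSSH-style authentication log lines (hypothetical hosts and addresses), flags any source address that produces five failed logins within one minute, and then escalates if that same address goes on to log in successfully. The threshold, window and log format are assumptions; adjust them to the systems you actually run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, syslog/OpenSSH style. Hostnames and IPs are hypothetical.
SAMPLE_LOG = """\
Mar 10 09:14:01 fileserver sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 10 09:14:03 fileserver sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Mar 10 09:14:05 fileserver sshd[4121]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar 10 09:14:08 fileserver sshd[4121]: Failed password for root from 203.0.113.7 port 51018 ssh2
Mar 10 09:14:10 fileserver sshd[4121]: Failed password for alice from 203.0.113.7 port 51020 ssh2
Mar 10 09:14:12 fileserver sshd[4121]: Accepted password for alice from 203.0.113.7 port 51022 ssh2
Mar 10 09:30:44 fileserver sshd[4187]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Mar 10 09:31:02 fileserver sshd[4190]: Accepted publickey for bob from 198.51.100.20 port 40003 ssh2
Mar 10 10:05:17 fileserver sshd[4302]: Failed password for bob from 198.51.100.20 port 40010 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text, year=2019):
    """Turn raw lines into (timestamp, result, user, ip) tuples.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    Lines that do not match the pattern are ignored rather than crashing the monitor.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_failed_login_bursts(events, threshold=5, window_seconds=60):
    """Sliding window per source IP: alert once when `threshold` failures fall inside `window_seconds`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, result, _user, ip in sorted(events):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "failures": len(q), "first": q[0], "last": ts})
    return alerts


def detect_success_after_burst(events, alerts):
    """Higher severity: a successful login from an IP that already tripped the burst rule.

    A burst followed by an 'Accepted' is the signature of a password-guessing attack that worked,
    which is the point at which the Respond function (containment, legal, notification) begins.
    """
    burst_end = {a["ip"]: a["last"] for a in alerts}
    hits = []
    for ts, result, user, ip in sorted(events):
        if result == "Accepted" and ip in burst_end and ts >= burst_end[ip]:
            hits.append({"ip": ip, "user": user, "at": ts})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bursts = detect_failed_login_bursts(evs)
    for a in bursts:
        print(f"ALERT  {a['ip']}: {a['failures']} failures between {a['first']} and {a['last']}")
    for h in detect_success_after_burst(evs, bursts):
        print(f"CRITICAL {h['ip']} logged in as {h['user']} at {h['at']} after a failed-login burst")
```

Running it on the constructed sample raises one alert for 203.0.113.7 and one critical finding for the subsequent login as alice; the two widely spaced failures from 198.51.100.20 stay below the threshold, which is the intended behaviour for ordinary mistyped passwords. The same shape (parse, window per source, escalate on a second signal) carries over to web-server, VPN or cloud-console logs once the regular expression is swapped for that format.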
In today's business environment, it is important for companies of all sizes to understand the threat of cyber-attacks and to take measures to prevent them. While it may be impossible to prevent all cyber-attacks, being prepared will allow for minimal business interruption and limit legal exposure.