Small Businesses and Cyber Attacks

Avoid being liable for security breaches.

The reality of a cyber attack has become more of a “when” as opposed to an “if.” All companies are vulnerable to a breach regardless of their size. The Federal Trade Commission has advised that “information security should be a priority for every business in America.” There are five types of identity theft: financial, driver’s license, social security, medical and character/criminal. Employers can be held liable for any or all of them. Obviously, it is important for companies to take steps to protect employees’ and customers’ information.

Michael Hall, a certified identity risk management specialist, says an employer can be subject to criminal liability for data theft as well as civil liability to employees whose personal information has been stolen. So what can you, as an employer, do to prevent these breaches? Hall suggested some basic steps:

  • Develop a written data protection plan. The plan should be designed to protect all data throughout the company.
  • Appoint a security manager. This should be an upper level managerial employee.
  • Provide training for employees. Employers should implement a training schedule and ask every employee to sign an agreement that he or she will follow the company standards.
  • Before you outsource any company function, investigate that firm’s data security practices.
  • Consider offering identity theft protection as an employee benefit. This typically would include restoration services.

Employers cannot prevent all breaches. However, showing that you took all the steps that you reasonably could have taken will go a long way toward defending a legal action and mitigating fines and penalties.

Cyber attacks can be extremely harmful to employers not only for the legal implications, but also the potential loss of reputation, customer trust and loyalty. While no policy can completely insulate an employer from a cyber attack, measures can be taken after a breach to limit the damage. A swift and effective response to a breach is a vital component of restoring a company’s reputation and complying with the legal obligations imposed by state law.

BLR’s (Business & Legal Resources) Top 10 Best Practices in HR Management suggests employers take the following steps should a breach occur:

  • Do not cover up the breach. Report it in a timely manner and offer help to affected individuals.
  • Investigate the breach and determine its scope.
  • Contact law enforcement officials.
  • Determine the organization’s notice obligations under applicable state law and prepare the required notice.
  • Contact CERT (Computer Emergency Response Team) immediately.
  • Have the employee that detected the possible breach take notes on what he or she observed.
  • Notify upper management via telephone or in person rather than e-mail.
  • Notify employees of a possible breach on a need-to-know basis.
  • Contact legal counsel or the legal department.
  • Contact public relations specialists, if necessary.
  • Follow up after the breach by conducting meetings and briefings, taking appropriate remediation action, and improving your security policy, if necessary, to prevent future breaches.

Many states have laws that mandate what employers must do when a breach occurs. The demand for cyber risk insurance is on the rise and a company can select a policy that best fits its needs.

NJBIA is having a Cybersecurity Summit on May 10th at the Bridgewater Marriott. The keynote speaker is Timothy P. Ryan, managing director, cyber security and investigations at Kroll Associates, Inc.
