Recent headlines have publicized the expanding duties that courts and governments everywhere are imposing on businesses to take measures to protect against the unauthorized access to and theft of people’s sensitive personal information—whether it be the GDPR (the EU’s onerous General Data Protection Regulation), the California Consumer Privacy Act (set to take effect in 2020), New Jersey’s nine pending pieces of legislation related to cybersecurity and data, or the Pennsylvania Supreme Court’s recent ruling that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer.

Many small to medium-sized business owners assume that such laws do not apply to them, or that data breaches are a “big corporation” problem, but U.S. businesses of all sizes are vulnerable to cyberattacks and privacy violations. While there is no way to totally prevent data breaches, there are manageable, discrete steps that businesses can take to significantly minimize the risks associated with data privacy violations and cybersecurity attacks. Archer’s Data Privacy & Cybersecurity Group can help you assess your current cybersecurity environment and consider taking various steps to mitigate the risk of attack and limit potential liability. The following is a list of a few of the most common issues that prudent businesses address when making these assessments.

1. Understand where your business stores data

The first step to improving your business’s cybersecurity is knowing where it stores data. Is it in the cloud, on servers, on hard drives, etc.? Do you use third parties to store your data? You can’t begin to improve your business’s cybersecurity until you know exactly where your data lives.

2. Understand what types of data your business stores and for how long it stores it

It’s important to understand the categories of data that your business collects and stores to determine which data privacy laws apply to you. For example, if you possess highly confidential health information, or personal data of EU residents, you must comply with HIPAA and/or GDPR in addition to state-specific privacy laws governing personally identifiable information (commonly defined as information that can be used on its own or with other information to identify an individual, such as name, social security number, date and place of birth, etc.). Moreover, certain privacy laws prohibit businesses from storing data for longer than necessary. Be familiar with your business’s storage policies. If you don’t have a formal storage policy, consider adopting one commensurate with your obligations under applicable privacy laws.

3. Understand your current IT security controls, preventative techniques and incident response plan

Ask your IT department or IT provider how they are protecting your data. Do they use encryption, access controls, or other security mechanisms? Do they routinely apply security patches from your software vendors? You should know how your business investigates cybersecurity incidents and assesses its legal obligations to report them. Each state’s law, and other potentially applicable laws, impose different breach reporting requirements and deadlines, and some require reporting within 48 hours. If you don’t already have one, create an incident response plan that documents how everyone, from staff to IT to legal to executives to other vendors, should respond to a cyber incident. You may wish to involve an outside data breach forensic investigator and/or an insurance broker in creating such a plan. Businesses also practice their cybersecurity incident response plans in drills known as tabletop exercises.

4. Appoint someone to be in charge of cybersecurity

Appoint someone—commonly called a “Chief Information Security Officer” (CISO)—or a number of people within the organization to serve in a leadership position responsible for cybersecurity strategy, and to serve as a contact point for outside vendors. If your business is small, it’s possible to limit costs by outsourcing this position to a professional.

5. Train your employees on cybersecurity

Cybersecurity is not just an issue for the IT department. Your employees are both another line of defense against cyberattack and a potential point of vulnerability. Businesses should train their employees on potential threats including ransomware, phishing, SMiShing (SMS phishing), and other social engineering techniques designed to make employees download malware, disclose their login credentials, or cause a business to send money to cyber criminals. Employees should be trained on what to do in the event they receive a suspicious email. Once trained, test your employees through periodic drills to ensure all employees are following cybersecurity policies.

6. Review your internal IT Policies

Do you have a written IT policy that governs your employees? Is it up-to-date, and does it address the security ramifications of bring your own device (BYOD) practices, working remotely, and social media?

7. Review your external IT Policies

Do you have a current, accurate privacy policy that complies with applicable federal, state, and/or international laws? A privacy policy is a document provided by a business, usually on their website, that describes the types of personal data the business collects, how the business uses that data, with whom the business shares that data, and how the business protects the data. A good privacy policy should be tailored to the nature of your business. Downloading boilerplate language from the internet, or simply copying a policy from another business, could expose your business to liability if the policy does not accurately reflect your business’s data protection policies and procedures.

8. Review your contracts with your customers, vendors and service providers

As data privacy law continues to develop, more businesses are attempting to protect themselves by requiring third-party vendors to represent and warrant that they comply with data privacy laws and provide indemnities for data breaches or privacy violations. You may be assuming liabilities if you sign agreements with these types of provisions. On the flip side, if your business shares data with third parties or utilizes third-party cloud computing services, it’s imperative that your agreements with such third parties address each party’s responsibilities with respect to data protection.

9. Examine your business’s e-mail marketing practices

Does your business send marketing emails to individuals? If so, are you complying with the CAN-SPAM Act’s requirements, such as the “opt-out” (unsubscribe) option? If you market to individuals residing in the EU, do you meet the GDPR’s stringent standard of “informed consent,” one of the six legal bases for collecting and processing personal data? If not, do you have a “legitimate interest” in processing personal data for direct marketing purposes?

10. Obtain cybersecurity insurance

Do you have coverage for cybersecurity incidents, and is it adequate to protect your business? Most general liability policies provide little or no coverage for data breaches and other cyber incidents. Cyber-specific coverages should be strongly considered and updated periodically.

Originally published in Chamber of Commerce Southern New Jersey

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.