Are your communications about internal cybersecurity & privacy protected?


Companies often hire professionals to help achieve compliance with various data protection laws in the US and around the world. Surprisingly, the professionals hired to assist with legal compliance are not always lawyers. This leads to situations where companies are left without the basic protections, such as attorney-client privilege, that are recognized exclusively in attorney-client relationships.


Attention Small-Medium Businesses: Cybersecurity Can Cost You Everything

Small and medium-sized businesses (“SMBs”) are not immune from cyber liability and can be held responsible, not only for a breach, but for lax cybersecurity. Lax cybersecurity tends to result in financial harm in the form of penalties or lost business.

Historically, SMBs may have thought of themselves as too small to be noticed in matters involving cybersecurity. Perhaps, the idea that SMBs could go unnoticed was reinforced by an assumption that only big businesses could be monitored or held accountable for a data breach. After all, why would anyone care to monitor the cybersecurity of a SMB?

With the strictest laws in data privacy and, effectively, cybersecurity, taking effect in May 2018, the days of going unnoticed are over. While the new laws might not directly affect SMBs, the indirect effects will be just as significant to the SMB’s existence.

For example, businesses directly impacted by the new laws will have a duty to ensure that their third-party vendors have adequate security measures to protect data. The third-party vendors are often SMBs. An SMB’s failure to use adequate security can cost the business that relies on it substantial amounts of money. Rather than risk millions or billions of dollars (e.g. GDPR fines), the business directly affected by the strict laws will have a strong incentive to trade the insecure SMB for more secure alternatives.

As if a threat to a company’s existence is not sufficiently compelling, there are also U.S. laws that directly impact SMBs. Depending on the SMB’s industry and the type of data collected, laws that dictate data privacy might require strict security. Violations of such laws may subject SMBs to financial penalties, fines and other civil liability.

To demonstrate that no business is small enough to go entirely unnoticed, imagine a boutique hair salon. The salon regularly purchases hair products from an international distributor. The salon uses an online portal to order supplies and, since orders are fairly regular, they are scheduled automatically every few weeks. Imagine that the salon also accepts credit card payments and stores customer information to track a salon rewards program. The rewards program offers customers credit at the salon for every fifty dollars spent. The salon has no cybersecurity policy because the owner believes the salon doesn’t work with “technical stuff” or “secrets” that a hacker would want. There is one administrative password shared by the entire staff. It is “password123”. The same password is reused to log in to the distributor’s portal. The company has been in business for ten years and has had to buy more computer storage to hold all of the customer information. The salon has never purged any of it.

For the salon, it is business as usual until one day the computers are down. The salon can’t process credit cards, and the computers seem to have a glitch. The salon will eventually realize that its systems have been breached. Credit card and customer information have been stolen, and because the salon’s portal credentials were the same shared password, the salon’s access to the distributor is compromised as well. As a result, the international distributor is also breached.

Laws involving cybersecurity, data, and privacy can have a devastating impact on SMBs, both directly and indirectly. It is more important now than ever that SMBs implement an adequate cybersecurity program. There are many online guides to help you get started. There are also cybersecurity consultants, experts, and attorneys who can help you understand how to protect your data, comply with laws, and ultimately minimize your liability. Cybersecurity is an investment in the future of your business. For SMBs, it is survival of the securest.

Prepare for New Required Skills in Technology Responsibility

Will all businesses eventually need to be in the business of technology? Will a user be liable for his or her actions or inactions with regard to technology? As data protection laws are created and impose duties on users, it seems that a technology responsibility course could become part of education’s core curriculum: math, science, language arts, social studies and technology responsibility (“tech res”). Once upon a time, technology was an elective; these days, it is a necessity.

Using technology responsibly is about risk management and acting reasonably. 

Who needs-to-know?

You might wonder who really needs to know about technology. The answer to this question used to be something along the lines of “leave it to the IT department”. These days, the correct answer is “everyone”. Nearly everyone is using a computer or smartphone to access data. Think about all of the Word documents, PDFs and emails you have access to. “Data” is a broad category and includes information that is personal, confidential, related to the company and/or used for entertainment. In the past, even if this information was accessible to people, it was not so easily accessed and shared. Entering a filing room to pull a confidential file still required more steps than selecting “send as attachment” or “post” or “tweet” or… you get the point. Basically, everyone is using technology in some form and should know something about the technology they are using. At a bare minimum, users should know about the major risks and liabilities. Unfortunately, in practice, many people ignore warnings about risks and liabilities by scrolling down and clicking “accept”. Blind acceptance could result in releasing the rights to your photos, agreeing to share your list of contacts, or numerous other things. It wouldn’t hurt for everyone to be more informed before they select “accept”. Hence, “everyone” is included in the need-to-know category.

Who needs to care?

Who needs to know is slightly different from who needs to care.

As individuals, most people aren’t going to care who shares their vacation photo or who sees their grocery list. For the most part, if individuals have any information worth worrying about, a breach of that information, while unfortunate, would be minuscule and likely only harm that individual. Besides, most individuals willingly divulge information regularly via social media. No one is wondering what’s on your grocery list because we all saw pictures of your meals for the past few weeks.

Then there is the camp of individuals guarding their credit card and social security numbers. Such individuals would be correct that these pieces of information are important, but only on a small scale. Credit card companies are good at finding fraudulent charges, and everyone should be monitoring their bank accounts anyway. Maybe this is harsh, but no matter how many selfies you take, you probably aren’t as important as you would like to think. Of course, feel free to care, but know that you probably do not make the cut for the “need-to-care” group.

Those who really need to care about responsible use of technology are typically those in possession of other people’s information. Don’t get me wrong, it is a great habit for an individual to be cautious and protect his or her own information. This is sort of like locking your doors. It’s your house.

If you lock the doors, great for you.  If you don’t lock the doors and someone steals your belongings, I might feel sorry for you, but my belongings are still safe. 

However, if you are holding a lot of my belongings and fail to lock the doors, I will be very upset if my stuff is stolen. The same concept applies to data. If you hold the information or have access to the data, you have a responsibility to provide security. The people who really need to care are those involved with business. Businesses tend to hold contact information, financial information and confidential information. I use the term “business” very broadly because all types of businesses are included: non-profits, education, consumer goods, healthcare, sales, services, etc. Do not assume you are exempt. Businesses must have security in place to protect the information of others. Think of it as if your house is holding their valuables. YOU, the business, should ensure that the doors are locked.

Businesses should care, but who is the business?

To avoid a tragedy of the commons, some elaboration is needed about who within the business should be accountable for data protection.

The structure is flexible and could follow a variety of models depending on what works best for your business. If there is a board of directors, the responsibility could begin with them. If there is a partnership, the partners could be accountable. The important point is that someone is made accountable for implementing and monitoring protection. What you don’t want is for everyone to assume someone else is dealing with it (a tragedy of the commons). You don’t want to assume that your partner password-protected his computer. As a business owner, it is your duty to think through these issues and plan ahead. Either monitor things yourself or assign the duty to another person or to an entire department. Perhaps hire a technology expert to report back to you. Create a policy and follow a defined procedure. Educate each of your employees about what is expected and precisely how they can follow it. As a partner in a business, ask questions and raise concerns if you do not see these policies in place. Regularly check to see whether the policies are being executed correctly. After all, just because a door has locks doesn’t mean people are always using them.

With breach notification requirements at the state level and new legislation incentivizing the disclosure of breaches to the federal government, it is only a matter of time before required duties arise demanding a proactive approach. Similar to the bookkeeping requirements that help protect against future problems, we will eventually see requirements for safeguarding data.

Reasonable care standards are already being incentivized, if not outright implemented. It would be wise to create good habits now. If tech responsibility is eventually added to the elementary school curriculum, it is only a matter of time before a failure to use basic protections will constitute gross negligence, from which there will be little insulation from liability.

You should care earlier rather than later.