Most small and mid-sized businesses think, “Security breach – that’ll never happen to me! I’m way too small for a hacker to target.” Time to think again.
This kind of thinking has led to a widespread vulnerability in the SMB market. ow that larger corporations have upgraded their defenses, cybercriminals are starting to exploit this weakness by shifting their attention downmarket.
At the same time, legislatures have developed new laws to protect customers in the event of a breach. Even small businesses are required to report any possible identification to their clients. Understanding how the law works will help you defend yourself from a data breach, as well as assess precautionary measures.
By the end of this article, you will be able to define and understand data breaches like a Georgia state legislator. Next week will discuss actions and implications.
Cybercriminals have shifted focus in the last 2 years from large corporations to SMB territory. We covered some of the recent data on security breaches previously on the blog, but new readers should be aware that mid-sized businesses now account for 31% of all cybercrime, up from 19% in 2012. Small business now represents a similarly large piece of the pie.
So yes, knowing what to do when a data breach occurs is important for everyone, particularly smaller firms.
Most states have adopted their data breach statutes from California’s initial SB 1386, so the language tends to be identical or at least very similar.
A data breach is defined as: “The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.” The key term is “access,” meaning that if you discover that an unauthorized person has broken into the back end of a website, and could have seen personal information, then you have a security breach on your hands.
Personal information is also important to define. Clearly, if you store usernames only, then that information alone would be worthless to a cybercriminal. Georgia and most states use the following formula to determine when personal information “compromises security.”
The identifying information must include:
First name (or first initial)
And any one of the following:
Bank account, credit card, or debit card with any access code, PIN, or password needed to access the account
*Information is disqualified from being deemed personal when it is publicly available, as by any government agency’s public records, or by widely distributed media.
Come back next week for Part II: what actions a business must legally take in the event of a breach, and the implications of this statute.