Information technology experts agree that small businesses are at high risk for hacking and other cyber security risks. Alan Wlasuk, managing partner of 403 Web Security, explains the details of why small businesses are not immune from attack. Contrary to the impression left by frequent media reports of hacking and data security breaches involving large multinational companies, small businesses experience security breaches at a higher rate than large corporations. That’s because small business owners may be less cognizant of the risk and have fewer resources available to prevent, identify and remedy security breaches.
What are the legal risks faced by any business if its website is hacked and customer data is compromised? The answer depends on the type of customer data the business collects and maintains, and on the agreement between the business and its customers about how that data will be used. The business’s response to the hack matters, too. Did the business discover the breach quickly, disclose the breach to its customers, and take steps to remedy the situation?
If your business collects confidential customer information (for example, medical records or social security numbers), federal law specifies how you must protect that information from disclosure or misuse.
The Federal Red Flags Rule requires “creditors” with “covered accounts” to implement programs to identify, detect, and respond to patterns, practices or specific activities that could indicate identity theft.
The Federal Trade Commission’s Bureau of Consumer Protection offers tips on what should be in a data security plan to protect your customers’ information.
Federal law also requires mandatory disclosure of certain security breaches, and of the related transaction records, to victims and to law enforcement by strict deadlines: businesses must provide victims and law enforcement with transaction records relating to identity theft.
These regulations apply to anyone who accepts consumer payments online – an increasing number of businesses every day. Any business with an interactive website that captures customer data electronically should have a data security plan. In addition, your contracts should accurately state what your business will do with your customers’ data and how you will safeguard it, and you should make sure the agreement does not promise more protection than you actually provide.
If you’d like help drafting or updating a data security plan, or to have your contracts reviewed for data security issues, please contact our Business Law Group attorney, David A. Closson at [email protected].