SMB Awareness of Breach Notification Laws
IndustryView | 2015
Currently, 47 U.S. states have security breach notification laws, which require organizations that store sensitive information to notify customers and clients if their personal data is breached. In this report, we investigate how aware decision-makers at small and midsize businesses (SMBs) are of the laws that apply to their firms, and examine the contents of those laws. We also provide advice from leading cybersecurity experts on how best to avoid breaches, fines, lawsuits and reputational damage.
In January 2015, President Obama proposed new federal legislation that would require organizations to alert customers within 30 days of discovering that their personal information had been exposed in a data breach. For now, however, no such law exists; instead, businesses must comply with a patchwork of state laws governing breach disclosure.
Since California passed the first such law in 2002, a total of 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government organizations to notify individuals of security breaches involving Personally Identifiable Information (PII). Definitions of PII vary, but usually involve a combination of the individual’s name plus sensitive data such as their social security number (SSN), credit card number or bank personal identification numbers (PINs).
While large firms may have lawyers on tap who are experts in these laws, we wanted to gauge SMBs’ awareness of their legal obligations in the event of a breach—so we polled SMB owners and decision-makers at businesses that store customer PII. We then spoke to legal, compliance and cybersecurity experts to gain insight into these laws and learn how businesses should prepare for, and respond to, a breach.
After a successful hack, cybercriminals act quickly to cash in on their ill-gotten gains.
“Most of the time, when [valuable] information leaks out of a company, it is instantly being monetized on underground forums,” says Bogdan Botezatu, senior e-threat analyst for antivirus firm Bitdefender. In these situations, he says, businesses should alert their clients and customers as quickly as possible so they can minimize the aggravation and inconvenience that results when sensitive data goes missing.
In addition to an ethical responsibility, however, most U.S. businesses storing sensitive data also have a legal responsibility to inform customers of lost PII. Thus, even if a business owner concerned about reputational damage is tempted to conceal or suppress a breach of PII—as experts believe often happened before these laws were adopted—today, this is illegal in every state but Alabama, New Mexico and South Dakota.
So, how confident are SMB owners and decision-makers that they understand the security breach notification laws of their state?
Only one-third (33 percent) of respondents are “very confident,” while 34 percent describe themselves as “moderately confident.” Another one-third, combined, are largely (19 percent) or completely (14 percent) unaware of their state’s breach disclosure requirements.
This suggests many businesses are highly likely to be caught off-guard if a breach occurs—and according to the most recent security report from Symantec, targeted attacks on SMBs accounted for 30 percent of all “spear phishing” attacks in 2013 (the more up-to-date figures for 2014 are still pending). In these attacks, criminals craft fake emails to dupe individuals into surrendering their credentials, or into downloading malware.
Heather Buchta, partner at legal firm Quarles & Brady and an expert in e-commerce, software and technology law, says that although state laws vary, they do share common features. When defining PII, the statutes “almost always” include a combination of an individual's name together with any “sensitive data elements,” such as SSN, driver’s license numbers, credit card PINs and account passwords, for instance.
However, the definition of a “sensitive data element” may be broader.
“For instance, some states, such as Missouri, include various types of health information, while Nebraska’s law covers biometric data [e.g., retina or fingerprint scans],” Buchta says. “North Carolina considers an individual’s parent’s surnames prior to marriage to be sensitive, while Puerto Rico includes labor evaluations and the Wisconsin law covers DNA.”
Clearly, the laws are complicated. Jeff VanSickel, compliance lead at security consultancy SystemExperts, has conducted a comparative analysis of all 47 laws. He says he’s often surprised at which states are the most stringent in their definitions of sensitive data.
For instance, VanSickel believes that Montana has the “most rigorous” laws in the nation—there, the mere combination of name and address is defined as PII. Not a problem if you’re not based in Montana? Think again, says VanSickel: Businesses must also know the laws where their customers are located.
He uses the example of a company that is based in Florida but has clients in Hawaii to illustrate his point. If that company lost the PII of its Hawaiian customer base, then it would face legal issues in Hawaii, VanSickel says.
The complications multiply: Not only do definitions of PII vary from state to state, but so do other aspects of the laws, such as the amount of time businesses may allow to elapse before informing their customers of a breach. This can range from a loosely defined “without unreasonable delay” to very specific time limits of two to 45 days—and this can also vary between industries.
Failing to abide by a state’s data breach law can result in financial penalties, which, says Buchta, also vary: In Florida, for instance, these can start at $1,000 each day for the first 30 days, maxing out at $500,000. Other states specify penalties ranging from $10,000 up to $150,000 per incident—while still others may specify damages of $250 to $2,500 “per violation,” which may mean per individual not notified.
Buchta adds that in some cases, state attorneys general may get involved, and that many allow for private rights of action, “which, of course, can lead to class-action lawsuits.”
In short, SMBs that are in the dark about their data breach notification requirements face a potential blizzard of legal woes.
Given the rapidly escalating costs and complexities of a breach, we next wanted to know what SMBs are doing to prepare for a cyberattack. This includes both strengthening their defenses and having a plan for mitigating the damage if—or, as many experts suggest is more likely, when—an attack occurs.
However, fewer than half of our respondents (49 percent) report having such a plan in place.
In fact, the only options to rank higher than 50 percent among our respondents are security awareness training for staff (74 percent), policy compliance tests (59 percent) and conducting regular vulnerability assessments (58 percent).
Another 29 percent of respondents report having “cyber insurance.” However, dedicated cyber insurance is an expensive, emerging product primarily aimed at large enterprises—so it seems likely that respondents are referring to the cyber-clauses in their general business insurance, which are considerably more limited in scope. Finally, 9 percent don’t have any of these common preparations in place.
The relative prevalence of security awareness training is encouraging, but what qualifies as “training” can mean many things. If it’s just a video employees are required to watch once a year, for example, it’s probably not very effective.
Experts are also divided on the effectiveness of security training. Barry Shteiman, director of security strategy for data security firm Imperva, says that he doesn’t believe in it.
“The reason security is dealt with by technology—for better and for worse—is because of the ability to remove the human factor, which is always the weakest link in the security world,” he explains.
However, Geoff Webb, senior director of solution strategy at security firm NetIQ, argues that by training employees, you reduce the likelihood that they will accidentally expose you to risk, and thus become less reliant “on security tools having to ride to the rescue and close a gap.” In other words: Businesses should seek to become less reliant on software, and put more trust in humans.
Arlie Hartman, security advisor for IT security solutions provider Rook Security, argues that it is a matter of having the right kind of training, which should avoid “textbook best-practices or death-by-PowerPoint.” Instead, he explains, training should “incorporate cautionary tales of what regular users have done that led to a breach. The material must have metaphors that make it relatable to users. Institute a culture of security: It’s not a job position, it is a duty for all employees.”
While experts may debate the effectiveness of security training, nobody doubts the importance of having a breach response plan in place. Buchta notes that not having one is a big mistake.
“By planning ahead, the company can focus on the strategic decisions it needs to make at the time a breach occurs, as opposed to spending time trying to figure out the process it should be following or the personnel it should be consulting.”
Heather Buchta, Quarles & Brady
Bitdefender’s Botezatu says that in his experience, many companies take what’s happening inside their networks for granted.
“They [think they] only have to see off outside threats, and that inside a company, it’s a safe haven where nothing can go wrong,” he says.
But things can go very wrong—and thus, it is crucial that among the precautions businesses take, they encrypt customers’ PII (and all sensitive data).
This is more than simply a good security practice: PII is generally not considered “lost” if it cannot be decrypted and used by the data thieves. In such cases, says Buchta, notification is usually not necessary, or the statute will deem a breach not to have actually occurred.
The good news is that 82 percent of respondents report encrypting their customers’ PII. This stands in contrast to just 9 percent who admit their business does not, and a further 9 percent who are “unsure,” which indicates that encryption is unlikely to be in place.
Of course, it is still concerning that almost one-fifth of respondents’ firms are not encrypting sensitive customer data. These businesses are exposing their customers to risk and leaving themselves wide open to the possibility of fines, lawsuits and reputational damage.
What’s more, even the high figure of SMBs that are encrypting data may not be quite as reassuring as it seems: According to the experts, businesses often struggle with the complexities of getting encryption right. Here, scale is one important factor.
“It’s one thing to encrypt 20,000 records, and a totally different thing to encrypt 40 million records that need to be accessed from 20 different physical locations,” Botezatu says. He adds that in cases where SMBs do not have widely disseminated data, the encryption services that come along with some operating systems (such as Windows or Unix) might be sufficient.
If, however, a business needs to encrypt lots of information and make it available to people in different parts of the world, then “chances are that you’re going to need to use a custom software that matches your business needs, [such as] speed of decryption and so on,” Botezatu adds.
However, according to NetIQ’s Webb, organizations that buy encryption software typically never fully implement the systems due to a lack of technical expertise.
This happens “especially in the case of full-disk encryption, which can require a lot of prep work on the system to be encrypted. As a result, management might think their systems are protected, and then discover the data was never actually protected,” Webb says.
Rook Security’s Hartman adds: “SMBs may stumble when implementing [management of the encryption keys]. Some companies will use full disk encryption for their laptops, but [do not have] central management for the keys. A year later, a user has a password issue, and no one can locate the key to decrypt the hard drive.”
So, given all this, what can SMBs do to mitigate their potential shortcomings in terms of understanding the laws, coming up with a preparedness plan and protecting customers’ PII? On each point, our experts offer some advice.
SMBs first need to familiarize themselves with which data breach laws apply to them. A useful resource is the National Conference of State Legislatures’ website, which includes a list of every law, in every state.
Buchta stresses that businesses should identify where all their data is stored as part of a written information security program. If a business knows what data it has ahead of time, it can quickly confirm what its notification obligations may be in the event of a breach.
This should be a rigorous and thorough process. Hartman points out that data can exist in many places, including mobile devices, cloud storage and webmail.
In order to organize all this data more efficiently, SystemExperts’ VanSickel advocates a rigorous information classification methodology, breaking down data by a scheme of “secret,” “confidential,” “internal” and “public” information. This allows businesses to identify and prioritize sensitive information that they need to “control”—whether through encryption, or other limitations such as using policies and data loss prevention tools to prevent it from being sent outside the network.
Webb stresses that any good breach response plan should clarify which people in the business should be involved.
“Wasting time wondering who needs to be notified is a mistake that can be costly and easily avoided—yet many organizations fail to think through those critical first few hours,” he says.
Since a breach response plan is unlikely to be read widely by general employees, VanSickel suggests that important information, such as who should be notified, should also be included in an “Acceptable Use” policy document. This document outlines how all employees in the organization should use their work devices—thus, it is likely to be much more widely read than a breach response plan, which applies to a more limited set of employees.
Webb adds that it is necessary to have “an escalation path” prepared—that is, to know “who, when and why people need to be notified, and [to] make sure everyone on the list knows what their job is. In addition, businesses should also know when and how to involve law enforcement.”
VanSickel agrees, and says that businesses must also resist the urge to investigate the breach themselves: “You could damage any evidence that [law enforcement is] collecting to prosecute the bad person.”
To handle post-notification customer fallout, Hartman suggests that businesses consider offering “breach services,” such as setting up a response hotline or offering to provide credit monitoring. He also suggests purchasing breach insurance to offset the costs.
In order to manage the encryption keys, businesses should use dedicated hardware solutions, Hartman says. However, this can often be cost-prohibitive for SMBs; in such cases, he suggests that businesses work with a security advisor for advice on key implementation and management.
Hartman notes that it is important for businesses to make sure they have a back-up plan for managing the keys, and that they should not be left in the hands of one all-powerful administrator.
“Think of them as the keys to a missile silo,” he explains. “No one person should be able to launch the missile, and no one person should be able to decrypt a database of sensitive data. The other risk is only having two people who can decrypt the data. In a disaster, locating the two people to decrypt the data can be difficult. This risk can be mitigated with a system where any three of five total keys can decrypt the data.”
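The “any three of five keys” arrangement Hartman describes is a threshold scheme; the following added example (not code from the report or from any firm quoted in it) shows how a data-encryption key can be split so that no single custodian can decrypt, yet any three of five custodians together can. It uses Shamir’s secret sharing over the Mersenne prime field GF(2^127 - 1), assumes a 16-byte (AES-128-sized) key, and the key bytes shown are constructed sample values.

```python
"""Threshold key custody: split a data-encryption key into 5 shares,
any 3 of which recover it (Shamir's secret sharing).
Added illustration, not code from the report or any vendor it quotes."""
import secrets

# Mersenne prime 2**127 - 1: a 16-byte key always fits as one field element (assumption).
PRIME = 2**127 - 1
THRESHOLD = 3   # custodians required to recover the key
SHARES = 5      # custodians that each hold one share
KEY_LEN = 16    # bytes; assumed AES-128 data-encryption key


def split_key(key, k=THRESHOLD, n=SHARES):
    """Return n (x, y) points on a random degree-(k-1) polynomial whose
    constant term is the key; any k points determine the polynomial."""
    secret = int.from_bytes(key, "big")
    if not (secret < PRIME and 1 < k <= n):
        raise ValueError("key too large for field or bad threshold")
    # a0 = secret; a1..a(k-1) are uniformly random, so k-1 shares leak nothing.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):           # never evaluate at x = 0 (that IS the secret)
        y = 0
        for c in reversed(coeffs):      # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_key(shares, key_len=KEY_LEN):
    """Lagrange-interpolate f(0) from the supplied shares.
    With fewer than THRESHOLD shares the result is garbage, not an error:
    in practice, authenticated decryption of the data reveals a bad key."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME       # product of (0 - xj)
                den = (den * (xi - xj)) % PRIME   # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


def demo():
    """Constructed key; returns (recovered with 3, recovered with 2, original)."""
    key = bytes(range(16))                       # constructed sample key, not a real one
    shares = split_key(key)
    three = recover_key([shares[0], shares[2], shares[4]])
    two = recover_key(shares[:2])                # below threshold: should not match
    return three, two, key


if __name__ == "__main__":
    got3, got2, original = demo()
    print("3 of 5 recover key:", got3 == original)
    print("2 of 5 recover key:", got2 == original)
```

The “backup plan” Hartman mentions falls out naturally: if two custodians are unavailable, the remaining three still recover the key, while a lost laptop holding one share exposes nothing.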
VanSickel suggests another way to keep keys secure, via an older, more manual form of technology: Store them in a physical safe.
“You won’t find too many people who are still doing that, but it is definitely an option,” he says.
“At the end of the day, every company is likely to have a data breach of some kind,” says Buchta. Taking the right steps beforehand is what will determine the overall cost to the company of an incident. In her view, the biggest issue that usually results from a breach is negative press and consumer fallout.
Webb agrees that businesses need to think about how their customers will respond to news of a breach.
“A more informed and active customer base [is] becoming more litigious when it comes to sensitive or personal data,” he says. “While fines may be a headache, a slew of lawsuits can cause real damage to any business, large or small.”
SMBs, therefore, cannot afford to be ignorant of the laws that apply to them, or unprepared for the eventuality of a successful hack on their own sensitive information. It is important that they stay focused on the practical task of knowing what PII they have, and where it is stored, as well as on securing it.
It is best, as VanSickel suggests, to take a holistic view. Businesses should be rigorous when it comes to keeping track of their data, and should consider all the legal requirements that apply to them—not just state notification laws, but also (for instance) HIPAA and other industry-specific requirements. It will take time and effort, but ultimately, the business will be stronger for it.
To find the data in this report, we conducted an online survey via Android devices of 180 owners and decision-makers at U.S. businesses that accept and store PII. We asked eight questions, and collected 180 responses per question. All survey questionnaires undergo an internal peer review process to ensure clarity in wording.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection. Interview sources are chosen for their expertise on the subject matter, and software choices are selected based on popularity and relevance.
Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.
If you’d like to further discuss this report or obtain access to any of the charts above, please contact firstname.lastname@example.org.