Each year, thousands of small businesses are hit with data breaches, but unlike those that impact some of the nation’s largest companies, these incidents often don’t even make headlines in local newspapers. However, that doesn’t mean that there aren’t significant problems that can arise from them even for the smallest companies, and for this reason it’s important for such enterprises to have comprehensive plans in place for dealing with them if and when they take place. This may be particularly important for small businesses that deal primarily with other companies, such as book and magazine distributors, because of just how much liability can arise from even a small data breach.
The fact of the matter is that small businesses are often required to do a lot in the event that they suffer a data breach, an event that is becoming more likely all the time, according to a report from the National Law Review. Today, 47 states plus Washington, D.C., require that companies which suffer data breaches follow very specific protocols, and these vary from one state to the next. As a result, if a data breach impacts people living in multiple states, compliance becomes a complicated matter, because what’s required in, say, Rhode Island could vary significantly from what’s required in another state.
When is this required?
The way each individual state defines what kind of information exposure must lead to a data breach notification varies, but nearly all of them with data breach laws in place (with the sole exception of the District of Columbia) state that things like Social Security numbers, driver’s license or state ID numbers, and financial account data qualify, the report said. Some states may also carry these requirements for things like passwords, routing codes, biometric data, tax ID numbers, email addresses, and so on.
“Because privacy is a politically popular topic for legislators, laws continue to evolve and change,” the authors of the report wrote. “It is important to confirm that no changes have been made to relevant laws whenever you deal with a data breach. While this summary focuses on data breach notification obligations, many state laws also impose specific data security requirements for companies that handle personal information, which should also be consulted.”
What can companies do?
The more small business owners can do to make sure their companies are adequately protected from the fallout of a data breach, the better off those firms are likely to be. The reality is that the cost of dealing with a data breach in accordance with state law is likely to be in the tens of thousands of dollars or more, and that’s a cost that can cripple or destroy even a successful small business. Consequently, it may be wise for owners to invest in a type of small business insurance known as “cyber liability insurance,” which specifically helps to insulate companies from these costs whenever possible.