Ignoring California’s Stringent Data-Breach Laws Sets You Up for Hefty Fines and Litigation.
Learning about a data breach after the fact can be devastating for organizations, especially when you consider the overwhelming fines for neglecting required notifications.
The thought of a data breach is enough to send information security professionals into a frenzy. And, thousands of small and medium-sized businesses will face this issue in the coming years (if they haven’t already).
There are significant challenges in running a small business IT department. Keeping up to date with the latest security patches and recommendations often falls by the wayside in the daily hustle. The heavy focus on new technologies puts more pressure on overtaxed IT teams than ever before, and it is leading to very damaging data breaches.
California has beefed up its notification requirements in an attempt to provide more transparency to individuals whose personally identifiable information (PII) has been compromised. Here is how these data breach notification laws will impact your business in the coming months and years.
The Frightening Statistics
Between client records and intellectual property, there are millions upon millions of data points that are of prime interest to cybercriminals. Of the small businesses that are attacked and suffer a severe data breach, almost 60 percent go out of business within six months of the attack. This is even more frightening when you consider that nearly half (43 percent) of cyberattacks are against small businesses.
Few small businesses feel ready to repel an attack, and even fewer are confident in their ability to recover from this type of disaster.
The Types of Cyber Attacks
While you may be familiar with what people generally term “hacking” (unauthorized entry into digital property with malicious intent), you may not be aware of the myriad of ways that cybercriminals can infiltrate your systems.
Malware, and ransomware in particular, is a growing concern: it can render entire systems unavailable until you pay the ransom. Payment is often demanded in Bitcoin or another digital currency that is difficult to trace, making it even harder for law enforcement professionals to follow the complex transactions involved.
While client credit and debit card information is a prime target, employee information and intellectual property are also extremely attractive to criminals who wish you ill. Phishing and social engineering, in which cybercriminals trick internal users into unknowingly launching malware that gives the attackers access to your systems, are also of growing concern, as is the loss of connected devices such as laptops and mobile phones.
California Data Breach Notification Laws
California has taken additional steps in an attempt to provide consumers with more transparent notifications in the event of a cyberattack. While this well-meaning legislation protects consumers, it can be onerous for business owners as they attempt to navigate the legal landscape. Businesses are now required to notify clients if unencrypted personal information is exposed. The following are included in the definition of “personal information”:
Take Heed—You Must Comply with Notification Laws.
There are specific requirements under California law that pertain even to the font size of your notification: it must be no smaller than 10-point for legibility. In addition, the notice must contain conspicuous headings such as “Notice of Data Breach,” along with information about the organization making the notification, the date range of the breach, the extent of the information obtained by cybercriminals or accidentally released, and any details about a delay in notification.
You must be very clear about the specific steps you have taken to rectify the situation, provide remedy recommendations for victims, and give details on how to find out more information about the incident.
Consequences of Noncompliance.
Negligent failure to comply with the terms of the statute can lead to civil liability damages of up to $2,500 per violation, for a total of up to $500,000 per occurrence, with the damages set “irrespective of the amount of damages suffered by the consumer as a result of that violation.” Knowing and willful violations will likewise be subject to civil damages of up to $2,500 per violation, but there is no limit on the level of damages per occurrence for such violations. In line with the state’s strong stance toward protecting against identity theft, all fines can be doubled in instances where a violation results in the identity theft of a consumer. From: FindLaw For Legal Professionals
What You Can Do to Protect Your Business.
Regardless of industry or size, businesses are increasingly vulnerable to cybercriminals who intend to steal personal information or lock up systems. In 2016, some of the largest brands in the world were hacked. What you may not know is that thousands of smaller businesses were also impacted by cybersecurity incidents. There are no safe spaces anywhere. Hackers seek to gain access to valuable information stored in company databases both onsite and in the cloud.
While there is no way to protect your business from all forms of cybercrime, there are some key ways to minimize your risk:
Following these guidelines can reduce the chance that your organization will be infiltrated by criminal elements.
Understanding California’s laws will help you stay within the current data-breach notification requirements. This is exceptionally important, as there are strict and costly penalties for noncompliance, and further legal consequences when victims bring a claim against your business for damages caused by improper notification.
Need to strengthen your IT security perimeters? We can help to keep your business and data secure. Contact intivix in San Francisco at (415) 543 1033 or firstname.lastname@example.org. Our information security professionals understand how to establish a system of compliance that will help your organization stay well-protected in the event of an attack.