  • What steps does your small business take to protect employee social security numbers?

  • What steps does your small business take to protect customer credit card information?

These are just two questions of many we could ask, as personal information can also include driver’s license or state ID, account numbers, passwords, etc. If a cyberattack occurs at your small business, can you honestly say you made a reasonable effort to protect employee and customer information?

The media often places way too much emphasis on security breaches of large organizations. In the news recently you’ve seen JP Morgan Chase, Target, Home Depot, OPM, etc. However, what about the security breaches for the small main street businesses? A cyberattack for these small businesses might not have as big of an impact on society, hence not as newsworthy, but a cyberattack does have a huge impact on these small businesses, including completely shutting them down. In fact, cybercriminals are increasingly targeting small businesses due to their lack of resources to thwart an attack.

However, a small business’ lack of resources does not diminish their responsibility to protect customer and employee data.

You are held to the same level of credit card security standards and employee data standards as the big organizations. In the instance of a security breach, your small business will be held liable if you have not made a reasonable effort to protect that data. But how do you do that?

  • Know the laws: Delaware Code 6, § 12B-101 et seq.
  • Know the standards: Any small business that suffers a cyber security breach and is found to be non-compliant with credit card security standards is fully liable for charges related to the breach. Read and understand the PCI (Payment Card Industry) Data Security Standard Quick Reference Guide.
  • Know your data:
    • What types of data do you collect? Do an inventory of every type of data you collect. Decide what types of data you actually need to store.
    • How is that information collected? Do you collect information through a credit card machine? Through a mobile device? Over a secure network?
    • Where is it stored? (For instance, if your data is hosted or stored in the Cloud, take a look at your contracts. If a data breach occurs due to the Cloud provider you use, you can still be held legally liable.)
  • Know your policies: Have you established policies for handling employee and customer data? Do employees understand what are and aren’t acceptable uses for their work devices?
  • Know your response plan: What will you do if a cyberattack occurs?
  • Know your insurance options: Cyber liability insurance is not new. However, it is increasingly important as cyberattacks on small businesses become more frequent. Work with your insurance provider to integrate cyber liability insurance with your regular business insurance and employment liability policy.
  • Know how to get help: A good first step would be to attend the State of Delaware’s cybersecurity conference on September 29th. It’s free and will have a track for small businesses, industry expert speakers, cyber security resources and sources of help.