Small Business

Small Business

Should Your Business Have a Privacy Policy?

Tags: , , , Privacy, Privacy Policy, Small Business No comments

Small business owners often ask me the following questions about privacy policies:

  1.   What is a privacy policy (notice, statement, etc.) (“Privacy Policy”)?
  2.   Does my business need one?
  3.   What should be included in a privacy policy?

I am usually surprised by 1, although I should not be since ½ of online Americans don’t know what a privacy policy is.  But that question is reasonably straightforward to answer:

Privacy Policy (df): Statement or document about how a company or website collects, uses, and discloses, information about a visitor. It usually declares what specific information is collected, the purpose for collecting it, how a company uses the information, and whether it is shared with others.

The purpose of a Privacy Policy is to give notice to an individual that the business is collecting information about the particular consumer, the types of information being collected, and what’s being done with that information. For example, check out Target’s privacy policy.

2 and 3 require a little more consideration as the answers are not clear-cut, and some businesses may be better off without a Privacy Policy.

DOES MY BUSINESS NEED A PRIVACY POLICY?

As with many things in life, the answer to this question for businesses in the United States is “it depends.” There is no federal law that requires every business to have a privacy policy that discloses how the business collects, uses and discloses information collected from potential customers.

Some types of businesses, however, are required to have Privacy Policies because of specific federal or state laws that apply, as well as certain business activities they engage in.

Businesses Required to have Privacy Policies

There are several ways a business can be forced to have a Privacy Policy:

Federal and State Laws

California Online Privacy Protection Act California Bus. & Prof. Code §§ 22575-22578: Requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an internet website or online service for commercial purposes, to post a conspicuous Privacy Policy on its website or online service (which may include mobile apps) and to comply with that policy. Among other things, the law requires the Privacy Policy to identify the categories of personally identifiable information collected about consumers and the third parties with whom the operator may share the information.

Connecticut Gen. Stat. § 42-471: Requires any person who collects Social Security numbers [presumably of Connecticut residents] in the course of business to create a privacy protection policy. The policy must be “publicly displayed” by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Children’s Online Privacy Protection Act of 1988:  Requires (1) operators of websites and online services directed at children under the age of 13, including mobile app developers, and (2) operators of general audience websites and online services, who know that they are collecting personal information about children under the age of 13, to post a Privacy Policy on the homepage of their website and a link to the Privacy Policy on every page where personal information is collected.  Very detailed requirements of what needs to be included in Privacy Policy. See e.g. Relay Recess COPPA Privacy Policy.

Gramm-Leach Bliley Act:  Requires financial institutions to provide clear and conspicuous privacy notice to consumers initially and annually about the institution’s information-sharing policies and practices.  Privacy notice must contain the following: what information the financial institution collects about its consumers and customers; with whom it shares the information; how it protects the information; and an explanation of how a consumer can opt out. See e.g. Chase U.S. Consumer Privacy Notice.

Health Insurance Portability and Accountability Act of 1996:  Requires covered entities (Healthcare providers, Health plans, and others) to provide a detailed privacy notice at the date of first service delivery. Very specific detailed elements that must be included in the privacy notice, including detailed statements about individual’s rights with respect to their personal health information.  See e.g. Health and Human Services Model Notice of Privacy Practices.

If any of these statutes apply to your business, you must have a Privacy Policy or face the penalties for non-compliance.  Consult with an attorney or the applicable statute and regulations to ensure that your Privacy Policy contains the required elements as each of the statutes differs.

International Law

Your business also must have a Privacy Policy if you conduct business or collect information about citizens in the European Union, Canada, and many other countries.   Many countries have more universally applicable laws regarding data privacy than the United States and every business that collects personal information about individual citizens needs to have a Privacy Policy.   Consult with a local attorney in the specific country where you conduct business to ensure that your Privacy Policy and other aspects of your business comply with applicable data privacy laws.

Google AdSense

Another business activity that requires your business to create a Privacy Policy is displaying Google AdSense advertising on your website.  As part of the  terms and conditions, Google AdSense requires you to “have a clearly labeled and easily accessible privacy policy that provides end users with clear and comprehensive information about cookies, device-specific information, location information and other information stored on, accessed on, or collected from end users’ devices. . . .”

Failure to do so may lead Google to suspend or terminate your account, and prohibit you from creating a new account or monetize content on other Google products.  Consult with an attorney to make sure that your privacy policy contains all of the elements required by Google AdSense.

Mobile App Developers

Another business activity that requires a Privacy Policy is developing mobile applications (“Apps”).   In 2012, California struck an agreement with the six largest platforms for mobile apps (Apple, Google, Microsoft, Amazon, Hewlett-Packard, and Research in Motion), where the platforms agreed to a set of principles for mobile apps that would ensure compliance with California Online Privacy Protection Act.

These platforms will require developers of apps that collect personal information to include Privacy Policies in their apps that can be reviewed before consumers download the app. Thus, if you want your app downloaded from these platforms, your app needs a Privacy Policy that complies with California’s laws. Consult with an attorney to make sure that your Privacy Policy includes all of the elements required by California law.

Businesses Not Required to Have Privacy Policy

If none of the above situations apply, your business does not need a Privacy Policy. Many businesses, however, choose to adopt a Privacy Policy, particularly on their website.  These businesses want to create a competitive advantage for their business and believe that customers value their privacy and will choose businesses that care about privacy.  Also, for some businesses – such as social media – customers expect to have a Privacy Policy before turning over their personal information and want to know what the company is going to do with it.

It’s unclear whether these are valid reasons for adopting a Privacy Policy.   First, not many consumers actually read and/or understand the privacy policies included on websites.   A recent study by Internet Society revealed that less than half (42%) of U.S. citizens read Privacy Policies most of the time or all of the time on websites or internet services used.  I actually think that it’s probably much less than 42%, since I have yet to find anybody (except for a privacy attorney) that has read a Privacy Policy more than once!  That’s not surprising, since a recent study found that it would take approximately 76 working days to read all of the Privacy Policies from websites visited in a single year. Thus, it’s hard to see a Privacy Policy can show customers that a business cares about privacy since customers are not even reading them.

Second, Privacy Policies create an enormous risk for a lawsuit or government investigation if your business does not accurately represent your information collection, use, or disclosure practices. For example, the FTC recently brought a case against Snapchat, in part, over alleged misrepresentations made in Snapchat’s Privacy Policy about Snapchat’s information collection practices.

Snapchat apparently transmitted geolocation data from users of its Android App, despite a Privacy Policy that says that Snapchat did not track or access such information. Snapchat also allegedly collected contacts information from iOS user’s address book despite claiming that the app only collected the user’s email, phone number and Facebook ID for the purpose of finding friends.  Snapchat ultimately settled with the FTC and is required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.

The Snapchat case, as well as other cases, shows that statements and promises made in your Privacy Policy can come back to haunt your business.  The statements made in a Privacy Policy are promises made to users about what your business is doing with their information.  If the Policy does not reflect your businesses’ actual information collection or use practices, then you can be sued or investigated for misrepresentations.  And if your business ever suffers a data breach, any lawsuit over the data breach will invariably raise a claim for making misrepresentations in your Privacy Policy.  See e.g. In re: Target Corp. Customer Data Security Breach Litigation, MDL No. 14-25222, Consolidated Class Action Complaint, D. Minn. 2014, at ¶¶127-134.

So if you are considering whether to adopt a Privacy Policy, consult with an attorney to see whether it makes sense for your business. And if you decide to adopt a Privacy Policy, make sure the Policy accurately reflects your information collection, use and disclosure practices. Below are some best practices about what would be included in a Privacy Policy and where it should be displayed on your website.

BEST PRACTICES IN CONNECTION WITH PRIVACY POLICIES

Conspicuously Display Privacy Policy

If you need a Privacy Policy, or decide to have one, post a link to this document on your website in a conspicuous, easy-to-find location.  The home page of your website is the best place as it will be available to site visitors before they ever submit any private or personally identifiable data on your website.  The font used should be large enough for site visitors to view easily.  Also, if you own an e-commerce website, the link to the Privacy Policy should also be prominently displayed on any products page and in the shopping cart.

Disclose Information Collection and Use Practices

One of the most important aspects of a Privacy Policy is to explain the types of information collected on your website and how your business uses the information. The following should be clearly explained regarding your information practices:

  • Types of Information: The types of information collected and used;
  • Purpose: The purpose of collecting this type of information;
  • Cookie Policy: Your practices regarding cookies, including any tracking cookies;
  • Do Not Track Policy: Many browsers have a “do not track” feature that lets users tell websites that they do not want to have online activities tracked. Make sure and state whether your website will respond to browser “do not track” signals.
  • Sharing/Selling Practices: Information about all parties, including third-parties, that you will share or sell information to;
  • Contact Information: Your contact information and the contact information of all third parties who receive the information from your website in case customers have a question or want to make a complaint.

Choice

Your Privacy Policy should explain what options the consumer has with respect to how/whether her data is collected and used by your website. For any choice, provide the customer with a way to opt-out of the information collection or use practice. For example, you may give customers the choice of not receiving any promotional materials, so you would provide them with an email or phone number by which they can opt-out of receiving this material.

Access

Your Privacy Policy should explain how a customer can see what data has been collected by your business about him/her and how the customer can change or correct the data if necessary. Provide a way that a consumer can contact you to make any changes and then be sure to honor any requested changes.

Security

Your Privacy Policy should state the security measures that you have implemented and how any data that is collected or stored is protected. Be accurate about your security practices and give an honest assessment. Far better to under promise and over deliver. Don’t say that your organization follows all applicable laws regarding data protection if you are uncertain about all legal requirements or that your business is actually following them. These promises can come back to haunt you if you have a data breach.

Redress

Your Privacy Policy should provide a way that a customer can contact you and seek redress if the Policy is being violated.  It should also include a limitation of liability for any damages that may be suffered by any breach of your Privacy Policy or for use of your website.

Updates

Your privacy Policy should inform users about how changes to the Privacy Policy will be communicated.  Document all changes to your Privacy Policy over the years and keep all versions of your Privacy Policy.  You never know when a regulator or individual will ask questions about a particular Privacy Policy version.

That’s it for this week.  Hope everyone is not getting buried in snow like me.  Please let me know if you have any questions or comments about Privacy Policies or anything else related to privacy.

Credit Card Security for Small Business (Pt. 2)

PCI DSS, Preparation, Prevention, Privacy, Security, Small Business 1 comment

In the last blog post, I discussed the first 2 steps of the 4 step process that small businesses need to follow to comply with the Payment Card Industry Data Security Standards (“PCI DSS”):

1.  PCI DSS Scoping – Determines what organization system components and computer networks are in scope for PCI DSS assessment.

2. Assessing – Exam and assess the compliance of system component and computer networks in scope following the testing procedures for each PCI DSS Requirement.

3. Reporting – PCI DSS Qualified Security Assessor (QSA) and/or business submits required documentation to validate compliance with PCI DSS, including documentation of all compensating controls.

4. Clarifications – QSA and/or business clarifies ROC and/or SAQ, if needed, at the request of the acquiring bank, or payment card brand.

This week I’ll look at the remaining 2 steps.

III. REPORTING

Reports are the official mechanism by which a business validates compliance with PCI DSS to your acquiring bank or payment card brand. Depending on the payment card brand and the acquiring bank, any of the following reports may be required:  Report on Compliance (ROC); Self-Assessment Questionnaire (SAQ); Quarterly scanning reports from Approved Security Vendors (“ASV”), if required; and possible others.

The form and extent of your validation reporting is made by your acquiring bank in accordance with the validation requirements set by the payment card brands. Visa, for example, divides merchants into 4 different risk levels based on the aggregate Visa transaction volume over a 12 –month period.  The more transactions a merchant handles, the greater the validation reporting requirements:

 

Level/Tier Merchant Criteria Validation Requirements
Level 1 Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region  • Annual ROC by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company

o The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification.

• Quarterly network scan by ASV
• Attestation of Compliance Form

Level 2 Merchants processing 1 million to 6 million Visa transactions annually (all channels) • Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance Form
Level 3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually • Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance Form
Level 4 Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually • Annual SAQ recommended
• Quarterly network scan by ASV if applicable
• Compliance validation requirements set by merchant bank

 

A merchant that suffers a data breach is automatically increased a level and may be required to fulfill the Level 1 validation requirements, even though it does not handle over 6 million Visa transactions.  MasterCard, Discover, and American Express also base validation requirements on transaction volume, although American Express breaks down the numbers a little differently.

Report on Compliance (ROC)

ROC’s are the most detailed and complicated of the validation reports required by the PCI Security Standards Counsel. ROC’s provide details about the organizations’ environment, assessment methodology, and documents the organization’s compliance for each PCI DSS Requirement.

The Official Template of the ROC for use with PCI DSS v.3.0 needs to be used by any QSA completing a ROC PCI DSS assessment for a business. The template includes the following sections:

  • Executive Summary – Description of organization’s payment card business and high level network diagram.
  • Description of Scope of Work and Approach Taken– Description of how the assessment was made, environment, network segmentation used, details of each sample set selected and tested, wholly owned or international entities requiring PCI DSS compliance, wireless networks or applications that could impact security of cardholder data, and version of PCI DSS used to conduct the assessment.
  • Details about Reviewed Environment – Diagram of each network, description of CDE cardholder data environment (“CDE”), list of all hardware and software in CDE, service providers used, third party payment applications, individuals interviewed, documentation reviewed, and details of managed service providers.
  • Contact Information and Report Date
  • Quarterly Scan Results – Summary of four most recent ASV scan results
  • Findings and Observations – Detailed findings on each requirement and sub-requirement, including explanation of all N/A responses and validation of all compensating controls.

As you can likely tell, the ROC is enormously complicated and expensive.  ROC’s are usually only required for entities that handle a significant number of transactions (over 6 million for Visa, MasterCard and Discover) or who have previously had a data breach.  They should only be completed by a QSA or ISA.  If you need a QSA, check out this list of approved QSA’s here.

Self Assessment Questionnaires (SAQ)

Most small businesses have less than 6 million credit card transactions and only need to file an annual SAQ rather than a ROC. A SAQ includes a series of yes-or-no questions about your security posture and practices with respect to each applicable PCI DSS requirement. If you answer “no” to a question, the business may be required to document the remediation steps that will be taken to correct the defect and when the remedial steps will be complete.

The type of SAQ that you business needs to complete depends on the manner in which you accept credit cards:

 

SAQ Description
A Card-not-present merchants (e-commerce or mail/telephone-order) that fully outsource all cardholder data functions to PCI DSS compliant third-party service providers. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.Not applicable to face-to-face channels.
A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.Applicable only to e-commerce channels.
B Merchants using only:
• Imprint machines with no electronic cardholder data storage; and/or
• Standalone, dial-out terminals with no electronic cardholder data storage.Not applicable to e-commerce channels.
B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor. No electronic cardholder data storage.Not applicable to e-commerce channels.
C-VT Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.Not applicable to e-commerce channels.
C Merchants with payment application systems connected to the Internet. No electronic cardholder data storage.Not applicable to e-commerce channels.
P2PE-HW Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.Not applicable to e-commerce channels.
D SAQ D for Merchants:  All merchants not included in descriptions for the above SAQ types.SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ.

 

Each SAQ is only intended to be used by the merchant that fits the description, and the questions are tailored to the PCI DSS requirements suitable to that type of credit card processing.  As such, some of the questionnaires have fewer questions and are easier to complete than others because the merchant has less contact with credit card data.  Choose the questionnaire that fits your business.  If you’re not sure what type of SAQ to fill out, check with your acquiring bank that can provide guidance.  Many processors will even fill out the self-questionnaire for you (usually for a fee), but you should make sure to review to ensure that it is the right one.

Quarterly Network Scans

As discussed last week, an organization usually has to have quarterly scans of their systems by an Approved Scanning Vendor (ASV) to check for internal and external vulnerabilities.  See Credit Card Security for Business (part I) at no.11, see also PCI DSS Requirements and Assessment Procedures at Req. 11.  Hire an ASV to conduct your quarterly scanning and follow the recommendations of your acquiring bank regarding the form and process for reporting compliance.

Attestation of Compliance

The Attestation of Compliance (“Attestation”) is your organization’s declaration that the relevant PCI requirements have been met.  There are 9 different versions of the Attestation, depending on which specific SAQ or ROC use.  If your business uses a ROC, use the Attestation for ROC’s.  If it uses SAQ A then use Attestation for SAQ A. And so on.

Each Attestation requires your business to provide:

  • Details about the business and the individual conducting the PCI DSS Assessment;
  • Executive summary of the manner in which your business accepts credit cards, the CDE covered by the assessment, third-party service providers, and your eligibility to use the validation report being used (ROC, SAQ A, SAQ A-EP, etc.);
  • Date that validation report was completed;
  • Whether your business complies with all of the PCI DSS requirements specified in the validation report;
  • Action Plan for any Non-Compliant Requirements.

The Attestation should be accurate and without misrepresentations regarding that status of your PCI DSS compliance. It’s far better to identify certain deficiencies and develop a plan for mediating them, rather than making a false statement to secure compliance.

IV. CLARIFICATIONS

Occasionally, the acquiring bank or credit card brand will ask for a clarification regarding some aspect of your PCI DSS compliance. Do not panic! This is not uncommon. Cooperate fully and be as helpful as possible to understand and solve the problem. Forward copies of any documents requested, and make sure to properly document any request, your answer, and any documents that are sent.

If your acquiring bank wants to conduct a PCI DSS Audit, comply fully. A PCI DSS Audit usually occurs when a data breach is suspected. If notified of an upcoming audit, gather all relevant information related to PCI DSS compliance and have it ready for the inspectors when they arrive. You want the audit team to rest assured that you take PCI DSS compliance seriously and are on-board for full cooperation. This will make the process smoother and get your business up and running again as soon as possible.

The audit team comes in and checks to see whether a security breach has occurred and the circumstances of the breach. The auditors also determine whether your business is actually compliant with PCI DSS requirements. If your business meets PCI DSS requirements, you are not responsible for any fines, credit card replacement fees, or fraud refunds that result from the breach. If your business is not compliant, you are potentially on the hook for any of these costs.

That’s it for this week. Thanks for reading. Let me know if you have any questions regarding PCI DSS or anything else.

How to Prepare for A Data Breach (Part 2)

Tags: , , Business, Data Breach, Preparation, Small Business, Uncategorized 1 comment

In addition to the steps discussed last week, a business should take the following steps to prepare for a data breach:

Step 5: Arrange Possible Remedies for Customers

A recent study shows that 25% of individuals notified of a data breach go on to suffer identity theft.  To combat this, most companies now offer – and consumers expect – some form of credit monitoring services for affected individuals.

Credit monitoring services are directed at fraud in connection with new financial accounts.  This fraud occurs when a criminal uses a victim’s personal information to open a new credit card or other financial account.  Credit monitoring does not prevent the opening of new accounts, but notifies an individual when a new account is opened, so that the individual can determine whether it is fraudulent.

Although credit monitoring service is nice, it is not that effective at actually preventing identity theft and is often a waste of money.  See Brian Krebs “Are Credit Monitoring Services Worth It?”  Notably, there are at least five types of identity theft fraud not covered by credit monitoring services:

Existing account fraud:  Occurs when a criminal uses an individual’s current financial account, such as a credit card account or bank account, to make a purchase from a vendor or withdraw money from the individual’s bank account.

Social Security number and tax refund fraud:  Occurs when a criminal uses an individual’s SSN to obtain employment, for tax reporting purposes, or for other illegal transactions.  Tax refund fraud is a rapidly growing problem and the IRS is attempting to combat it.

Criminal identity theft:  Occurs when an imposter provides another person’s name and personal information to a police officer during an arrest.  The imposter often fraudulently obtained a driver’s license in the victim’s name and provides the identification document to law enforcement.

Medical Identity Theft:  Occurs when a crook uses an individual’s name and/or other information, such as insurance information, to obtain or make false claims for medical goods or services.  Medical identity theft may result in false entries being entered into a medical record, or the creation of fictitious records in the victim’s name.

See Privacy Rights Clearinghouse, Fact Sheet 33: Identity Theft Monitoring Services.

To try and combat some of these other types of identity theft, many vendors now offer expanded identity theft monitoring services that provide additional monitoring services, such as monitoring commercial and public databases and online chat rooms.  These services vary widely, so you’ll need to investigate carefully to determine what service is best for your customers in the event of a data breach.  The Consumer Federation of America provides some helpful guidance about selecting an identity theft service provider and some assessments of the services offered.  See Consumer Federation of America: Best Practices for Identity Theft Services: How Are Services Measuring Up? Things may have changed since 2012, so make sure to update the information and look for additional identity theft monitoring service providers.

By looking into remedies now, you will be able to evaluate and assess the complete range of available remedies, and select the one that makes the most sense for your customers and business in the event of a data breach. You may also be able negotiate the best price and gain service concessions. None of this could be done in the middle of a data breach crisis.

Step 6: Draft Incidence Response Plan

You can now be begin drafting your Incident Response plan (the “Plan”). As a word of warning, this document can get very long and detailed, depending on the size and complexity of your organization. There are a lot of available on-line guides that can give provide guidance, such as the guides at the SANS Information Security Resources, However, to ensure the Plan is done properly, you may want to consult with a privacy and data security attorney or some other third-party vendor.

The basic elements to include in the Plan are:

Overview:  The Plan should have an overview section that outlines the goals, scope, purpose and assumptions of the Plan.

Roles and Responsibilities of Incident Response Team members:  The Plan should identify each incident response team (the “Team”) member, their contact information, and his/her role or responsibility.  It is better to have this information in writing so each Team member knows exactly what he/she is responsible for when a data breach occurs.  This information should be continuously updated, especially if one member leaves the organization.

Incident Definition and Classification:  The Plan should create an event classification system that defines what constitutes an incident, when an incident is serious, and the specific types of incidents that will set the plan in motion.  For example, port scans are not usually particularly serious, and it is doubtful that these events will set the Plan in motion. But a web security breach or a malware infection should warrant a more urgent response and the Team may need to be notified and the Plan set in motion.

Notification:  The Plan should identify the specific triggers to notify and procedures to follow when notifying the following:  the Team, insurers, law enforcement, outside attorneys, third-parties and customers.  Depending on the type and severity of the event, these groups will be notified at different times, and there will be specific procedures that need to be followed.  Include all statutory and contract breach notification requirements in the Plan.  Also include all insurance notification requirements.  If you choose to use a third-party vendor to notify customers, include all relevant contact information and details of any negotiated deal in the Plan.

Current Network Infrastructure & Payment Processing Systems:  The Plan should also identify, diagram, and include all supporting documentation regarding your organization’s web system architectures, network infrastructure, information flows, payment processing systems, and any other applicable system that contains or processes sensitive personal information.

Existing Security Safeguards:  The Plan should identify all currently operating safeguards that can assist with detection and prevention, including an intrusion-prevention system (IPS), firewall, web-application firewall (WAF), and endpoint security controls for the web, applications, and database servers.

Detection, Investigation and Containment:  The Plan should outline the procedures for detecting, investigating and containing the incident.  Keep in mind that these procedures should vary by the type of incident, the system involved, and may involve contacting third-parties such as law enforcement and forensic investigators.  Identify the circumstances when these third-parties will be brought in and include all potentially relevant information in the Plan.

Customer Remedies:  If your organization chooses to offer remedies to customers, such as identity protection service, then your Plan should identify the specific circumstances when the remedies will be offered. It should include the contact information of the third-party service provider and the terms of any deal that was negotiated.

Eradication, Cleanup and Recovery:   The Plan should also contain the procedures to follow to get the infected system back up and running.  The cleanup will vary depending on the type of system and the type of attack, but you want policies and procedures in place about how to handle it.  In order to preserve other parts of your IT system, you also want to have procedures about the steps to take before putting the infected system back into production.

Post-Incident Review and Follow-up:  Your Plan needs to include the date for a mandatory follow-up meeting with the Team in order to learn from the incident.  The purpose is to process all of the information that was learned from the incident and figure out if your security posture needs modification to prevent future attacks.  There are likely several questions that will need to be addressed, but try to avoid spending the meeting finding someone to blame. It will be a waste of time and energy and will not improve the security of your organization.

Step 7: Employee Awareness and Readiness Training

As part of your organization’s privacy program, your employees are probably already trained on privacy fundamentals like data collection, retention, use and disclosure.  Your organization should also train every employee about basic breach response procedures and protocols, like what constitutes a data breach and whom to call if a data breach is suspected.  You should also require third-party vendors to do the same.  Team members should receive regular in-depth training about how to investigate a data breach, report findings, and communicate with media and regulatory authorities.  Any completion of required training should be documented and reported to management for internal policy compliance.

Step 8: Crisis Simulation & Revision

It is important to know how your organization will fare during a breach crisis and identify and correct any gaps.  The best way to assess your organization is by running two types of breach crisis simulations: a table-top exercise and a “live” simulation.

A tabletop exercise is a simple way to practice executing your Plan without the expense or interruption of a full scale drill.  In a tabletop exercise, Team members talk through a breach crisis scenario in a “war room” type of setting.  These exercises should involve everyone on the Team so that every member has an opportunity to think through their role during a breach event.

“Live” simulations are more elaborate and tend to mimic real-world conditions more closely than tabletop exercises.  “Live” simulations are usually impromptu events that can occur at any time, including the evening or a holiday, like a real breach.  The most effective simulations involve breach response vendors that your organization has contracted with, as well as your internal Team.  In a “live” simulation, systems are actually compromised and even social media uproars can be created. Talk with your service providers to develop simulation exercise that includes everyone.

After conducting simulations, evaluate the effectiveness of your Plan to identify any gaps in your organization’s response.  Revise your Plan to fill these gaps and ensure that your organization improves.

If you follow all eight of these steps, your organization will be better prepared for the inevitable data breach.  Thanks for reading.  Please let me know if you have any questions or wish to offer suggestions based on your experience.

Basic Steps to Prevent Small Business Data Breach

Tags: , , , Data Breach, Prevention, Small Business 1 comment

It seems like every day in the news; another data breach is reported where millions of records are lost. In the past year alone, the following major data breaches occurred:

Target – Lost 40 million credit and debit cards, along with 70 million customer records, including name, address, email address and phone number.

Home Depot – 56 million debit and credit cards stolen and 53 million email addresses.

eBay – 145 million active users’ data at risk.

JP Morgan Chase – 76 million households and 7 million small businesses.

Community Health Systems – 4.5 million patients.

Goodwill/ C&K Systems– 868,000 cards at 300 stores.

Although large companies make the headlines and grab our attention, small businesses are also targets for cyber-attacks.  In 2013, Symantec reported that 31% of all targeted attacks were directed at businesses with less than 250 employees.  See Symantec 2013 Internet Security Threat Report.  This finding was echoed by a study conducted by the Ponemon Institute, which found that 55% of small businesses in the U.S. have had a data breach.

Despite this, a majority of small businesses do little to protect themselves from a cyber-attack or protect the sensitive information of their customers and employees.  This inattentiveness is extraordinarily risky.  The average cost for a data breach in 2014 is $201 per record and the probability of a business having a data breach over the next 2 years with more than 10,000 records is nearly 19%See Ponemon Institute, 2014 Cost of Data Breach Study, at 1-3.

These numbers should terrify every small business owner. But there are 7 cost-effective basic steps that a small business can take to decrease the likelihood of a data breach:

1) Identify:  The business should first identify all types of personal and confidential information (“Personal Information”) collected, possessed and used by the business.  Personal Information can include: names & addresses, financial account numbers, social security numbers, e-mail addresses, license numbers, health care information, video rental records, and anything else that can allow the business to identify a specific individual or company.

2) Locate:  Next, the business should determine where the Personal Information is located and stored and where it comes from. Locations can include workplace files, computers, mobile devices, websites, networks, and many other places.  Employees and owners should be questioned about all of the places where they store Personal Information, since they might have data on their home computers and personal mobile devices.

3) Evaluate Risks: The business should then identify and evaluate all potential risks to the security, confidentiality and integrity of the Personal Information in the business.  Risks come in all shapes and sizes and can include natural disasters, cyber-attacks, theft, use of mobile devices & laptops, negligent employees, accepting credit cards, and many, many others.

4) Implement safeguards: After evaluating the potential risks, the business needs to implement reasonable safeguards to mitigate these risks. Safeguards come in three different forms: Physical, Administrative, & Technical.

Physical Safeguards: These are the physical protections, rules, and procedures a business takes to secure Personal Information from physical threats such as natural disasters and unauthorized intrusions. Depending on the business, these safeguards can include: Offsite secure storage, Locked doors and file cabinets, fences, security guards, cameras, passwords, ID cards and other authentication measures for computer/facility access, regular automated backups, and many other possible preventative measures that can be taken.

Administrative Safeguards: These are the management measures, policies, and procedures that an organization puts in place to protect Personal Information. These measures should include:

• Written Information security policy
• Incident response plan
• Internet usage policy
• Social media policy
• Mobile phone policy
• Bring your own device policy
• Specific limitations on employees’ access to information
• Rigorous protections and oversights in third-party vendor contracts
• Employee background checks
• Employment contracts with confidentiality clauses and restrictive covenants, and
• Others depending on the nature of the business.

Technical Safeguards: These are technological measures implemented by an organization to manage and protect Personal Information. These measures should include:

• Keeping hardware, operating system software and apps up to date;
• Using and updating antivirus and antispyware on all computers and devices;
• Using firewalls and virtual private networks to secure sensitive information; and
• Requiring strong passwords with quarterly changes.

Depending on the size and complexity of the organization, and the size of the information security budget, there are many more advanced protections that can be implemented. But the foregoing is the bare minimum that should be done by every business to help protect the organization.

5) Train Employees:  This point cannot be emphasized enough.  Businesses should regularly train employees on the proper way to collect, use and store personal information.  Employees also need to be trained about the nature of today’s cyber-attacks and the best way to protect themselves and the organization.  Cyber-attacks usually begin when an individual opens a “phishing” email message with an attachment that contains malware that infiltrates your network. To stop this, a business should employ a spam filter that will try to catch phishing e-mails and other junk.  But even the best spam filters are not always successful. Employees need to be vigilant and trained not to open anything that seems even remotely unusual.  One isolated training session is not enough, and a business should regularly hold training sessions to emphasize the importance of privacy and information security.

6) Destroy:  Any personal information that is no longer being used by the business should be destroyed.  Paper documents and paper files should be shredded, pulverized, macerated, or burned.  If you hire a company to do this, make sure that the vendor has a good reputation, there are sufficient contractual protections to safeguard the data, and that you understand the vendor’s destruction and disposal practices.  Do not just throw your unshredded sensitive paper documents in the dumpster near your business.

Computers and other electronic storage devices and the information stored on them are a little more difficult to destroy. Merely deleting the information is not enough, and steps need to be taken to overwrite or physically destroy the electronic device and computer. Different electronic devices need to be wiped clean in different ways. If you want to do it yourself, there is plenty of information on the internet about this process.  See, e.g. https://www.us-cert.gov/security-publications/Disposing-Devices-Safely; http://it.med.miami.edu/x677.xml; https://www.privacyrights.org/personal-data-retention-and-destruction-plan#destruction.  If you want to hire a vendor, make sure that they have a good reputation, there are sufficient contractual protections to safeguard the privacy of the data, and that you understand how the device is going to be wiped or destroyed.

7) Monitor and Repeat: After completing the prior steps, you should continuously monitor your systems, networks, and business to make sure that the safeguards are working.  If the there are problems, or your business needs change, you may need to revise or implement the security practices that were put in place.  This is an ongoing process and cyber-threats are continuously evolving.  You need to be vigilant in order to have the best chance of preventing a data breach.

Following these steps will not guarantee that your small business won’t have a data breach.  But they are cost-effective and should decrease the likelihood of a data breach.  Your business will also be in a better position to determine whether more expensive protections are needed.

Thanks for reading! I would love to hear if you have other suggestions or there is something else your business is doing to protect itself from a data breach.