When it comes to record management and customer notifications, the legal requirements for businesses vary vastly from state to state. Take for example California, where businesses are required by law to immediately notify a state resident if his or her personal information has been acquired by an unauthorized user. Most states have similar laws. In Alabama, however, there is no state law requiring a business to notify customers of a data breach.
But only doing the bare minimum of what is legally required can still leave your business vulnerable to reputational harm, loss of customers and disruption of business processes that may prove catastrophic in the long run. Ask yourself this: If it were your data stolen, would you want or even expect to be notified?
What Constitutes a Customer or Employee Record?
In 2016, more than 4,000 data breaches exposed over four billion records. But what exactly are we talking about when we are referring to “records” that have been exposed?
In general, data collected on customers and employees falls into three basic categories:
- Health information, such as records from a doctor’s office or human resources department
- Banking information, such as credit card, debit card or bank account numbers
- Personally identifiable information (PII), or data that can identify the person, the person’s location or other private information
It is often this last category, PII, that causes the most confusion. The federal government and many states have taken a stab at clarifying what constitutes PII, and these definitions vary wildly.
Take a moment and think about the information you require from your customers or employees, or even think about the type of information you provide as a customer yourself. Everything from your password, answers to your security questions, your shipping address or even your driver’s license number is an identifying piece of information.
With just an email address and answers to common security questions, a cybercriminal can reset the password to a customer’s email account and gain access to their inbox, which can lead them to social media profiles or Netflix or iTunes accounts that house credit card or bank account information. But that’s not all. Even if your business was not directly impacted by the breach itself, it may still be held liable for those stolen records, including records that were stolen from a vendor.
While each state might have differences of opinion regarding which specific pieces of data you collect are legally protected, will your customers feel the same?
What Are the Risks Associated with Your Business Records?
There are two major risks when a business gathers and stores customer and employee information.
The first is to your customers and employees. Not only is there a risk of financial harm if the right information gets into the wrong hands, but an individual’s privacy and security can also be exposed. As a business, it is your responsibility to know what information you have and to notify your customers and employees—whether or not you are legally required to do so by your state—if you have been breached. This is expensive and has to be done immediately and done right.
The second risk is to the reputation of your company after a breach. How you handle the moments after a breach can impact how your customers or employees react once they find out their personal and sensitive information may have been exposed. Having the right type of support after a breach can make or break a business.
What Actions Should Companies Take?
Having a clear understanding of what type of personal and sensitive information is stored on your business’s computer system and other electronic devices is a must. The same is true for vendors that may house customer or employee data on your behalf. Maintaining an inventory of the information you have on hand is important, especially if your business has been the victim of a breach, so that you can accurately notify your customers or employees of the information that has been exposed.
To properly protect a business today you need a robust cyber insurance policy, not just any cyber policy. Any cyber policy might include customer notification costs, but a good cyber insurance policy will also:
- Provide notifications for all your customers, even if you are not legally required to do so
- Pay to maintain your good reputation in the marketplace should a breach occur
- Include forensics to determine how the breach happened in the first place and fix it
Another important part of coverage when choosing a cyber policy is business disruption coverage. Many businesses never fully recover from the lost business following a breach. Be sure this coverage is included in your policy. According to a 2016 study conducted by Keeper Security and Ponemon, businesses that have been victims of a breach have lost an average of $955,429 due to the disruption of normal business operations, in addition to the average of $879,582 companies have spent on damages (i.e., impact on business reputation or loss of trust from stakeholders) or theft of IT assets after a breach. Can your business sustain that loss without the insurance to cover it?
By having a clear understanding of what type of records you are collecting and storing from your employees and customers, along with a good cyber policy, every business owner can rest assured that if they are the victim of a cyber attack, they have the know-how and the support of their insurance provider to keep their business running smoothly with the least amount of damage to business processes and reputation.