What is a “Reasonable” Privacy and Security Program?
Many data privacy and security regulations require businesses to have a “reasonable” privacy and security program. What exactly does “reasonable” mean? This vague terminology leaves significant room for guesswork when developing a privacy and security program. However there is one thing you can be sure of…you must have some program in place.
Most large corporations already have data privacy and security policies that surpass anything required by law. However, small and medium-sized businesses often lack robust data security and privacy programs, which makes them especially vulnerable to data breaches and other cybersecurity issues.
It is not acceptable for any business, regardless of size, to go without a reasonable privacy and security program. This type of negligence could put your customers’ data in danger and could ultimately set your business up for failure if a breach occurs. Developing a privacy and security program may feel overwhelming, but a few simple steps can go a long way in protecting your company.
Examples of Current State Regulations
Several states have recently passed laws governing data privacy and security. California has some of the country’s most robust data security laws, including the California Consumer Privacy Act (CCPA). This law spells out many expectations for businesses over a certain size to:
- Notify customers of their privacy practices
- Honor consumer requests for details on the data collected
- Allow consumers to opt out of data collection
- Honor consumer requests for data to be deleted
- Maintain a database to track business practices, third parties, products, devices, and applications used for data processing or storage.
The California Civil Code mentions that businesses should use “reasonable” security practices to protect personal consumer data from unauthorized access, use, modification, destruction, or disclosure, but it does not define what “reasonable” means. Therefore it is up to the business to determine the threshold of reasonable and the first step is to determine the value of the data they hold, their risk and most importantly their risk appetite.
What Makes Small and Medium-Sized Businesses (SMBs) Especially Vulnerable?
Although data breaches that affect large corporations are the ones that often make the news, cybersecurity threats are a common issue for small businesses, and they can have devastating effects.
Hackers often analyze a business’s vulnerabilities before launching a targeted cyber-attack. They choose to target companies that will give them financial benefits with minimal effort. This means that even if your small business is not well-known, it could still become the victim of a cyber-attack if hackers see it as an easy target.
Small businesses often lack the resources and expertise to implement an effective data security program and may not provide the employee training necessary to recognize and avoid cyber threats. Cybercriminals often use a strategy known as phishing, spear phishing, and smishing. Many small businesses are tight-knit communities, where employees know the CEO and executive leadership team personally. Hackers can use this to their advantage by impersonating a trusted leader to convince employees to send private information or even money directly to the cybercriminals.
Recovering After a Cyber Attack
In addition to being a vulnerable target, small businesses typically have a harder time recovering after a cyber-attack. While large corporations may carry millions of dollars in cyber insurance that helps absorb the financial impact of a data breach, SMBs typically have lower coverage levels, and some do not carry cyber insurance at all making recovery a financial burden.
SMBs thrive when they maintain a good reputation among their customer base. When customers lose confidence in a business’s ability to protect private information, they often switch to a competitor who can provide similar services with less perceived risk. When a company’s reputation is tarnished, many small businesses are not able to rebuild, and can ultimately fail.
Potential Elements of a Reasonable Security Program
The Federal Trade Commission (FTC) says that businesses can avoid liability for data breaches by following the National Institute of Standards and Technology framework. However, the NIST framework is so lengthy and complicated that it would be very difficult for an SMB to implement all of these policies. Even understanding the document enough to choose the most important suggestions to implement is beyond the scope of most SMBs.
A strong privacy and security program should include:
- Privacy Assessments – This is an important starting and check point for a data privacy and security program. A privacy assessment can help summarize how your company collects, uses, and stores personally identifiable information (PII), identify potential security risks, and develop or improve policies based on best practices. In addition to obtaining a baseline, an annual privacy and security assessment is a recommended best practice for any organizational program.
- Policies and Procedures (Administrative Controls) – The weakest link in data security is often the human element. If your employees are not aware of data security risks and how to avoid them, they can make costly mistakes. Businesses should develop policies that include employee training. These policies should include but not limited to who can access protected data and from which devices, how to report a suspected phishing attempt or scam, password management, an incident response plan, technical security and physical security policies, and a disaster recovery plan. Additionally, limiting personal data collection to the minimum amount needed to conduct business can minimize the effects if a breach does occur. It is essential to regularly evaluate the effectiveness of these policies and make changes as needed.
- Vulnerability Scanning – Most companies use a firewall as a basic first line of defense against unwanted network access. However, simply having a firewall installed is not enough. In addition, almost every organization has a virtual presence, their websites. These are two publicly available access points into an organization’s network. Vulnerability scans should be regularly performed on your firewalls and website to identify vulnerabilities and make necessary improvements to manage your organization’s risk of data loss.
- Vendor Management – Many small and medium size businesses contract with third-party vendors who may require access to customer or employee data. Third parties may include outside call centers or data centers, payment processing companies, auditors, attorneys, and/or software providers. These companies have vastly different data privacy and security policies, which could put your customers’ data at risk.
You may be held legally responsible if your customers’ data is compromised due to a vendor who lacks adequate data security practices, even if it wasn’t directly your business’s fault. To reduce this risk, you should assess each vendor’s data security policies before entering into a contract, and review their policies and practices regularly to ensure they continually meet high standards.
- Incident Response – In today’s environment, security breaches are so common that your company may still experience a security breach no matter how much you do to prevent it. How you respond to these incidents can greatly affect the impact on customers and your business. Each state has security breach notification laws that you will need to follow in the event of a breach.
Implementing a Data Security Program Is an Ongoing Process
Sitting down and implementing a data privacy and security program that meets current state and federal regulations is not enough to truly protect your business. State and federal laws are created in reaction to changing cybersecurity threats, but it takes time for governments to develop and pass these laws. Rather than only being reactive to changing laws, companies can proactively evaluate and improve their own data privacy and security policies to keep up with evolving threats.
For example, just a few years ago, email was the main method cybercriminals used to try to convince unsuspecting consumers to provide personal information. Now, they are increasingly turning to text messages in a new type of phishing attack. Regularly updating policies and security measures and providing training to employees on emerging security threats can help your business stay ahead of the game. Employee training does not need to be lengthy training modules or meetings. Some of the most effective training may take the form of a quick meme or funny video clip that highlights a specific threat.
Data breaches do not always originate from an external source. Sometimes bugs or vulnerabilities in a computer system allow for data that was intended to be private to be published publicly. Additionally, sometimes employees make mistakes that could release private data, either unknowingly or with malicious intent. It is just as important for companies to stay on top of their own computer systems and internal processes as it is to keep hackers out.
10 Questions to Ask While Developing and Implementing a Security Program
Cybercriminals’ tactics to gain access to data are constantly evolving, so regardless of if you are a brand-new startup or a business that has been established for decades, everyone can find ways to improve data security.
As you begin to develop or improve a security program, answering these questions can help you assess your current security practices and identify areas for change.
- What type of data are you collecting? Is it regulated personal information (PI)?
- Are you categorizing or separating this data from other data?
- What are you doing with this data? If it provides no functional or operational benefit, consider no longer collecting it to decrease your risk.
- What are your access control policies and procedures to protect the data? Does everyone at your business have full access? Is access limited to a select few employees? Or is it somewhere in between?
- What other administrative controls (policies and plans) do you have in place?
- Do you train your employees on security and privacy best practices at least annually?
- What technical controls do you have in place to manage your risk? Examples include multi-factor authentication, VPN requirements for remote access, anti-virus on all workstations, anti-spam/anti-phishing solutions, etc.
- Are you reviewing your processes annually to ensure effectiveness and if they are still valid for your current organizational model and goals?
- Are you monitoring access to your network with at least a notification when there are anomalies or unauthorized access attempts? For example, you could set up notifications if employees are accessing data during non-work hours, or if outside entities compromise the system and attempt to access data.
- Are you reviewing changes to state and federal regulations to see how they may impact your organization now or in the future?
If the answers to any of these questions are “I don’t know?”, “No” “Maybe”, or “Sometimes”, that would be a good place to start improving. No one expects your privacy and security plan to be perfect. In fact, achieving “perfection” is not possible in a constantly changing environment. In addition, the key to risk management is understanding the organization’s risk appetite. Now that you are aware of some of the elements of a “reasonable” security plan, the next step is to make plans and implement changes. Even small steps in the right direction can greatly benefit your business and your customers.
Everyone Benefits When SMBs Work To Prevent Data Breaches
If implementing a reasonable privacy and security program still feels too daunting or expensive, consider how it can truly benefit your business in the long run. Consumers are increasingly wary about sharing their personal information with companies that do not demonstrate strong data privacy and security standards and may choose a competitor if they have a better data security reputation. Just as you pour money into product development, marketing, and other aspects of your business to beat the competition, data security should also be a top priority.
In addition to accessing your customers’ personal information, cybercriminals may also target proprietary information that could be leaked or sold online and wreak havoc on your business. Finally, recovering from a data breach is not cheap. Without a doubt, your employees will need to spend countless hours doing damage control, which will take them away from their usual responsibilities. You may even need to hire forensic investigators or other experts to help you understand what happened and repair the damage. Additionally, you could face lawsuits and other major financial impacts. Investing the time and money now to implement a reasonable privacy and security program is not only the responsible thing to do, but it could also help your business grow stronger and avoid future financial struggles.
Take The Next Step In Improving Data Privacy Security
Implementing a reasonable privacy and security program does not need to be unaffordable or out of reach. Taking a few small steps can make a big difference. If you are ready to adopt a program that will help you fully comply with state and federal data security standards, uRISQ is designed to meet the unique needs of small and medium-sized businesses.