The Small-Business Owner's Guide to Identity Theft Prevention and Data Security

Data Breach & Identity Theft Prevention Guide | October 2014

    Many small-business owners are a little overwhelmed when it comes to computer and network security. Over the last year, we've heard many news stories about data breaches. And yet, it's rare to hear anyone actually talk about what you can do to protect your business and prevent identity theft and data breaches.

    That's why we've put together this guide. It outlines a series of steps that any small business can take to protect its data.

    Why Is Computer and Network Security Important for Small Businesses?

    FierceCIO, a computer security firm, found that companies can expect to lose up to 33 percent of their customers after a data breach. Because the effects of data breaches are so drastic, small-business owners need to take steps to prevent data breaches and have a plan in place to minimize the damage if one occurs.

    This guide walks you through:

    • Setting up your data security plan.
    • Identifying your cyber risks.
    • Learning federal and state data protection laws.
    • Improving your network security.

    What Data Do I Need to Protect?

    Let's start with the basics. The first thing you need to understand is that, as a small-business owner, you have all kinds of data you need to protect. Logins, passwords, addresses, phone numbers, financial / credit card information, and even email addresses need to be secured. Hackers can use any of this information to try to steal money from your customers or make fraudulent purchases.


    What Happens if My Business Is Hacked and Customer Data Is Stolen?

    Customer identity theft is a nightmare. Not only can your customers sue you, but your business will also lose sales, suffer damage to its reputation, and incur other losses that can last years. Protecting your data is as much about protecting your customers as it is about shielding your business from devastating costs and burdensome lawsuits that can follow a data breach.

    How Do I Prevent Identity Theft at My Business?

    Data protection is complicated, and it requires adopting a comprehensive strategy across all levels of your business. We'll break it down step by step. This guide includes the following sections:

    • Data Breach and Identity Theft FAQs
    • Data Breaches vs. Identity Theft: What's the Difference?
    • Data Breach Laws for Small Businesses: A State-by-State Guide
    • Data Protection Checklists


    Data Breach and Identity Theft FAQs


    Data Breach and Identity Theft FAQs

    Data breaches and identity theft are complex and often confusing phenomena. Click the links below for answers to some of the most common questions small-business owners have about data security, data breaches, and ID theft.

    • What is a data breach?
    • What is identity theft?
    • Would hackers really target my business?
    • Can hackers break in through my mobile app or third-party software?
    • Does my insurance offer identity theft prevention?
    • What do credit protection services do?
    • What can I do to prevent identity theft?
    • What do I do after a data breach?
    • How do I know I've had a data breach?
    • Is my IT consultant liable for my data security?
    • What are my state's data breach laws?
    • How much does a data breach cost?
    • How likely am I to experience a data breach?


    What is a data breach?

    A data breach is the unintentional disclosure of personal data. A data breach can be caused by outside criminals (hackers and identity thieves), but many are caused by mistakes within your organization. When employees lose their iPhones or accidentally email the wrong spreadsheet, they can unintentionally expose your business's data.

    What is identity theft?

    Identity theft occurs when a criminal uses stolen data to make purchases, apply for loans, or pretend to be someone else. Often, it isn't hackers who commit identity theft. Hackers steal information and then sell it to criminals who use the stolen information to make fraudulent purchases. There is an entire underground economy in which identity thieves buy stolen credit card numbers for $10 to $20 a pop from hackers. Then they use this data to buy items such as iPads, because they are portable and have a high resale value.

    (If you're confused about the relationship between a breach and fraud, see Data Breach vs. Identity Theft.)

    Would hackers really target my business?

    When most people think of data breaches, they get an image of a hacker in a hoody targeting a huge corporation or government entity. Unfortunately, that's not really the way most data breaches work. Data breaches are often crimes of opportunity. Many hackers simply have software and computers that do the work for them. This software tests company websites and networks to see if they have any blatant security holes. If so, the software attacks. Like anyone else, hackers use software to make their job easier. Unfortunately, that means that any business (big or small) can be targeted.


    Can hackers break in through my mobile app or third-party software?

    Hackers can find ways into your business by attacking third-party companies you employ (vendors and contractors) and through your mobile apps. In fact, many breaches occur this way.

    One way to protect your business is to make sure you always work with contractors who are security-conscious and who have adequate business insurance. To learn more about managing third-party risk, see Checklist: How to Choose an IT Contractor Who Will Keep Your Data Safe.

    Does my insurance offer identity theft prevention?

    Cyber Liability Insurance (also called Data Breach Insurance or Cyber Risk Insurance) can cover you if your customers' data is exposed. This policy pays for credit protection services, data breach notifications, investigation and clean-up expenses, and other costs related to your response to a data breach.

    What do credit protection services do?

    Credit protection services monitor a person's credit for any signs of fraudulent activity. After a data breach, companies generally offer this service to their customers. If an identity thief uses stolen data to make a purchase, withdraw money, or apply for a loan, the customer is notified about the suspicious activity.

    What can I do to prevent identity theft?

    Michael Chertoff, the former head of the Department of Homeland Security, suggests that companies and consumers think about their data security in the same way they think about hygiene. In fact, he coined the phrase cyber hygiene.

    The idea is to practice good data habits every day. These include using strong, unique passwords, hiring contractors with E&O Insurance, following IT security protocol, limiting access to sensitive data, updating your software immediately when patches become available, etc.

    Good habits will go a long way to prevent data breaches. But you need to make sure all your employees follow this routine, which can be easier said than done. Also, ask your IT consultant what security policies will protect your business. For more, see How to Protect Your Business from Identity Theft: Prevention.

    What do I do after a data breach?

    After a breach, there's a lot you'll need to do. You must contact law enforcement, investigate the breach, and shore up your security. For a full walkthrough of your data breach responsibilities, see our checklist, How to Respond to a Data Breach.

    How do I know I've had a data breach?

    If you have proper security software in place, you can be alerted when data is downloaded from your network. Security logs should show a record of suspicious activity.

    It's also possible security software won't work, and you'll find out the hard way when an angry customer calls you or law enforcement agencies contact you.

    Is my IT consultant liable for my data security?

    Your IT consultant may be liable for your data security, depending on what you hired them to do. If their work is directly related to the system that caused the data breach, they may have some liability. If you have adequate Cyber Insurance, however, that policy will likely cover the cost of rebuilding your business after the breach. You'll want to make sure that any IT companies you work with have Errors and Omissions Insurance. This insurance coverage insures your contractor's work. If you believe your IT contractor's negligence directly caused your data breach and you decide to sue them, their E&O Insurance covers the cost of the lawsuit, as well as any damages they are found liable for paying you.

    What are my state's data breach laws?

    Currently, 46 states have their own data breach laws, and each is slightly different. We can't summarize them accurately in as short a space as we have here. However, data breach laws generally require you to notify customers, report breaches to authorities, and take steps to prevent identity theft. If you'd like to know the rules in your state, see our guide to state data breach laws.

    How much does a data breach cost?

    According to experts: $195 per lost record. If you lose 1,000 customer records (including information like addresses, logins, or financial info), the typical business pays $195,000 or loses that amount in lost revenue and damage to its reputation.

    How likely am I to experience a data breach?

    Studies show you're always under attack. For instance, 1 in 5 small businesses is targeted by a spear phishing email scam designed to look like your bank or other financial company is contacting you for information.

    Data Breach vs. Identity Theft: What's the Difference?

    Data Breach vs. Identity Theft: What's the Difference?

    By understanding the differences between data breaches and identity theft, small businesses can prevent some data breaches from turning into identity theft disasters. After a breach, you'll need to move into identity theft prevention mode. A risk management plan and adequate Cyber Liability Insurance will help you move quickly, meet your state data breach requirements, and protect your customers from fraud.

    Note: The statistics cited here come from the Ponemon Institute's 2014 Cost of Data Breach Study.

    What Is a Data Breach?

    A data breach is a catchall term: it refers to any scenario in which your customers' data might have been exposed. Here are some examples that show just how many different things can be called a data breach:

    • When sending an email, an employee accidentally attaches a document that contains personal data.
    • A hacker breaks into a business's network and downloads point-of-sale data.
    • A healthcare employee sends patient data using a non-encrypted email.
    • Malicious software (aka malware) spreads to a business's servers and steals private data.
    • An employee downloads a business file to their thumb drive and opens it on their unsecure home network.
    • A problem with a company's web hosting software causes financial data to be exposed online.
    • Thieves break into your office and steal a laptop, which contains company data.

    In each of these cases, data might have been exposed. You'll notice how few of these examples involve hackers. In fact, only 42 percent of data breaches are caused by hackers or criminals. Thirty percent are caused by human error (like the employee who emailed the wrong document), and 29 percent are caused by system glitches (like the web host error).


    What Is Identity Theft?

    Identity theft occurs after a data breach. Identity theft happens when cyber criminals use stolen data to make purchases, apply for loans, withdraw money, or commit fraud. If a data breach is the moment you lose data, then identity theft is the moment criminals use that data for malicious purposes.

    It's worth emphasizing that not all data breaches lead to identity theft. As we saw above, some breaches occur because of a lapse in security. An employee might use email in a non-secure way, but the odds of identity theft occurring are slim.

    It's also important to understand that identity theft can be prevented even after a data breach has occurred. Let's say you find out that your business's network has been infected with malware. Hackers have stolen information from thousands of customer transactions, along with customer credit card data. Read on to find out what you should do next.

    How Do You Prevent ID Theft after a Data Breach?

    Immediately following a data breach, a small business should contact its customers, alert them to the breach, and shore up its network security. It's also a good idea to offer fraud-monitoring services, which notify customers when their credit cards or bank accounts have any suspicious activity.

    The reasons for this are twofold:

    1. Customers are able to catch fraudulent transactions early.
    2. Criminals are less likely to use stolen data if it has a low success rate.

    The second reason paints a fascinating picture of how identity theft really works. When data is stolen, hackers sell that data on the black market. Identity thieves buy data and imprint it on fake credit cards that they use to make fraudulent purchases. However, criminals don't want to buy stolen data if it only works some of the time.

    Hackers actually post the success rates for their stolen data. If you fight back and your credit monitoring services catch ID theft in action, you might actually nip further ID theft in the bud.

    How to Protect Your Business from Identity Theft: Prevention

    Remember the old saying that an ounce of prevention is worth a pound of cure? Well, it holds true for data breaches and identity theft. The data security education organization Online Trust Alliance reviewed 500 data breaches and estimated that 89 percent of them could have been prevented. If so many data breaches are preventable, why do they still occur?

    There are a few reasons. Often people just make mistakes. Well-meaning employees might accidentally expose their company's data. Other times, businesses don't focus closely enough on data security, or they find data security practices to be too cumbersome.

    Employee mistakes and lax attitudes toward security both speak to a gap in understanding: if small businesses understood their data security better, they'd be able to prevent more identity theft.

    What Many Businesses Don't Understand about Data Breaches: They're Expensive

    If businesses don't take data security seriously, it's because they don't understand how costly even a small data breach can be. Data breaches and ID theft mean your business must spend tens of thousands of dollars to limit the damage and shore up its network security. After a cyber attack, you'll face many direct and hidden expenses, including:

    • Lost revenue.
    • Damage to your business reputation.
    • Credit monitoring for your customers.
    • Costs to figure out how a breach occurred so you can repair your network.

    The Ponemon Institute estimates that data breaches cost $195 per lost record, which means that a cyber attack involving just 500 records could cost you almost $100,000. If your customers are victims of ID theft after their data is exposed, you can expect to pay even more.

    What can you do to prevent a $100,000 data breach? Depending on the nature of your business and the technology you use, you'll need to take different measures to prevent data breaches and identity theft. We'll go over some of the common data breach prevention techniques small businesses can use, but first we need to explain how to institute a company-wide data protection policy.

    How Data Security Is Like Preventing Fires

    It might be helpful to think about data breaches as if they were another kind of risk. Let's say you run a warehouse, and you're concerned with preventing fires. What would you do?

    You might dispose of potentially flammable material, make sure the wiring in the building is up-to-date, clean your warehouse, throw out unnecessary material that could catch fire, and hire a fire safety expert to inspect your warehouse. A proper data security approach works the same way.

    To prevent data breaches, you'll want to:

    • Get rid of old data you no longer need to do business.
    • Update your software with any security patches available (these fix holes where hackers have gotten in in the past).
    • Review your data collection policies to make sure you're only collecting data you need to do business.
    • Work with an IT professional to review your network for potential security weaknesses.

    Its also important to understand what makes data security different from other risks: identity theft prevention must start at the employee level. Because your employees implement the IT policies that will secure your data, youll have to train and educate each one. This is easier said than done.

    Every time your employees log on to your network, there's a risk that they could expose your company's data. The passwords they choose, emails they open, and files they access determine the risks your company faces.

    And if you don't have any employees? Then data breach and identity theft prevention fall squarely on your shoulders. That's one reason it's a good idea to have a breach prevention and data protection plan in place: once you've outlined the essentials, you don't have to agonize over every move.

    A comprehensive data breach prevention plan will:

    1. Outline what you expect from employees (and from yourself) and give everyone the tools necessary to be secure users.
    2. Have IT policies in place to limit data breaches and prevent identity theft.
    3. Establish a workplace culture of security diligence.

    Jump to the Checklists section for a checklist of things your business can do to prevent data breaches and identity theft.

    How to Protect Your Business from Identity Theft: Response

    What do you do if a data breach hits your business? The steps you take to respond to a data breach may make the difference between facing identity theft lawsuits and having a small, containable data breach.

    The statistics about data breaches aren't pretty. A study by Risk Based Security, an Internet security firm, reports that in 2013, the number of consumers affected by data breaches was twice as many as any other year. And they're happening at small businesses as well as larger ones. In fact, Forbes Magazine calls data breaches inevitable for small businesses.

    Given the increasing risk of cyber attacks, you need a comprehensive plan in place to help you respond to a breach quickly, limit its damage, and prevent identity theft. Specifically, your data breach response plan should outline how to:

    1. Investigate the data breach.
    2. Report the breach.
    3. Contact your customers.
    4. Reduce the risk of identity theft.

    Your First Response: Investigate the Data Breach

    Before you can do anything, you need to know what you're up against. Depending on your level of technical expertise, you might need outside help as you investigate the breach. Your IT consultant should be able to help you figure out how much data was compromised, how many customers were affected, and how the breach occurred.

    If a security flaw in your network or software caused the breach, fix it immediately.

    Report the Breach: Who Do You Need to Tell If You Think You've Been Breached?

    Depending on your state laws and the size of the breach, you might have to report it to a consumer protection agency, the office of the state attorney general, or other law enforcement agencies. (These laws vary, so check our guide to state data breach laws.)

    How to Tell Your Customers about a Data Breach

    First, it's important to note that your notification duties are likely outlined by state laws.

    A few states set a specific number of days by which you must contact customers. In Maine, you only have seven days, but in other states you have up to 45.

    Most states don't set a specific requirement, but instead use language like "in the most expedient time and manner possible" and "without unreasonable delay." In other words, states put the burden on you to contact customers as soon as you reasonably can without jeopardizing data breach investigations.

    But before you rush to inform your customers, make sure all your ducks are in a row. You'll need to post information on your website, set up a call center (or other means for receiving complaints and concerns), and possibly even hire temporary employees to help you handle customer complaints.

    Helping Your Customers with ID Theft Prevention

    It's common practice for businesses to offer credit protection services for customers who have been affected by a data breach. Most businesses will offer their customers one year of fraud prevention services after a breach. But while credit monitoring can prevent Internet fraud and ID theft, it is not cheap.

    You'll have to pay for these services and set up a contact person in your organization who will answer customers' questions about how to apply for credit monitoring and explain how it can protect them from identity theft.

    The good news: a Cyber Liability Insurance policy (which you can purchase as a standalone policy or as an endorsement to a General Liability policy or BOP) will cover most or all of these costs.


    Responding to a Data Breach

    Between meeting legal requirements, managing the data breach crisis, and helping customers protect their credit, there's a lot to keep track of. Data breach response plans and checklists help you avoid making any mistakes when you're in crisis mode. You can print out our data breach checklists and keep them with your data breach response plan.

    Now let's look at a checklist of 10 things you need to do when you respond to a data breach.

    How to Protect Your Business from Identity Theft: Recovery

    Here's the thing most people don't understand about data breaches: the effects can last a long, long time. We're not talking months; years after a data breach, you could still be feeling the consequences. In fact, these effects are often so costly that many small businesses go out of business after a breach.

    How will a data breach affect your business? Good question. Here are some of the common effects of a small-business data breach:

    1. Damaged reputation. Studies show that data breaches are one of the three worst things for a business's reputation. From a customer's perspective, the only things worse than data breaches are when a company causes an environmental disaster or has poor customer service.

    2. Lost revenue / slow sales. After Target's data breach, its profits dropped 12 percent. Larger chains might be able to weather that kind of fluctuation and regain the trust of customers, but smaller businesses often cannot.

    3. Layoffs and infighting. Lost revenue could mean you'll have to cut employees (if you have any) or find other ways to cut your costs. While it can be stressful and unpleasant to dismiss employees, it can be even scarier to not know where to cut your costs to break even.

    4. Lawsuits. Data breach and identity theft lawsuits are expensive. Heck, any lawsuit is expensive. But data breaches often lead to class action lawsuits, where multiple customer lawsuits combine into one larger one. These lawsuits can be among the most expensive.

    Now that we know some of the effects you'll see after a data breach, let's go over your recovery plan.

    A Small Business's Guide to Recovering from Data Breaches

    After a data breach (and all the mess that comes with it), your business should focus a good deal of its resources on recovery. Here are six things you must do in the months and years after a breach.

    1. Guide your customers through the post-breach process. Identity theft can occur long after a breach. Businesses typically offer one year of identity theft prevention for their customers. Practically speaking, this means you may have to field questions and complaints for months (or even a year) after the breach.

    2. Comply with law enforcement. Law enforcement and customer protection agencies often step in to investigate data breaches. You might have to comply with their requests and send them information about the breach.

    3. Crank up the PR. When you're recovering from a public relations disaster, you can't afford to go about business as usual. Your advertising and PR campaigns need to be focused on earning back customers you've lost and finding new ones. The bright side? You can use the breach as an opportunity for a fresh start, launching a campaign around the new security features you're putting in place. Sales tend to be slower following a data breach, so you may need to target new revenue streams more aggressively than usual.

    4. Rethink your current level of security. Why did the breach occur? Was there a lapse in your security? Maybe the breach occurred because a third-party vendor that worked for your company had lax security. Whatever the cause, you'll need to implement changes to make sure it doesn't happen again.

    5. Upgrade network / web security and update or replace old software. Consumer Reports cautions that small businesses are often slow to update old software. Many small businesses use old software or patchwork IT solutions because they don't want to fork over the cash for something more comprehensive. This makes sense: your budget is smaller. But old software can cost you if it isn't secure. The good news is that most software patches are free to download, so be sure you're taking this crucial step toward securing your customer data.

    6. Review your response. After things have cooled down, you'll want to analyze how successful your business was at limiting the damage of the data breach. If you had a data breach response plan, how useful was it? Do you need to update it to reflect some of the unexpected challenges you faced?

    Remember, your Cyber Liability Insurance can pay for many of these expenses, including the PR campaigns and customer outreach programs.

    Data Breach Laws for Small Businesses: A State-by-State Guide

    Data Breach Laws for Small Businesses

    Data breach laws are regulated at the state level, which means your response to a data breach will depend on where your business operates. For a detailed online guide to data breach laws across the United States, visit our state-by-state guide to data breach laws.

    Checklists: Step-by-Step Guides to Protect Your Business Data

    Checklists: Step-by-Step Guides to Protect Your Business Data

    The surprising truth about data breaches is that many are preventable. That's great news for small-business owners, but it means that if you want to take data security seriously, there's work to do.

    Human errors and employee mistakes account for nearly one-third of all data breaches. So youll need to implement security training and IT procedures that minimize employee mistakes.

    Not only can many data breaches be prevented, but the cost of a data breach can be limited by the work you do today to prepare for a breach. For instance, the Ponemon Institute found that simply having a data breach plan can reduce the cost of a data breach by 9 percent.

    Take a look at the checklists in this section to address your data security needs now and in the future.

    • What to Do Today to Prevent Data Breaches and Identity Theft
    • What to Do This Week to Prevent Data Breaches and Identity Theft
    • What to Do This Month to Prevent Data Breaches and Identity Theft
    • What to Do This Year to Prevent Data Breaches and Identity Theft
    • How to Prevent a Data Breach
    • How to Respond to a Data Breach
    • How to Recover from a Data Breach
    • How to Choose an IT Contractor Who Will Keep Your Data Safe

    What to Do Today to Prevent Data Breaches and Identity Theft

    • Always use hard-to-crack passwords (and if you have employees, require them to do the same). Test the strength of your current passwords at howsecureismypassword.net.

    • Use unique passwords (i.e., ones not used for any other accounts). Again, make sure any employees are doing this as well.

    • Make sure computers and devices encrypt all data when a user is logged out. (This feature is usually included in operating systems, but you might need to turn it on in your settings.)

    • Talk with your insurance provider about adding Cyber Liability Insurance to your General Liability Insurance policy. (You can also purchase a separate Cyber policy, depending on your needs.)

    • Put someone in charge of data security. If you're operating alone and aren't tech-savvy, consider working with an IT contractor. If you already have someone working on IT in your business, discuss increasing security measures.

    • If you have employees, make an announcement about the new focus on data security and how everyone's actions today can prevent data breaches and identity thefts tomorrow.

    What to Do This Week to Prevent Data Breaches and Identity Theft

    Update your company policies (or employee handbook) to standardize and outline your network security protocol. No written policies in place? Nows the time to draft one so its clear what your best practices are.

    Review which employees have accesses to personal data (credit card info, addresses, logins, etc.), and limit access to that data as appropriate. The goal is to only grant access to people who need that information to do their jobs. The more people have access to sensitive information, the more chances there are for a data breach.

    Make it standard policy to check that all your contractors and vendors (IT, HVAC, and others) have insurance that covers data breach liability.

    Work with a data security consultant or IT contractor to build an incident response plan, which outlines what you need to do after a data breach.

    Look at our guide to data breach laws, and review what your state requirements are.

    Train your employees to use email securely and to identify malicious emails.

    Install laptop / computer locks around your office to prevent thieves from stealing your devices.

    Add encryption capabilities to emails, and enforce this standard among your employees.


    What to Do This Month to Prevent Data Breaches and Identity Theft

    If you allow employees to use their personal devices on your work network, talk with an IT consultant about managing this risk as it exposes your company to a greater likelihood of hacks. (The technical term for this is BYOD or bring-your-own-device risk.)

    Update old software and replace anything obsolete.

    Teach your employees why using non-secure email or portable storage devices (e.g., thumb drives) can expose your company to data risks.

    Institute policies that limit when and how company data can be moved from your network to private and non-secure networks.

    If you use a point-of-sale system (and not a mobile payment platform), check with an IT consultant to see whether your system is secure. Many older platforms use Windows XP or even older operating systems that have security flaws. POS systems should be replaced every five years or so.

    Review your Terms of Use, User Agreement, Privacy Policy, and other contracts posted on your website. These documents should accurately convey how you store and use customer data. They need to be updated any time you change your policies.

    Evaluate your employee exit strategies. Make sure you close employee accounts and remove their access to data. (Insider data breaches often come in the weeks before an employee leaves a company, so have a preventative strategy and check activity logs around the time of employee departures.)
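The access-review item ("grant access only to people who need it") and the exit-strategy item above ("close employee accounts" and "check activity logs around the time of employee departures") are both questions you can answer from the same two records: who holds which access, and what each account actually did. The script below is an added example, not part of the original guide, that runs three checks over a constructed roster and constructed access-log lines: accounts holding a grant their role does not need, accounts still active after their holder's last day (never closed), and bulk exports in the weeks before a known departure. The role-to-data baseline, the 21-day window, the 500-record export threshold, the log format and every name and date in the sample data are assumptions made for the example.

```python
from datetime import date, datetime, timedelta

# Constructed roster: account -> role, sensitive stores granted, last working day (None = current).
ROSTER = {
    "alice": {"role": "bookkeeper", "grants": {"payroll", "customer_cards"}, "last_day": None},
    "bob":   {"role": "warehouse",  "grants": {"inventory", "customer_cards"}, "last_day": None},
    "carol": {"role": "sales",      "grants": {"crm"}, "last_day": date(2014, 10, 3)},
    "dave":  {"role": "sales",      "grants": {"crm", "customer_cards"}, "last_day": date(2014, 10, 17)},
}

# Assumed least-privilege baseline: the stores each role needs to do its job.
ROLE_NEEDS = {
    "bookkeeper": {"payroll", "customer_cards"},
    "warehouse": {"inventory"},
    "sales": {"crm"},
}

# Constructed access-log lines in an assumed format: "YYYY-MM-DD user action store record_count".
SAMPLE_LOG = """\
2014-09-22 alice read payroll 4
2014-09-29 dave read crm 40
2014-10-06 dave export crm 1800
2014-10-08 dave read customer_cards 25
2014-10-10 dave export crm 2200
2014-10-13 carol read crm 12
2014-10-15 bob read inventory 30
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, store, count = line.split()
        events.append({"date": datetime.strptime(day, "%Y-%m-%d").date(),
                       "user": user, "action": action, "store": store, "count": int(count)})
    return events


def over_privileged(roster: dict, role_needs: dict) -> dict:
    """Accounts holding a grant their role does not need, per the baseline."""
    findings = {}
    for user, info in roster.items():
        extra = info["grants"] - role_needs.get(info["role"], set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def active_after_departure(events: list, roster: dict) -> list:
    """Any activity dated after the holder's last day means the account was never closed."""
    hits = []
    for e in events:
        last = roster.get(e["user"], {}).get("last_day")
        if last and e["date"] > last:
            hits.append((e["user"], e["date"].isoformat(), e["action"], e["store"]))
    return hits


def pre_departure_exports(events: list, roster: dict, window_days: int = 21,
                          threshold: int = 500) -> list:
    """Bulk exports inside the window before a known last day: the pattern the guide warns about."""
    hits = []
    for e in events:
        last = roster.get(e["user"], {}).get("last_day")
        if not last or e["action"] != "export":
            continue
        if last - timedelta(days=window_days) <= e["date"] <= last and e["count"] >= threshold:
            hits.append((e["user"], e["date"].isoformat(), e["store"], e["count"]))
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("over-privileged:", over_privileged(ROSTER, ROLE_NEEDS))
    print("active after departure:", active_after_departure(events, ROSTER))
    print("bulk exports before departure:", pre_departure_exports(events, ROSTER))
```

The departure checks only work if last working days are recorded somewhere the person doing the review can read, so the roster (or its equivalent in your HR records) is the real control here; the log check is what tells you whether the account closure actually happened.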

    Reduce the number of places you store data and consolidate them in order to reduce the number of access points data thieves have.

    Because mobile workers are often exposed to more risk from laptop theft and open Wi-Fi threats, create a specialized protocol for them.


    What to Do This Year to Prevent Data Breaches and Identity Theft

    Hire an IT consultant to perform a security audit on your firm.

    Review your insurance coverage to see if you need to update your policies to reflect significant changes in your company (growth, new personnel, etc.).

    Securely dispose of old laptops, devices, and hard drives that have sensitive data.

    Review your company's data security policies (perhaps with an IT consultant) to see what could be improved, which policies need to be strengthened, and what new technological threats you need to guard against.

    Review company data collection policies to limit the amount and type of data collected. Try to collect only data that is useful and necessary (extra data just means extra risk).

    Delete old and obsolete customer data.

    Ask your IT employees, CISO, or consultants what they think are the biggest security threats to your organization and what resources they need now and in the future.


    Checklist: How to Prevent a Data Breach

    Limit the places you store data by consolidating (if possible) into as few places as possible and encrypting data when it is not in use.

    Delete old, irrelevant data and properly dispose of old hard drives and physical technology that might have personal records. (Note: you may have to wipe these clean before you dispose of them.)

    Train your employees on proper email and password security, and standardize these policies in an employee handbook. If you don't have employees, review best practices for yourself.

    Replace outdated software and technology with new, more secure versions, and update software as patches become available. These patches close gaps that hackers have exploited in the past, which are known entry points to your data.

    Hire an IT security consultant to perform a security audit at your company if you aren't very tech-savvy. This can save you the time and headache of trying to sort through recommendations yourself.

    Write a Data Breach Response Plan (see Checklist: How to Respond to a Data Breach) that satisfies your state's data breach laws and outlines the steps you need to take when a data breach occurs.

    Reduce bring-your-own-device (BYOD) liability by limiting the access employees' personal devices (e.g., mobile phones) have to your business network. If you don't have employees, invest in a separate mobile device for work to reduce entry points to your customers' data.

    Change laptop and mobile device settings to encrypt data when you are logged out.

    Review state and industry regulations concerning data security and the protection of customers' financial, medical, or personal data (see State Data Breach Laws for more).


    Checklist: How to Respond to a Data Breach

    Review your data breach response plan. Don't have one? That's okay. Take a deep breath. Review your state's data breach laws and make a list of entities you have to contact. Do this as soon as you learn about the breach; some states give as little as seven days to inform customers.

    Contact law enforcement or consumer protection agencies, if your state law requires it.

    Contact your data security guru or IT consultant (if you have one). If you don't, you may want to hire one to perform an IT security audit so you're less likely to experience another data breach in the future.

    Contact your insurance company if you have Cyber Liability Insurance. Your Cyber Liability Insurance provider will pay for some of the costs associated with responding to a data breach, including (depending on your policy) crisis management, credit monitoring, and data breach investigation.

    Investigate the breach, compiling information as to where it occurred and what data was lost. (If you're not particularly tech-savvy, hiring a network security consultant to perform a security audit may be wise.)

    Repair any security weaknesses, but keep records and evidence of the breach (which you might need to turn over to law enforcement agencies later).

    Contact a credit monitoring company about fraud and IT theft prevention services you can offer your customers.

    Set up a phone line or email address to handle incoming questions and concerns from customers.

    Post an announcement on your website about the data breach and how customers can reach you with questions.

    Notify individual customers (via email, phone, or mail, in accordance with state regulations).

    If you didn't have a data breach response plan before, now's the time to make one. Unfortunately, data breaches aren't going anywhere, and a response document will almost certainly come in handy in the future.


    Checklist: How to Recover from a Data Breach

    Fulfill all legal obligations to law enforcement and customer protection agencies. This may include notifying them of the breach or allowing them to review your records.

    Review data collection policies. After a data breach, you might find that some of the stolen data wasn't even important to your business. Unnecessary data only exposes you to more risk. If you're routinely collecting data that you don't use, rethink your data collection policies so that you only collect and store what you absolutely need to do business.

    Review data storage policies. If you're holding onto years' worth of old, obsolete data, it's time for spring cleaning. Delete it! If you're storing duplicate data, trim it down. Sorting through a sales database can be exhausting work, but having streamlined data reduces your liabilities. Note: if you're not sure where to start with eliminating data, work with an IT consultant who has experience in data management.

    Prepare for lost revenue and slow business by limiting unnecessary expenses and ramping up your sales game.

    Prepare for possible firings. If you have employees, give them as much warning and information as possible if youll need to let them go. This may mean letting them go early with an extra month or two of pay to improve their odds of finding new work. If you have an employee whose negligence caused the breach, document this carefully to avoid post-firing lawsuits.

    Increase public relations / advertising campaigns to offset lost revenue. If necessary, enlist help from an outside PR agency. This may sound like an unnecessary expense, but many Cyber Liability Insurance policies pay for public relations efforts to restore a business's reputation after a breach.


    Checklist: How to Recover from a Data Breach (cont'd.)

    Enlist a professional to conduct a security audit. During an information security audit, an outside party evaluates the security of your IT solutions. This can be one of the best ways to prevent future incidents. Look for an IT professional with experience performing security audits for small businesses.

    Update software and IT solutions. After a breach, you might have to rethink how much money you budget for IT. If your previous security configuration leaves you open to future breaches, you might have to put more resources into security and technology.

    Examine third-party hiring practices. Some data breaches are caused by lapses in security by the contractors and third parties you hire. You can request that all future contractors have basic business insurance (including Errors and Omissions Insurance). If your contractors have this policy, you'll know an insurance company is insuring their work. (See the checklist, How to Choose an IT Contractor Who Will Keep Your Data Safe, for details.)

    Update your data breach response plan based on your experience. You may want to include contact information for the regulatory bodies, credit monitoring service, PR firm, and IT professionals you worked with this time around, just in case.


    Checklist: How to Choose an IT Contractor Who Will Keep Your Data Safe

    Many small-business owners hire outside help to build or install their business technology, office networks, point-of-sale systems, and custom software. However, if you're like most of these business owners, you might find yourself in a difficult position. You're not an IT expert, and you may not know exactly what you need or who can help you get what you want.

    This checklist explains what to look for in a quality IT contractor, so you're not left guessing:

    Get referrals. Start the process by reaching out to friends or professional contacts who might know an IT contractor who can help you. Finding an IT contractor whom someone you trust can vouch for can save you a lot of time, so be sure to publicize the fact that you're in the market for IT help.

    Advertise your need. Websites like WorkMarket.com specifically advertise to technology freelancers. Many let you post positions free of charge.

    Check the website. A professional IT contractor will have a website where you can at least find contact information and at best find examples of past work.

    Ask for examples of past work. If you aren't able to find work samples on your own, ask for examples of projects similar to the one you're asking the contractor to complete. If you don't like what you see, feel free to move on to another candidate.

    Ask about their data security practices, including how they handle data breaches. This is essential. Any IT contractor you trust with your customer data and sensitive information about your business should have a solid plan in place to keep that data safe. That includes a plan for how to respond to data breaches, which have become all but inevitable in recent years.


    Checklist: How to Choose an IT Contractor Who Will Keep Your Data Safe (cont'd.)

    Call references for top candidates. When you find a candidate you like, request contact information for references you can call. Ask these people about the candidate: how he performed, whether he stayed on budget and on deadline, whether he communicated well, whether he was easy to work with. This is a crucial step, as some contractors who look good on paper might not be a good hire if their former clients wouldn't recommend them. Of particular note: ask references about their satisfaction with the contractor's security practices.

    Request proof of insurance. Your IT contractor and any subcontractors she plans on bringing onto your project should have General Liability and Errors and Omissions Insurance. Ask to see a Certificate of Liability Insurance for all professionals who plan to work on the project.

    Request price quotes. When you've found candidates you like, ask for quotes for their work. Compare these and choose the one that fits your budget.

    Request completion timelines. Get these in writing, too. This can be crucial if things get off target down the line.
