There are two questions I get from business owners all the time:
- How do I know if I've been hacked?
- What do I do if I have been hacked?
The answer to question 1 for many small businesses and individuals is, they don’t. Outside of ransomware, very few cybersecurity incidents are visible to the victim. In fact, most small and medium businesses (SMB) data breaches go undetected, sometimes for years at a time. The few breaches that are discovered usually are by a third party partner or law enforcement, who then notify the small business.
Thus, of the 50% of SMB’s that have been breached in the past year (according to the 2016 State of SMB Cybersecurity Research Report), most still don’t know they have been breached and likely will only find out if the intrusion is eventually caught by another party that then notifies them. The fact that small business data breaches often go undetected for long period of time results in nearly one-third of companies not being able to determine the root cause of a breach. Without a root cause, or ability to determine what data was accessed, companies are forced to assume compromise of all their data, which leads me to question 2.
Data breaches are currently regulated at the state level, with additional federal requirements levied on companies that fall under compliance industries such as healthcare (HIPAA). 47 states have data breach laws, with most of the regulation centered around notifying individuals, and sometimes the state Attorney General, if there has been unauthorized access to personal information. In an effort to create uniformity and facilitate compliance for businesses operating across multiple states, the Obama White House proposed a data breach law that would preempt state laws and become the de facto data breach law. While that proposal didn’t initially make it, most experts believe it is only a matter of time before the federal government passes a bill in this area. That bill will likely mirror California Civil Code 1798, so let’s take a closer look.
Upon suspicion of a data breach, a business has a choice:
- Pay money to investigate what happened and if any information was stolen
- Ignore the suspicion and hope a breach didn’t occur (or that it is never traced backed to them)
This may seem like a choice with an obvious answer, but take it from someone who has sat across the table from multiple business owners who have decided not to investigate that it is not as clear cut as it seems. Why? Because there is a real cost to investigating a data breach. Unlike a physical break in, local law enforcement does not have the skill set required to investigate cybercrime. This skill set lies with the FBI, who have their hands full with the Sony’s and Target’s of the world, or private companies, which charge to conduct what is called digital forensics. For a small business without a cyber liability insurance policy (most SMBs), the cost of investigating a breach averages between $20,000 and $50,000. For many, this is a cost that would put them out of business. In other words, your tax dollars do not cover this.
Ethics and future consequences aside, we recommend a business reset all of their computers (not a small task) regardless of the decision to investigate or not. If a business has the money, it is strongly advised they hire a consulting firm to perform a vulnerability assessment that will give them recommendations on how to improve their security posture so they don’t have a repeat of the cybersecurity incident (and suspected data breach) that just occurred. Of course, this is something all businesses should do proactively to prevent from being in a data breach situation to begin with.
For the business that does decide to investigate, if found to be a data breach, they must notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. There are communication companies out there that will help draft the notification and stand up 1-800 numbers for those affected to call so you and your employees don’t have to answer these calls. This is an optional cost that ranges based on number of breached records. If more than 500 records are breached, the state of California requires you to notify the Attorney General and to post your notification letter on the state’s website for everyone to see.
Finally, you are not required to pay for credit monitoring services in CA, however if you decide, as many do, to offer (and pay for) this service, you must do so for at least a year. Many of the communication companies described above can also assist with setting this up for an additional fee.
To summarize, most SMB’s don’t ever know if they are breached unless notified by law enforcement or a third party partner, at which point they should, but don’t always, pay a private company to investigate if it was a breach, and then notify any individuals (and possibly the state Attorney General) whose personal information is assumed to be compromised. At the same time, they should, but don’t always, go through the painful process of fully resetting their computers (called re-imaging) to ensure the hacker is no longer in their systems and hire a consulting firm to conduct a vulnerability assessment and provide them recommendations for how to improve their cybersecurity in order to avoid a repeat of what just happened. Oh, and don’t forget about the attorney. Any business that suspects a breach should consult an attorney immediately.
So, what should you, the business owner who processes and/or stores other people’s personal information take away? In the words of the great Ben Franklin, “An ounce of prevention is worth a pound of cure.” Don’t put yourself in a position to decide between investigating or ignoring. Be proactive and address the risk BEFORE anything bad happens.