With one click of a button, you can share photos with family members, renew your passport, or even send documents across the world. Technology allows us to socialize, connect with customers, and continually increase our productivity and profit margins. As the world continues to invest in technology for everyday activities, the value of data increases dramatically. This value is why ransom attacks are so prevalent; companies would pay a hefty sum to get back even half of the information hackers may hold hostage.
The crazy thing about this is, for many years, there were no security requirements for how companies stored sensitive data. Now, governments around the world have begun to create laws to protect data, such as HIPAA, GDPR, and CCPA.
Data breaches happen every day; how they are handled is the difference between losing the public's trust and building a stronger community. Executives who manage the financial risk of their organization should ask the following seven questions. But the real question is, are you able to answer them?
These questions are the first steps to strengthening your data security.
1) Where does the data live?
Consider creating a data map. This is simply a reference document showing where all your data lives. It will help show the risk and sensitivity levels of the data collected. Many stop at data collected from websites and point-of-sale systems. Though this is a great start, we also have to look at emails, anything that was shared with a third party, and data saved to folders on local computers and shared networks. Sounds like a lot? There's more.
Physical documents that are kept in cabinets and safes also need to be accounted for. Data breaches are not just from cyber attacks. They can come from people copying files that are just lying around the office. Make sure all sensitive data is locked up and/or disposed of correctly.
2) Who has access to what data?
Companies should routinely review who has access to sensitive data. Limiting who has access minimizes the number of breach points. This also makes it easier to create and uphold a firm security policy. Just as not everyone needs access to the payroll information, not everyone needs access to the consumers' data. Check with your IT provider about how to secure your data and assign clearance for staff who need access to the encrypted files.
3) Can I easily provide a Californian all their personal data that we have collected?
For the first 30 years of the Internet, more data was better. Not anymore. Now having data is a liability. Take the new California legislation: CCPA requirements state that you have to allow any California resident who inquires about collected data to access that data. This has two parts: (1) you have to provide an easy way for people to make the request, such as a website link or toll-free number, and (2) you have to give them ALL of the data that you have collected on them.
4) What pieces of personal data are necessary to store?
The personal data that you collect should be part of your data map. Your data map should also have what data is required to do business, and what data is nice-to-have. For example, first and last names are required for shipping, but phone numbers are not, so "Name" fields on forms should be required and "Phone" fields should be optional. This is because customers willingly giving optional information is less risky.
Speaking of risk, if you were to have a data breach with just names and emails, that would be terrible. But a data breach with credit card numbers, home addresses, and phone numbers is worse; it's almost as bad as losing your customer's wallet. Companies should put their customers at the lowest risk possible.
5) Do we have an incident management workflow?
This workflow should surface any IT issues, be it a laptop that can no longer update to the newest software or issues with your emails. Once identified, the workflow should then fix the problem. If your company outsources its IT, the help desk should already cover this. However, if you are using internal IT or self-monitoring, make sure there is a process that states when the issue was identified and notes all the steps that took place to correct the problem. Be sure to identify any repeat issues or high-risk areas in your network.
6) Do I have a way to monitor and detect security breaches?
The CCPA requires that all breaches be reported within 15 days of discovery of the breach. If a company fails to send the required notification, it is a $100 per day fine until all affected are notified. That fine is only the state's penalty. California has also set a monetary value on data that ranges from $100 to $750 per consumer per incident, or actual damages, whichever is greater. This could bankrupt a small business.
Having a system in place that monitors your data is not a luxury; it's a requirement. The cost of hiring an MSP or a Data Protection Officer might seem like an extreme measure for those without one, but a set monthly fee to prevent a lump-sum lawsuit does pay off in the end. When looking to hire either a company or an individual, make sure they can prove how they monitor for security breaches and how often this takes place.
7) Do I know how and who to notify when a security breach occurs?
As soon as your company is aware of a data breach, you will need to work with forensic investigators to find out how the data breach occurred and what type of data was involved.
Once you know who and what data was affected, you will need to inform those whose data was compromised. You will need to send an email with a summary of the incident and the likely consequences of the breach. Next, you will want to review the precautions that your company had put in place to prevent any loss and be sure that no additional loss will occur. You should also provide steps that the individual should take to reduce the risk of further personal data breaches on their end.
A few last thoughts on data privacy
What your company has to gain from technology outweighs the risk if you have a strong relationship with your cybersecurity. Much like the ocean, you should never turn your back on it; the environment is always changing. Not moving quickly with the changes could wipe out your business. Contact your IT provider if you are not sure whether any security systems need to be updated or installed to improve cybersecurity.
Data privacy is a team effort. To lower potential risk, have a solid cybersecurity policy in place and provide training to the staff on how to spot potential threats. A small business, just like a large business, should be able to demonstrate in a court of law that it has taken every known step to limit a possible attack. To learn more, check out this article on cybersecurity countermeasures to mitigate ransomware attacks.