(Ping! Zine Web Tech Magazine) – Recently, hackers gained access to Yahoo’s databases, exposing over 450,000 usernames and passwords to Yahoo, Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com accounts. This privacy breach comes on the heels of a breach of over 6.5 million LinkedIn user passwords. With these embarrassing security breaches, and the widespread revelation of their inadequate information security practices, Yahoo and LinkedIn were added to the rapidly growing list of large companies who have suffered massive data breaches in recent years.
While breaches at large companies like Yahoo and LinkedIn make the headlines, small businesses are equally at risk, and must take appropriate measures to keep their information safe. Aaron Messing, an information privacy lawyer with OlenderFeldman LLP, notes that most business networks are accessible from any computer in the world and, therefore, potentially vulnerable to threats from individuals who do not require physical access to them. In fact, a recent report by Verizon found that nearly three-quarters of breaches in the last year involved small businesses. Small business owners may be the most vulnerable to data breaches, as they are able to devote the least amount of resources to information security and privacy measures. Studies have found that the average cost of small business breaches is $194 per record breached, a figure that includes various expenses such as detecting and reporting the breach, notifying and assisting affected customers, and reimbursing customers for actual losses. Notably, these expenses do not include the cost of potential lawsuits, public embarrassment, and loss of customer goodwill, which are common consequences of weak information security and poorly managed data breaches. For a large business, a data breach might be painful. For a small business, it can be a death sentence.
Proactive security and privacy planning is always better than reactive measures. “While there is no sure-fire way to completely avoid the risk of data breaches,” says Messing, “steps can be taken, both before and after a breach, to minimize risk and expense.” To preserve confidential communications and to obtain advice on possible legal issues related to your company, consulting with privacy attorneys about your specific requirements is recommended. OlenderFeldman LLP recommends the following general principles as a first step towards securing your business.
Second, although external breaches from hackers gain the most publicity, the vast majority of data breaches are internal. Informal or non-existent business attitudes and practices with regard to security often create temptations and a relatively safe environment for an opportunist within the company to gain improper or unauthorized access to sensitive information. Unauthorized access, use, or disclosure, whether intentional or unintentional, puts individuals at risk of identity theft, which may cause monetary liability and reputational damage to your company. Mitigating this risk requires limiting access to company resources on a need-to-know basis and denying access to those who do not need it.
Third, be vigilant about protecting your information. Even if your company develops a secure network, failure to properly monitor logs and processes, or weak auditing, allows new vulnerabilities and unauthorized use to evolve and proliferate. As a result, your company may not realize that a serious loss has occurred or is ongoing. Develop a mobile device policy to minimize the security and privacy risks to your company. Ensure that your technology resources (such as photocopy machines, scanners, printers, laptops and smartphones) are securely erased before they are recycled or disposed of. For example, most business owners are not aware that photocopiers, scanners and fax machines store and retain copies of documents that have been printed, scanned, faxed, and emailed on their internal hard drives. Thus, anyone who takes possession of such a machine (e.g., when it is sold or returned) can obtain copies of all documents that were copied or scanned on it. This compilation of documents and potentially sensitive information poses a serious threat of identity theft.
To discuss data breaches, privacy laws and regulations, regulatory compliance or ecommerce law for your business, please feel free to contact Aaron Messing, Esq., CIPP by phone at 908-624-6293 or by email at amessing(at)olenderfeldman(dot)com.
OlenderFeldman LLP is a full-service law firm providing customized business, financial, technology, privacy, intellectual property and litigation services. We work with diverse clients ranging from startups to multinationals, and can tailor solutions to fit your business needs. http://www.olenderfeldman.com