SMB Awareness of Breach Notification Laws IndustryView | 2015

by Daniel Humphries, Managing Editor for IT Security research firmSoftware Advice, February, 2015

Currently, 47 U.S. states have security breach notification laws, which require organizations that store sensitive information to notify customers and clients if their personal data is breached. In this report, we investigate how aware decision-makers at small and midsize businesses (SMBs) are of the laws that apply to their firms, and examine the contents of those laws. We also provide advice from leading cybersecurity experts on how best to avoid breaches, fines, lawsuits and reputational

Key Findings:

  1. Only 33 percent of SMB decision-makers we surveyed are “very confident” they understand their state’s data breach notification laws.
  2. Less than half of our survey respondents (49 percent) say their company already has a breach response plan in place.
  3. The vast majority of SMB decision-makers in our sample (82 percent) say that their business encrypts customers’ personal information.

In January 2015, President Obama proposed new federal legislation that would require organizations to alert customers within 30 days of discovering that their personal information had been exposed in a data breach. For now, however, no such law exists; instead, businesses must comply with a patchwork of state laws governing breach disclosure.

Since California passed the first such law in 2002, a total of 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government organizations to notify individuals of security breaches involving Personally Identifiable Information (PII). Definitions of PII vary, but usually involve a combination of the individual’s name plus sensitive data such as their social security number (SSN), credit card number or bank personal identification numbers (PINs).

While large firms may have lawyers on tap who are experts in these laws, we wanted to gauge SMBs’ awareness of their legal obligations in the event of a breach—so we polled SMB owners and decision-makers at businesses that store customer PII. We then spoke to legal, compliance and cybersecurity experts to gain insight into these laws and learn how businesses should prepare for, and respond to, a breach.

One-Third of SMBs Not Confident They Know the Rules on Breach Disclosure

After a successful hack, cybercriminals act quickly to cash in on their ill-gotten gains.

“Most of the time, when [valuable] information leaks out of a company, it is instantly being monetized on underground forums,” says Bogdan Botezatu, senior e-threat analyst for antivirus firm Bitdefender. In these situations, he says, businesses should alert their clients and customers as quickly as possible so they can minimize the aggravation and inconvenience that results when sensitive data goes missing.

In addition to an ethical responsibility, however, most U.S. businesses storing sensitive data also have a legal responsibility to inform customers of lost PII. Thus, even if a business owner concerned about reputational damage is tempted to conceal or suppress a breach of PII—as experts believe often happened before these laws were adopted—today, this is illegal in every state but Alabama, New Mexico and South Dakota.

So, how confident are SMB owners and decision-makers that they understand the security breach notification laws of their state?

Only one-third (33 percent) of respondents are “very confident,” while 34 percent describe themselves as “moderately confident.” Another one-third, combined, are largely (19 percent) or completely (14 percent) unaware of their state’s breach disclosure requirements.

This suggests many businesses are highly likely to be caught off-guard if a breach occurs—and according to the most recent security report from Symantec, targeted attacks on SMBs accounted for 30 percent of all “spear phishing” attacks in 2013 (the most up to date figures from 2014 are still pending). In these attacks criminals craft fake emails to dupe individuals into surrendering their credentials, or into downloading malware.

Heather Buchta, partner at legal firm Quarles & Brady and an expert in e-commerce, software and technology law, says that although state laws vary, they do share common features. When defining PII, the statutes “almost always” include a combination of an individual’s name together with any “sensitive data elements,” such as SSN, driver’s license numbers, credit card PINs and account passwords, for instance.

However, the definition of a “sensitive data element” may be broader.

“For instance, some states, such as Missouri, include various types of health information, while Nebraska’s law covers biometric data [e.g., retina or fingerprint scans],” Buchta says. “North Carolina considers an individual’s parent’s surnames prior to marriage to be sensitive, while Puerto Rico includes labor evaluations and the Wisconsin law covers DNA.”

Clearly, the laws are complicated. Jeff VanSickel, compliance lead at security consultancy SystemExperts, has conducted a comparative analysis of all 47 laws. He says he’s often surprised at which states are the most stringent in their definitions of sensitive data.

For instance, VanSickel believes that Montana has the “most rigorous” laws in the nation—there, the mere combination of name and address is defined as PII. Not a problem if you’re not based in Montana? Think again, says VanSickel: Businesses must also know the laws where their customers are located.

He uses the example of a company that is based in Florida but has clients in Hawaii to illustrate his point. If that company lost the PII of its Hawaiian customer base, then it would face legal issues in Hawaii, VanSickel says.

To read the full report on SMB Awareness of Breach Notification Laws, click here.