Solving Your Problems While Getting You Back to Business

What Do Connecticut Small Businesses Have to Do After a Cyber-Attack?

Posted August 10, 2017
Print Page

Cybersecurity has become a very hot issue throughout the private and public sectors over the last few years. From the alleged hacking of the 2016 election to the hacking of Target in 2013, which led to the theft of 70 million customers’ credit card information, no one is safe from hackers, especially small and medium-size businesses. According to the 2016 State of Small and Medium Business Cybersecurity Report, half of all small businesses in the United States have been compromised in the last 12 months. Connecticut has a Cybersecurity resource page that offers helpful tips and information.  Check that out here.

Even though every business is at risk for a cyber-attack, 87 percent of small business owners believe they are immune from a cyber-attack. A third of small businesses have not taken steps to prevent a cyber- attack. The good news is you can protect your business from a cyber-attack, but you should still know what Connecticut law requires your business to do if your business is the victim of a cyberattack. 

In Connecticut any business (no matter the size!) who, in the ordinary course of business, owns, maintains, or licenses computerized data that includes personal information must disclose a breach of security without unreasonable delay to state residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized person. The law specifically says notification has to take place “not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law.”

What is “personal information” under Connecticut’s cybersecurity notification laws? It includes an individual’s first name or initial and last name in combination with other specified data like their SSN or driver’s license number.  If your business is breached, you must also provide “appropriate identity theft prevention services and, if applicable, identity theft mitigation services” to harmed persons – usually customers. And if your business collects social security numbers, you are required to have a written privacy policy “publicly displayed”.

What can happen to my business if a cyber-attack results in loss of customer personal information? You could be fined by the State up to $500.00 for each violation (check your insurance coverage for fines and penalties coverage), and also be sued for an unfair trade practice. Read about unfair trade practices here, and here, and here.

LESSON LEARNED: Hackers go after low-hanging fruit and small business are low hanging fruit.  Check your insurance policies for cyber coverage, and know what you need to do if your business is breached.

 

About the Author

Business and Employment Litigation Attorney Anthony Minchella

Tony represents Fortune 50 financial services companies, retail giants, and small and large specialty products companies in employment litigation, trade secret and non-competition litigation, and unfair trade practice issues. When acting as local counsel, Tony, an adjunct professor of law on Connecticut Civil Procedure at Quinnipiac Law School, helps lead counsel navigate the nuances of Connecticut state and federal court practice. Tony graduated magna cum laude from Quinnipiac University School of Law. He passed the New Jersey, New York and Connecticut bar exams and then moved on to careers with large and small firms which led to his boutique litigation practice.