Cybersecurity has become a very hot issue throughout the private and public sectors over the last few years. From the alleged hacking of the 2016 election to the hacking of Target in 2013, which led to the theft of 70 million customers’ credit card information, no one is safe from hackers, especially small and medium-size businesses. According to the 2016 State of Small and Medium Business Cybersecurity Report, half of all small businesses in the United States have been compromised in the last 12 months. Connecticut has a Cybersecurity resource page that offers helpful tips and information. Check that out here.
Even though every business is at risk for a cyber-attack, 87 percent of small business owners believe they are immune to one. A third of small businesses have not taken steps to prevent a cyber-attack. The good news is you can protect your business from a cyber-attack, but you should still know what Connecticut law requires your business to do if it is the victim of one.
In Connecticut, any business (no matter the size!) that, in the ordinary course of business, owns, maintains, or licenses computerized data that includes personal information must disclose a breach of security without unreasonable delay to state residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized person. The law specifically says notification has to take place “not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law.”
What is “personal information” under Connecticut’s cybersecurity notification laws? It includes an individual’s first name or initial and last name in combination with other specified data, such as their Social Security number or driver’s license number. If your business is breached, you must also provide “appropriate identity theft prevention services and, if applicable, identity theft mitigation services” to harmed persons, usually customers. And if your business collects Social Security numbers, you are required to have a written privacy policy that is “publicly displayed.”
What can happen to my business if a cyber-attack results in the loss of customer personal information? You could be fined by the State up to $500.00 for each violation (check your insurance coverage for fines and penalties coverage), and you could also be sued for an unfair trade practice. Read about unfair trade practices here, and here, and here.
LESSON LEARNED: Hackers go after low-hanging fruit, and small businesses are low-hanging fruit. Check your insurance policies for cyber coverage, and know what you need to do if your business is breached.