While breaches at large companies like Target Corp., Sony Corp. and Wyndham Worldwide Corp. grab headlines, data security at the small and medium-sized enterprise (SME) level goes largely unaddressed, even though 95 percent of all businesses in the U.S. are SMEs of 500 employees or fewer and their vulnerability could have significant economic consequences.
Data security poses a challenge for SMEs that, with limited resources, must establish protections to avoid fraud and litigation resulting from a breach that could prove fatal to their businesses, while inspiring investor confidence that they are capable of success in a technologically treacherous landscape.
SMEs should stay apprised of legal obligations and the expectations of regulatory bodies to avoid harsh settlements in the event of a breach. Compliance with regulatory guidelines helps SMEs approach the necessary level of data security, but to efficiently and effectively implement protective measures, each SME must determine its areas of vulnerability to create a system of data security best practices that suits the unique needs of its business.
FTC Guidelines
Federal regulatory bodies and state attorneys general determine guidelines and legal obligations for data security policies affecting SMEs. The Federal Trade Commission (FTC) leads federal agencies in guiding data security strategies for U.S. businesses.
As the FTC emphasizes consumer protection, the focus on data protection reflects the importance of this issue to consumers. A Dec. 9, 2015 settlement with Wyndham over a 2012 lawsuit involving more than 600,000 stolen credit and debit card numbers from breaches occurring between 2008 and 2010 positioned the FTC at the forefront of federal data security enforcement (16 CTLR 567, 12/18/15; 237 Antitrust & Trade Regulation Daily, 12/10/15; 237 Banking Daily, 12/10/15; 109 ATRR 749, 12/11/15; 85 CARE, 12/10/15; 14 PVLR 2228, 12/14/15; 20 ECLR 1734, 12/16/15; 237 Privacy Law Watch, 12/10/15).
The FTC required the hotel company to “establish a comprehensive information security program designed to protect cardholder data” and conduct annual information security audits for 20 years, providing a written assessment of any breach over 10,000 credit or debit card numbers within ten days.
The Wyndham settlement has implications in the SME world, affirming the FTC’s central role in protecting consumers from data breaches. Wyndham’s injunctive relief indicates that the FTC will focus on mandating both comprehensive protection and rapid response to breach events.
The FTC sets forth guidelines in “Start with Security: A Guide for Business,” offering lessons learned from settlements to instruct businesses on how to avoid enforcement actions:
- avoid collecting unnecessary personal information and retaining information longer than necessary, and collect personal information only when required;
- control access to data, with restrictions on access to sensitive data and limited administrative access;
- require complex and unique passwords and authentication and store passwords securely, while protecting against “brute force” attacks by limiting login attempts;
- store sensitive personal information securely and protect it during transmission using industry tested and accepted methods and proper configuration;
- segment your network and monitor activity;
- secure remote access to your network;
- apply sound security practices when developing new products by training your engineers in secure coding, following platform guidelines for security, verifying that privacy and security features work, and testing for common vulnerabilities;
- verify your service providers’ compliance in writing;
- keep your security current and address vulnerabilities that may arise by upgrading and patching third-party software and heeding credible security warnings; and
- secure paper, physical media and devices.
The FTC’s regulatory leadership stresses the importance of avoiding basic, fundamental security missteps to decrease the likelihood of an incident, while establishing a strategy for minimizing harm in the event of a breach.
SEC Guidelines
The Securities and Exchange Commission (SEC) recently turned its eye to the important role data security plays in the financial world. Involvement increased in 2012 with comment letters to 50 public companies requiring a commitment to disclose the facts of past breach events, without revealing particular details and circumstances about their data security practices and incidents.
Data security is now a higher priority, with the SEC requiring companies to make disclosures in the wake of a breach and to address ongoing risk factors in their regular filings.
The SEC’s attention to data security has important repercussions for SMEs.
On Sept. 22, 2015, the SEC announced a settlement order with an investment advising company that violated Regulation S-P (the SEC’s version of the Gramm-Leach-Bliley Act’s Safeguards Rule) by storing sensitive personally identifiable information on its third-party-hosted web server “without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.”
The company paid a $75,000 penalty, along with agreeing to comply with numerous precautionary measures.
Significant for SMEs is the SEC’s focus on third parties, an area of vulnerability for companies of any size, but particularly for SMEs who may not have the leverage to obtain sufficient protection when entering into relationships with vendors.
In April 2015, the SEC issued an update on cybersecurity guidance for funds and advisors. SMEs in the financial industry and SMEs working with funds and advisors should adhere to or be aware of the SEC’s suggestions, which include:
1. Conducting a periodic assessment of the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses, internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems, and security controls and processes currently in place;
2. Creating a strategy that is designed to prevent, detect and respond to cybersecurity threats, including controlling data access via user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening, data encryption, and the development of an incident response plan; and
3. Implementing the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats.
The SEC’s recent attention to data security creates compliance expectations for financial SMEs and offers increased protection for SMEs working with financial companies.
State Laws
Laws vary from state to state and are frequently amended, often to address changes in technology or in reaction to a highly-publicized breach.
For instance, in January 2015, California amended the civil code provision that encourages businesses to protect the personal information of California residents so that it applies to businesses that merely “maintain” personal information about a California resident (replacing the qualification that a business “own or license” the information to be held responsible) and requires those businesses to implement reasonable security measures to protect it.
SMEs should decide how best to stay up to date with the laws of the states in which they do business, whether by designating a company officer or by retaining local counsel to stay compliant.
Areas of Vulnerability
Beyond compliance with federal and state guidelines and laws, SMEs should assess their areas of vulnerability to create a data security program that best serves the company.
Because of their value, certain types of information are more susceptible to breach than others. These include important and highly sensitive information, such as trade secrets, future plans, future mergers, information that could affect stock prices and personally identifiable information (PII).
Rogue employees can cause tremendous harm to an SME through a lapse in data security. SMEs should determine who has access to their information, who controls their information, and whether the company is properly preserving its rights in anticipation of intellectual property causes of action.
Third-party vendors are cited as a common area of vulnerability for all businesses. SMEs are particularly susceptible to the ill consequences of a vendor breach, as they are less advantageously positioned to allocate responsibility to the third party and to assure indemnification for both direct and indirect damages in the event of a breach.
Understanding areas of vulnerability can help SMEs focus their resources to efficiently create a system of data security best practices.
Best Practices
Data security best practices for SMEs start with a comprehensive analysis of the information the company maintains. “Data mapping” consists of an audit of a company’s current and planned data collection, processing, usage, storage and transfer practices that assesses the necessity, source and location of all data and identifies little-known data files containing PII, including those under the control of third parties, which may pose a breach risk.
A thorough inventory of information leads to an effective risk assessment. SMEs aiming to efficiently establish a data security program should determine the threats specific to their business, design security measures that align with those specific risks and implement them with an eye for the likelihood of risk and minimizing potential damage.
Flexibility is essential to SMEs aiming to maintain best practices for data security. SMEs should repeat privacy audits and implement policy changes, if necessary. SMEs should be mindful that material changes to company policy only apply to newly collected data and the company must inform present customers through privacy policy update notices.
In addition, SMEs should understand their insurance policy coverage and exclusions and those of their third-party vendors and business partners. Staying informed of the current status of a company’s information storage and the protections in place helps prevent unnecessary exposure and limit harm in the event of a breach.
Large companies create dedicated data security positions, such as a Chief Information Security Officer (CISO), Chief Privacy Officer, or other senior executive responsible for data privacy and security.
SMEs may not have the resources to establish a position solely devoted to data security. However, working in conjunction with marketing, human resources, product development, information technology, in-house legal and outside counsel can facilitate institutional awareness of data security and can reduce breach risk by encouraging adherence to a realistic strategy.
To align best practices with specific needs, SMEs should stay current with any material changes to the business, changes in technology, changes in business practices, development of new products and services, evolution of the law, self-regulation and best practices, changes in internal or external threats, environmental or operational changes, as well as act with diligence in employee screening, input checking, background checks, monitoring, and education to minimize the risk posed by “bad actors.”
Breach Strategy
Even if SMEs fully comply with laws and guidelines, diligently assess the company’s potential weakness, and implement highly effective data security programs, a breach may occur. Any comprehensive data protection program includes a plan for such an event. An effective plan should address the following:
1. The timely notification of appropriate persons within the organization;
2. Prompt actions to respond to the breach aimed to prevent further information compromises and to facilitate effective cooperation with law enforcement;
3. Procedures for notifying regulators and potential victims; and
4. Protocol for dealing with the media.
Social media diminishes the control companies can exercise over the release of information, making news of a breach event harder to delay and reducing the time a company has to react.
While effective crisis communication is imperative, it does not supplant a strategy for the next action. For example, Target responded to its 2013 breach with customer discounts and free credit monitoring.
SMEs may not have the resources to react in kind, making a plan in anticipation of a breach a necessity to minimize harm to customer and business data and to the company’s reputation.
Conclusion
SMEs put themselves at considerable risk with lax data security measures, not the least of which is diminishing their value to potential investors.
Private equity firms and potential investors evaluate potential acquisitions for such risks. In the mergers and acquisitions context, due diligence on a target’s data security liabilities, preparedness and breach history is now conducted on a more regular basis.
As the SEC increasingly requires companies to address data security risk factors in their regular filings, a comprehensive protection strategy is key to the vitality of a business. SMEs aiming to eventually go public or sell to a larger company or investors should maintain an information protection strategy to maximize their value and limit potential red flags to investors.
Data security best practices help SMEs avoid the risks of a breach and the potential of costly subsequent litigation, events that could be fatal to a company with limited resources, while serving as essential indicators of a company’s vitality.