
Why data theft poses a big risk to small businesses

(EDITOR'S NOTE: More than half the small businesses in the USA say they have had a data breach. Yet, many owners don't know what to do next when private information is lost or stolen. In this guest commentary, Eric Cernak, vice president for specialty insurer Hartford Steam Boiler[1], a unit of Munich Re, suggests ways to prevent a breach and how to respond.)

Why should a small business worry about a data breach? After all, many owners think, computer hackers and identity thieves only target big corporations.

In fact, most small businesses in the USA already have been exposed, or likely will be soon. The loss or theft of private information can be expensive, drive away customers and even result in legal penalties.

A Ponemon Institute survey[2] for insurer Hartford Steam Boiler found that 55 percent of small businesses had a data breach and 53 percent of those businesses had multiple breaches.

Yet, surprisingly, only 33 percent of the businesses notified the people affected, even though 46 states, the District of Columbia and Puerto Rico require that individuals be contacted when their personal information is compromised.

Why would a small business owner risk fines and their company's reputation by ignoring a data breach? They don't believe it will happen to them. When it does, they're not prepared and don't know how to respond.

Others aren't aware that most states require them to tell individuals, or believe the laws don't apply to small companies. They do. And failing to comply may risk bad publicity, angry customers and lost business opportunities.

The Ponemon Institute surveyed small businesses around the country with revenues under $10 million, including Main Street businesses, accountants, attorneys and other professionals, health care providers, restaurants and small retailers.

The results showed that small businesses have valuable information about customers or employees, and light security often makes them easy targets for identity thieves.

In one case, a computer hacker stole almost 20,000 customer credit card records from an online retail website.

The theft of two computers from a doctor's office exposed 10,000 patient records.

An employee of another medical office lost a computer thumb drive with 1,200 files.

Once data is breached, most small business owners and professionals find out that their standard commercial property and liability insurance doesn't cover the loss.

A specialty coverage, data breach insurance, is necessary to help pay the costs of responding and providing personal services such as credit checks for victims.

The hacked web retailer was paid $50,000 under a data breach policy to notify customers and help prevent identity theft.

After the break-in, the physician received the same amount from the coverage.

The doctor's lost thumb drive resulted in a $16,400 payment for notification, a legal review and customer services.

What can a small business do to help prevent a data breach and respond effectively?

Start with an inventory of information and keep only what's necessary. Limit access to employee and customer records, shred old files, destroy old hard drives. Wipe portable devices and remove memory cards before discarding or selling.

Do simple background checks on employees. Don't forget that secretaries, clerks and other entry-level employees often have access to restricted information.

Install and update computer firewalls, anti-virus and anti-spyware programs. Even basic software can help protect a small business, and encryption programs are getting more affordable.

If a business shares personal data with third parties to process payrolls, payments, or manage websites, contracts should make those vendors responsible for all costs when information is breached while under their control.

Seek professional security services before a data breach occurs. A crisis is no time to start looking for help. A security consultant can help you decide what level of protection makes sense and is always on call.

When data is lost or stolen, don't panic. But don't ignore the incident. Evaluate what information has been exposed, review state reporting laws, and decide how best to respond.

Since data is so vital to business today, many small business owners are adding data breach insurance to their basic coverage, along with property, liability, fire and theft.

The coverage not only pays for the costs to respond, but provides services such as identity fraud case management for customers.

All the business owner has to do is make a single telephone call to the property-casualty carrier and the data breach specialists go to work.

Small businesses have a big exposure when it comes to the information they keep.

With some planning, basic security and the right insurance, a small business can help limit the losses from a data breach and protect its reputation.
