Cyber Security Measures Entrepreneurs and Their Customers Can Give Thanks For This Season
Like colorful autumn leaves blowing in the wind, the month of October - National Cyber Security Awareness Month - blew past so quickly that many entrepreneurs blinked, and it was gone. Building a company can get extremely busy, but smart businesswomen recognize that setting aside some time to take precautionary measures now is a brilliant way to transition from a season of fright to a season of giving thanks. After all, cyber security is something we can all feel grateful about.
As businesses become more digitally driven, the need for cyber security and privacy compliance measures has become a paramount consideration. Everyone within the company, along with third-party providers, has data security and privacy obligations imposed by law. Yet entrepreneurs sometimes remain unclear about when they must, for example, adopt a privacy policy. Such lack of awareness and non-compliance may cause serious problems if the company is involved in obtaining, maintaining, using or disclosing personal information about consumers. Further, due to recent widespread data breaches with serious consequences, it is necessary for every businesswoman who stores content online to understand the risk of cyber attacks and take proactive measures to protect her data. To further complicate the matter, business owners with employees have an increased duty of care since they must protect their employees’ information as well as their own.
Unless you are a privacy professional or tech ninja, it is not always clear (1) who should take action, (2) what information should be protected, or (3) how to implement cyber security. Here, Parazim provides comprehensive techniques and guidelines entrepreneurs can implement and use on a daily basis for personal and company-wide data protection.
WHO NEEDS CYBER-SECURITY?
Entrepreneurs tend to procrastinate about addressing issues they are aware of but are not yet imminently facing. Unfortunately, this bad habit is unhelpful, because the issue becomes much harder to resolve after the harm is done. Taking proactive measures to guard against data theft is necessary because of the potentially serious consequences and threat of lasting damage.
The massive Equifax data breach in May 2017 suggests that no one is safe from cybercriminals. Even the most well-equipped companies are vulnerable. This breach is considered one of the most significant data breaches in recent history since it includes highly sensitive information such as credit card numbers, SSNs and other personal identifying data. The information of more than 143 million American customers was compromised.
According to Breach Level Index, a global database that tracks data breaches and measures their severity based on number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted, data theft is a fast-growing problem for individuals as well as large corporations and organizations. The frequency of stolen data records is an astounding 60 records stolen per second, 3,578 records stolen per minute and 214,693 records stolen per hour. With the increased frequency of data theft and its global expansion, every entrepreneur is in the zone of risk.
WHAT INFORMATION SHOULD A SAVVY ENTREPRENEUR PROTECT?
Before diving into privacy and cyber security measures, it's important to first understand what information is sensitive and vital to protect. Under current U.S. laws and regulations, the following are examples of some types of information collected that will require special handling and protection:
- personally identifiable information (PII), including an individual’s name or initials, birthdate, Social Security number (SSN), driver’s license number, financial data, email address, location data
- personal information related to medical history, criminal convictions, sexual orientation, political and religious affiliation
Even if some types of information are not defined by law as PII but will help lead to a particular individual (home address, personal correspondence, private photos), it is still wise to be careful about sharing such information on the Internet. Social networks give criminals an outstanding opportunity to steal personal information and use it for criminal purposes. For example, when people take photos with geotags and post them on Facebook, burglars and stalkers will know that the person is not at home and where they are. Similarly, before posting photos of boarding passes prior to a flight, remember that someone could use this information to change your flight details or cancel the tickets. It is important to keep in mind that every time you publish a photograph on a social network site, you surrender privacy. Usually information associated with user preferences is used for targeted advertisements only, but the social network platforms where such information is posted know just about everything about you. It is your own responsibility to evaluate what data you will keep private and what you will share.
In addition to personal information, smart entrepreneurs should focus on protecting sensitive business information, and this includes anything that might pose a risk to the company if discovered by competitors or the general public. Examples of this include the company’s trade secrets, financial data, acquisition plans, or customer information.
Finally, a key way to separate PII from other more public information is to establish whether an enforcement action is available in the event that a data breach occurs. If an SSN, birthdate, or credit card information is breached, for example, a person can be substantially harmed. Thus, they can file a complaint with the State Attorney General or the Federal Trade Commission (FTC), and also sue the wrongdoer for damages.
HOW SHOULD AN ENTREPRENEUR TAKE ACTION?
Protecting Customers
A privacy policy is a statement that declares a company, website, or mobile application’s policies on collecting, using, and sharing personally identifiable information (PII) about a user or visitor. There are at least two reasons why a company should include a privacy policy on its website. First, California law requires operators of commercial websites or online services that collect personal information on consumers residing in California through a website to conspicuously post a privacy policy and to comply with it. Second, many customers rightfully demand privacy protection. Due to the increasing number of data breaches, internet users have become more concerned about who sees their personal information and how it may be used when they visit a company’s website. Thus, the increasing customer demand for a clear privacy policy motivates credible companies to comply, even if regulations do not apply.
Entrepreneurs should keep in mind that their company may be subject to FTC action or a lawsuit if their privacy practices do not accurately reflect those stated in their privacy policy. Moreover, such violations may result in fines or suspension of a business license. For example, California imposes a civil fine of up to $2,500 per incident. The California Attorney General clarifies that each non-compliant mobile app download constitutes a single violation, and each download may trigger a separate fine. With these serious consequences, every effort should be taken to create a privacy policy that is reflective of the company’s actual practices related to customers’ data collection and use. It is also advisable to ensure alignment with federal, state, and local law regarding the standards of handling sensitive information.
There is no universal approach to developing a privacy policy that will fit the needs of every company or industry, as privacy policies are as unique as the entrepreneurs who display them. Every businesswoman must ensure that her website privacy policy accurately addresses specific legal issues and technical implications of her company. In other words, your privacy policy must be completely customized. It is a big mistake to use privacy policies copied from other websites. Such action constitutes copyright infringement and will likely lead to fraudulent or misleading business activities prohibited by law. With this in mind, here are tips for success:
- Determine whether your business is required to adopt a privacy policy.
- Do not use a poorly drafted privacy policy solely because you think you should have at least something. Having no privacy policy at all is often better than displaying an improper one, since the latter will likely result in active violation of privacy law and regulations.
- Do not borrow a policy from someone else's website. You may be held liable for copyright infringement or this policy may have no practical application to your business.
- Do not draft the policy yourself, unless you are a professional. It may be very beneficial to hire an expert at writing policies within your industry.
Although a privacy policy alone will not eliminate data breaches or misuse of personal information, displaying one is a smart step to ensure transparency and professional relations. It is something your customer will surely be thankful about!
Protecting Yourself and Your Company
Preventative Care
Smart entrepreneurs should also focus on taking preventative measures now to protect personal and business data from a security breach. Even though organizations that you deal with have a duty to secure any data collected from you, it does not always happen because things can go wrong. You can, however, take steps to strengthen your own defenses against data breaches.
Here is a non-exhaustive list of data protection methods in alignment with the FTC:
- Use password protection for all business computers and devices and require employees to have unique user names and strong passwords that they change regularly (every three to four weeks is optimal).
- In order to create strong, secure passwords, use uppercase and lowercase letters, special characters, symbols, and random numbers. Use different passwords on different accounts.
- Make sure your software and operating systems on computers and mobile devices are up to date. Install updates to operating systems and antivirus software as soon as possible.
- Secure access to your network with firewalls, remote access through properly configured Virtual Private Networks, and Wi-Fi networks that are secure and encrypted.
- Train your employees to ensure they understand your data protection practices and their importance.
- Give your SSN and other sensitive data only when it is absolutely required.
- Monitor credit reports at one, two, or all three of the major credit reporting agencies: Equifax, Experian, and TransUnion.
- If possible, use an identity protection service such as Identity Guard, LifeLock, or IDShield.
Evaluating Whether a Breach Occurred
Even after taking precautionary measures to protect her data, an entrepreneur may wonder from time to time whether her information is secure. One option to alleviate stress associated with the threat of a potential data breach is participating in personalized data monitoring. Entrepreneurs can monitor their account balances, statements, and credit reports to ensure no one is trying to open an account under their name. Plus, organizations can ensure they have strong intrusion detection systems in place to identify unauthorized access into systems containing personal data. It is a reasonable practice to periodically check the website of a company you are doing business with to determine whether any data has been compromised. In most cases, U.S.-based companies are obligated to notify their customers and other parties about a hacking incident, so data breaches are usually disclosed via a company press release to major media networks.
After its cyber security incident, Equifax offered its customers a free monitoring service called TrustedID Premier. This program includes five separate offerings that allow users to monitor their credit files along with SSNs, freeze their credit reports, and search suspicious websites for user SSNs. While enrolling in the program, make sure you are on a secure computer and an encrypted network connection. Upon enrollment, the website will tell you if you have been affected by the Equifax breach. According to Equifax, customers who sign up for the credit-monitoring service do not waive their rights to take part in a class action lawsuit against the company. If you are using Equifax, you may want to enroll in this program. You have until January 31, 2018 to register.
Here is a non-exhaustive list of actions to help determine whether a breach has occurred:
- Check your credit report by visiting annualcreditreport.com.
- If you find suspicious activity on an account, visit IdentityTheft.gov. This is the government’s free resource for reporting and recovering from identity theft. The website will provide you with a personal, interactive recovery plan tailored to your individual needs.
- Report all identity theft to the FTC.
- Notify the IRS if you are a potential tax fraud victim.
- Consider placing a credit freeze on your credit reports, which will make it harder for someone to open a new account in your name. This action will not, however, prevent a thief from making charges to your existing accounts.
- Consider placing a fraud alert on your files. This will warn creditors that you may be an identity theft victim and require them to take precautions if someone seeks credit in your name.
- Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
Remember, regardless of your industry, securing sensitive information and complying with privacy regulations is now a top concern for everyone. The need to take proactive measures has never been greater for today's entrepreneur.
-------
Harmony Oswald, Esq. is licensed to practice law in the state of California. She is the Founder and Managing Attorney at Parazim and the author of a 2017 leadership book for women. The above article does not create an attorney-client relationship. It provides information only and should not and cannot be construed as legal advice. For more information, please contact harmony@parazim.com.