Search results for: "small business"

Small businesses may be discouraged from investing in preventive cybersecurity measures due to the expense involved and the mistaken belief that only larger companies are the target of cybercrimes. But that is not the case. The FBI’s Internet Crime Report indicated the cost of cybercrimes against small businesses reached $2.4 billion in 2021, indicating that small businesses are squarely in the crosshairs of criminal cyber gangs.

In addition to the risk to the business itself, small businesses may be vendors of larger corporations. In many instances, the underlying business agreements may require that these vendors (small businesses) implement and maintain reasonable cybersecurity controls. Depending on the terms of the agreement, the vendor may also be obligated to indemnify the larger corporation for any data security incident that impacts the corporation’s data. For a small business, these costs could be crippling.

One important component of any cybersecurity program to help small businesses avoid cyberattacks is implementing appropriate policies and procedures that address cybersecurity, including employee training.

Some of the policies that businesses should consider include:

  • Policies to address the use of company devices on unsecured internet.
  • Requiring multifactor authentication (MFA) for remote connections and email.
  • Prohibitions against disabling or disregarding anti-virus and malware programs.
  • Instructions on proper handling of sensitive information such as client data and/or personally identifiable information (PII).

Small businesses should also require strong passwords and train employees to recognize phishing emails.

For other best practices to avoid cyberattacks, the Small Business Administration has a short guide.

If you have questions about developing cybersecurity policies and procedures, reach out to a member of the Privacy, Data, and Cybersecurity Team.

A recent study surveying small and mid sized businesses (SMBs) found that 67% had experienced a cyber attack in 2018, and yet that same study found that cybersecurity is still “not on the to do list” for SMBs – 60% of the SMBs surveyed responded that they did not have a cybersecurity plan in place, and only 9% ranked cybersecurity as a top business priority. The federal government has taken notice of these concerning statistics.

Early this month, the U.S. House of Representatives passed five bipartisan bills to help small businesses. Among the bills passed, two specifically aim to enhance a small business’s ability to prevent and respond to a cybersecurity incident. First, the SBA Cyber Awareness Act, H.R. 2331, aims to strengthen the Small Business Administration’s handling and reporting of the cyber threats that affect small businesses. The bill requires the SBA to provide an annual report on the status of SBA cybersecurity, and notify Congress of any incident of cyber risk and how the SBA is addressing it. Second, the Small Business Development Center Cyber Training Act of 2019, H.R. 1649, requires the Small Business Administrator to establish or certify an existing cyber counseling certification program to certify employees at small business development centers. It also requires the SBA to reimburse lead small business development centers (SBDCs) for any costs relating to such certifications up to $350,000 in a fiscal year.

The Senate has also introduced legislation to help SMBs better address cyber threats. In late June, Senator Marco Rubio (R-FL) joined by Senator Gary Peters (D-MI) introduced the Small Business Cybersecurity Assistance Act of 2019, S.2034 that aims to better educate small businesses on cybersecurity through counselors and resources offered at SBDCs. The bill incorporates recommendations suggested by DHS and SBA’s Small Business Development Center Cyber Strategy in a report from March of 2019, which described challenges small businesses face with implementing cybersecurity for their business, including the confusing nature of government cyber resources and lack of training.

The cyber threats plaguing SMBs are real, and SMBs need to address the significant risk to their businesses. The cyber insurance industry is increasingly targeting SMBs with robust insurance policies, comparable to offerings for larger companies. While insurance is a helpful component of an overall risk management strategy, it should not be the only component.

In the event of a data breach, the policy might cover costs related to responding to that breach (sending notices, offering credit monitoring, etc.) and business interruption costs, but it might not cover the costs of a federal or state agency inquiry following the reported breach. That is, if, for example, a small health care practice reporting a breach might trigger a compliance review by the federal Office of Civil Rights. In that case, OCR investigators would be looking for information about the breach, but also evidence that a risk assessment was conducted, copies of written policies and procedures covering administrative, physical, and technical safeguards to protect health information, acknowledgments that employees completed HIPAA training, and other information to support compliance. Having these compliance measures in place can substantially limit an SMB’s exposure in these kinds of federal or state agency inquiries, as well as strengthen the SMB’s defensible position should the SMB be sued as a result of a breach.

The Federal Trade Commission (FTC) recently announced that it will launch a national education campaign to aid the small business sector in strengthening its cybersecurity and protecting its sensitive and personal data.

The national education campaign builds on the FTC’s 2017 Small Business Initiative which included the creation of a new website: FTC.gov/SmallBusiness aimed at helping small businesses protect their networks and data and avoid scams, and the Small Business and Cybersecurity Roundtables that included five roundtable discussions with small businesses to learn from the challenges they face dealing with cyber threats and cybersecurity and hear ideas on how the government can help them. The FTC developed the national cybersecurity education campaign based on lessons learned from the roundtables.

In the FTC’s announcement of the national education campaign, Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection highlighted that, “Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face… Our new campaign aims to help these small businesses with targeted, plain-language advice on everything from protecting against phishing scams to tips on what to look for when choosing a cybersecurity vendor.”

An FTC staff report released together with the announcement, Engage, Connect, Protect: The FTC’s Projects and Plans to Foster Small Business Cybersecurity – The Federal Trade Commission Staff Perspective includes an outline for the reader friendly materials the national education campaign will provide for small businesses looking to better protect themselves from cyber incidents, including:

  • Creating a suite of training materials for small businesses and their employees – 10 – 12 modules that will each include a cybersecurity challenge and advice for dealing with it accompanied by short videos, presentations, and other materials. These materials will be appropriate for small business owners and managers to share with employees.
  • Developing consistent messages from the federal government – this includes working together with the government’s Cybersecurity Forum, the National Cybersecurity Alliance’s (NCSA) federal partners working group, and other working groups FTC staff belong to, to create consistent messages regarding cybersecurity across other key federal agencies that interact regularly with small businesses.
  • Partner with the private sector – The FTC will continue to work together with private sector partners including the NCSA, the Better Business Bureau, and the U.S. Chamber of Commerce to ensure small businesses across all industries are aware of and have access to campaign materials. Materials will also be available online.

Although the media’s attention of late has been on large companies suffering data breaches, it is important to remember that, according to a recent study, half of all cyberattacks target small and mid-sized businesses. Small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.

For more information on small businesses and cybersecurity, below are several of our helpful materials:

 

Most business owners are all too familiar with identity theft. What they might not be sufficiently aware of is the “Dark Web” where identity theft thieves buy and sell stolen personal information.

The Dark Web Defined

The Dark Web describes places on the internet not identified by traditional search engines. Although not all sites on the Dark Web engage in criminal activity, it is generally where illegal consumer data is bought and sold.  For identity thieves, the Dark Web is a virtual market place that can provide a safe haven for cyber criminals to barter their goods, whether it’s stolen account information, stolen credentials, stolen documents or other personal information.

What Is the Connection between the Dark Web and Small Business?

Generally, personal data stolen from businesses ends up on the Dark Web. There is a myriad of categories within the Dark Web that specialize in different stolen information such as stolen credit cards, stolen account information from financial institutions, forged documents, etc.  Many times there are even subcategories within these general categories such as a specific brand of credit cards within a specific geographic location by state and zip code.  Surprisingly, some of these Dark Web businesses will not only sell stolen information such as bank cards, but will also offer “customer service” functions such as card support or refunds.  The Dark Web also offers compromised bank accounts, health records, credentials and forged real estate documents.  Interestingly, a “one-stop shop” is available on the Dark Web that offers entire “wallets” complete with driver’s license, social security numbers, birth certificates and credit cards.

How Is Stolen Information Utilized?

There is no real limitation for the creative criminal mind on what purposes stolen information can serve. Generally, it can include obtaining credit, mortgages, loans, tax refunds, etc.  In addition, it can be used to create a “synthetic identity” where both real and fictitious information is lumped together to suddenly create a new identity that is difficult to discover.

Stolen Credentials

A growing area of criminal activity on the Dark Web is the use of stolen credentials such as user names and passwords. To profit from this type of information, many times identity thieves hire “account checkers” who input stolen user names and passwords across various business accounts, including banking, and eCommerce and attempt to “break in” to the account, as many people use the same user name and passwords for various business services.  Suddenly, a stolen user name and password from one credit card, can suddenly be used to open up a variety of accounts across financial and business-related horizons.

Small Business Impact from Dark Web

The media generally focuses on data breaches for large companies that possess information on millions of consumers. Consequently, many small business mistakenly may conclude that they would not be a prime target of identity thieves.  Small business owners should know that thieves generally don’t target the size of the business, only those that are most vulnerable.  As privacy specialists noted at a recent Federal Trade Commission (FTC) conference,  information available for sale on the Dark Web is up to twenty times more likely to come from a company whose breach wasn’t reported in the media.  Unfortunately, many of these are small retailers, restaurant chains, practices, school districts, medical practices etc, as emphasized at the FTC conference, whereby it was announced that the majority of breaches investigated by the U.S. Secret Service involve small business. (The full FTC conference on identity theft is available for viewing under the video tab here.)

Reducing Risk for Your Small Business

Obviously, it starts and ends with adequate security protections and the commitment to consistently utilize proper security protocols. The FTC has a data security page that identifies security options for a business of any size and sector.  In addition, the House of Representatives recently held a hearing to discuss cybersecurity risks for small businesses and various solutions. In particular it was suggested that increased sharing of cyberthreat data could enhance the security of all industries, supported by Committee Chairman Steven Chabot’s recently introduced Small Business Cybersecurity Enhancement Act (H.R. 4668) which would create a government-led cyberthreat sharing information program.  For more information on small businesses and cybersecurity, see our article Data Breach Preparedness: A critical risk management for small and mid-sized business. The bottom line is that small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.

 

As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Clinical and Economic Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial information, Indiana Attorney General Greg Zoeller reached a settlement with a dentist in his state, Joseph Beck, for improperly dumping patient records in violation of state law and HIPAA. The dentist agreed to pay $12,000 in fines.

According to news reports, over 60 boxes containing years of dental records pertaining to over 5,600 patients, and including very sensitive personal information, were found in a dumpster. Apparently, the dentist hired a third party vendor to dispose of the records; that vendor likely was a business associate under HIPAA and, if so, also subject to the HIPAA privacy and security rules.

For small medical or dental practices, as for other professional service businesses such as lawyers, accountants, and insurance brokers, data security can be both daunting and expensive if there is a breach. Like many businesses, small businesses rely on third party vendors to perform certain activities. When those activities involve personal information of the business’ customers, the business owner should be paying more attention. Ask the vendor about what steps it has in place to protect information, does it have a written information security plan, it is licensed, does it have insurance in the event of a breach, does it train employees about data security, and, yes, how does it dispose the records and data it is being asked to handle. In many states, businesses are required to have language in the service agreements with vendors about data security when the vendors are going to handle personal information. There is a similar provision under HIPAA for business associates.

It is troubling to see that sensitive records are still being found in dumpsters even after the many widely-publicized data breaches. But, as here, the owner of the records may not be able to avoid responsibility by shifting it to the vendor.

Some have called 2014 the “Year of the Data Breach.” That may be true given the steady stream of large-scale data breaches affecting tens of millions of individuals. We do not know if this time next year commentators will be saying the same thing about 2015, but there are signs pointing to a significant tightening of regulation and increased enforcement of data security mandates – some are discussed below. No matter a company’s size or industry, maintaining personal data can be a risky business, more so for companies that are not prepared and that have not taken reasonable steps to safeguard personal data.

New York regulators announce new cyber security preparedness assessments for banks. Following an announcement in October concerning third-party vendors, Benjamin M. Lawsky, Superintendent of Financial Services, issued an industry guidance letter on December 10 to all New York State Department of Financial Services (DFS)-regulated banks outlining enhanced examinations as part of “new targeted, DFS cyber security preparedness assessments.” According to the announcement, and in the letter to banks, DFS examinations will be looking at safeguards such as protocols for detection of cyber breaches and penetration testing; corporate governance related to cyber security; defenses against breaches, including multi-factor authentication; and security of their third-party vendors. This is not just an issue for the banks because as part of their efforts to be ready for these increased examinations and assessments, they will need to be looking at the practices of their third-party vendors.

Another HIPAA settlement and Phase 2 audits expected to commence soon. Earlier this month, the Office for Civil Rights announced it reached a resolution agreement with Anchorage Community Mental Health Services (ACMHS) to settle potential HIPAA violations. Under the agreement, ACMHS will pay $150,000 and adopt a corrective action plan with regard to its HIPAA compliance program. Like a number of prior OCR investigations, this one was opened when ACMHS, a nonprofit organization providing behavioral health care services, informed OCR of a breach of unsecured electronic protected health information affecting 2,743 individuals. The breach resulted due to malware compromising the security of its information technology resources. According to OCR, ACMHS had adopted sample policies and procedures, but was not following them. In addition, OCR alleged that ACMHS failed to identify and address basic risks, such as not regularly installing updates and security patches for its software. Again, as with financial institutions, healthcare providers and health plans are not the only entities under OCR’s scrutiny. Under HIPAA, and as clarified by HITECH, the privacy and security obligations extend downstream to business associates and subcontractors, and possibly others. If your business is in the healthcare industry, there is a likelihood you will be affected by these requirements.

In addition to continued enforcement, OCR also is preparing to commence Phase 2 of its audit program. OCR representatives have been reported as stating unofficially that OCR hopes to start Phase 2 by the end of 2014, or the beginning of 2015. Those audits are expected to focus on (i) risk analysis and risk management, a fundamental requirement under the HIPAA Security Rule, (ii) breach notification compliance, and (iii) compliance with notice of privacy practices requirements. The audits are expected to reach both covered entities and business associates.

States enhancing breach notification laws and enforcement. During 2014, a number of states enhanced their existing breach notification laws (e.g., CA and FL) and Kentucky became the 47th state to enact such a law. Other states, such as Oregon, have announced a desire to enhance their own laws. Additionally, states like Massachusetts continue to announce fines for companies violating that state’s data security mandates.

Cyber insurance offerings to small business grow. In July 2014, CNBC explained “Why cyber-insurance will be the next big thing.” But it also is worth noting that during 2014 a number of carriers, syndicates have announced cyber products with a focus on small and mid-sized businesses. One example is an announcement that former Pennsylvania Governor and the first U.S. Secretary of Homeland Security, Tom Ridge, formed Ridge Insurance Solutions Company which seeks to close “a dangerous cyber insurance gap… particularly [for] small- and mid-cap firms”. Also, in November, Nationwide announced that it will be joining with Hartford Steam Boiler “to offer cyber insurance coverage for small business owners.”  The insurance market’s movement in this direction is one indicator of higher data risks for businesses beyond large organizations in the financial services industry and retail.

 

These are just a few of the signs in 2014 that point to more regulatory and enforcement activity ahead in 2015. Businesses large and small need to focus on their data privacy and security practices, which starts with assessing their risks across their organizations.

On Thursday, California Attorney General Kamala Harris announced heightened enforcement concerning data breaches, reports USAToday. AG Harris’ office also issued a Guide that provides recommendations to California businesses, particularly small businesses, to help them protect against and respond to the increasing threat of malware, data breaches and other cyber risks.

The circumstances are certainly threatening for small business. According to the Guide:

  • In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees.
  • More significantly, businesses with fewer than 250 employees were the target of 31 percent of all cyberattacks

The Guide is a good read for most small businesses which provides general principles and best practices to address data security. It is not comprehensive, and the Guide itself admits it does not provide “regulations, mandates or legal opinions…[but r]ather, … an overview of the cybersecurity threats facing small businesses, a brief and incomplete summary of several best practices that help manage the risks posed by these threats, and a response plan in the event of a cyberincident.”

Large national and multi-national companies are not the only targets for data breaches, and states like California are stepping up their enforcement efforts. Businesses should take the time to be sure they appropriately safeguard personal information of customers, employees and other individuals, as well as to be prepared to respond to a breach should they experience one.

 

According to one survey, Florida is fourth on the list of states with the most reported data breaches. No doubt, data breaches continue to be a significant risk for all business, large and small, across the U.S., including the Sunshine State. Perhaps more troubling is that class action litigation is more likely to follow a data breach. A common claim in those cases – the business did not do enough to safeguard personal information from the attack. So, Florida businesses need to know about the Florida Information Protection Act (FIPA) which mandates that certain entities implement reasonable measures to protect electronic data containing personal information.

According to a Law.com article:

The monthly average of 2023 data breach class actions was 44.5 through the end of August, up from 20.6 in 2022.

While a business may not be able to completely prevent a data breach, adopting reasonable safeguards can minimize the risk of one occurring, as well as the severity of an attack. Additionally, maintaining reasonable safeguards to protect personal information strengthens the businesses’ defensible position should it face an government agency investigation or lawsuit after an attack.  

Entities Subject to FIPA

FIPA applies to a broad range of organizations, including:

   •    Covered Entities: This encompasses any sole proprietorship, partnership, corporation, or other legal entity that acquires, maintains, stores, or uses personal information…so, just about any business in the state. There are no exceptions for small businesses.

   •    Governmental Entities: Any state department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality that handles personal information.

   •    Third-Party Agents: Entities contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity. This means that just about any vendor or third party service provider that maintains, stores, or processes personal information for a covered entity is also covered by FIPA.

Defining “Reasonable Measures” in Florida

FIPA requires:

Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.

While FIPA mandates the implementation of “reasonable measures” to protect personal information, it does not provide a specific definition, leaving room for interpretation. However, guidance can be drawn from various sources:

  •    Regulatory Guidance: For businesses that are more heavily regulated, such as healthcare entities, they can looked to federal and state frameworks that apply to them, such as the Health Insurance Portability and Accountability Act (HIPAA). Entities in the financial sector may be subject to both federal regulations, like the Gramm-Leach-Bliley Act, and state-imposed data protection requirements. The Florida Attorney General’s office may offer insights or recommendations on what constitutes reasonable measures. Here is one example, albeit not comprehensive.
  •   Standards in Other States: Several other states have outlined more specific requirements for protecting personal information. Examples include New York and Massachusetts

Best Practices for Implementing Reasonable Safeguards

Very often, various data security frameworks have several overlapping provisions. With that in mind, covered businesses might consider the following nonexhaustive list of best practices toward FIPA compliance. Many of the items on this list will seem obvious, even basic. But in many cases, these measures either simply have not been implemented or are not covered in written policies and procedures.

  • Conduct Regular Risk Assessments: Identify and evaluate potential vulnerabilities within your information systems to address emerging threats proactively.
  • Implement Access Controls: Restrict access to personal information to authorized personnel only, ensuring that employees have access solely to the data necessary for their roles.
  • Encrypt Sensitive Data: Utilize strong encryption methods for personal information both at rest and during transmission to prevent unauthorized access.
  • Develop and Enforce Written Data Security Policies, and Create Awareness: Establish comprehensive data protection policies and maintain them in writing. Once completed, information about relevant policies and procedures need to shared with employees, along with creating awareness about the changing risk landscape.
  • Maintain and Practice Incident Response Plans: Prepare and regularly update a response plan to address potential data breaches promptly and effectively, minimizing potential damages. Letting this plan sit on the shelf will have minimal impact on preparedness when facing a real data breach. It is critical to conduct tabletop and similar exercises with key members of leadership.
  • Regularly Update and Patch Systems: Keep all software and systems current with the latest security patches to protect against known vulnerabilities.

By diligently implementing these practices, entities can better protect personal information, comply with Florida’s legal requirements, and minimize risk.

Around the country, the weather is turning wintery, but in the privacy arena, there will be a blizzard as five state comprehensive privacy laws become effective.

Here is an overview of businesses needing to prepare.

1. Delaware Personal Data Privacy Act (DPDPA)

The DPDPA takes effect on January 1, 2025. It applies to entities doing business in Delaware or targeting Delaware residents. It covers businesses that process the personal data of at least 35,000 consumers or derive significant revenue from selling personal data. Notably, nonprofits are not exempt, and the law includes stringent requirements for handling sensitive personal information.

2. Iowa Consumer Data Protection Act (ICDPA)

The ICDPA also takes effect on January 1, 2025.  It is more business-friendly, with a high threshold for applicability. It targets businesses that control or process data of at least 100,000 Iowan consumers or derive over 50% of their revenue from selling personal data. The ICDPA offers a generous 90-day cure period for violations.

3. Nebraska Data Privacy Act (NDPA)

The NDPA takes effect on January 1, 2025. The NDPA applies broadly to entities conducting business in Nebraska, with few exemptions. Small businesses are exempt from most provisions but must obtain opt-in consent before selling sensitive information. The law includes a 30-day cure period for violations.

4. New Hampshire Data Privacy Act (NHDPA)

The NHDPA takes effect on January 1, 2025. New Hampshire’s NHDPA focuses on consumer rights and data protection, requiring businesses to implement robust data security measures and provide clear privacy notices. It also grants consumers the right to access, correct, and delete their personal data.

5. New Jersey Data Privacy Act (NJDPA)

The NJDPA takes effect on January 15, 2025. The NJDPA introduces comprehensive data protection requirements, including mandatory data protection assessments and the obligation to recognize universal opt-out mechanisms. It aims to enhance transparency and consumer control over personal data.

How to Prepare for the Blizzard

With these new laws, businesses must take proactive steps to ensure compliance. Here are some key actions to consider:

  • Assess Application of the Law: Determine whether each law applies to your business.
  • Conduct Data Audits: Identify and categorize the personal data you process to understand your obligations under each law.
  • Update Privacy Policies: Ensure your privacy policies are transparent and reflect the new legal requirements.
  • Implement Data Security Measures: Strengthen your data protection practices to safeguard consumer information.
  • Service Provider Agreements: Review and update as necessary service provider agreements with those vendors that process personal information on behalf of the business.
  • Consumer Rights Readiness: Be prepared to comply with requests from consumers concerning their privacy rights, such as rights to opt-out of sale or deletion of personal information.
  • Train Employees: Educate your staff about the new laws and their roles in maintaining compliance.

If you have questions about compliance with the laws taking effect in January or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

No organization can eliminate data breach risks altogether, regardless of industry, size, or even if the organization has taken significant steps to safeguard their systems and train employees to avoid phishing attacks. Perhaps the most significant reason these risks remain: third-party service providers or vendors.

For most businesses, particularly small to medium-sized businesses, service providers play a critical role helping to manage and grow their customers’ businesses.

Consider vacation rental and property management businesses. Whether operating an active website, maintaining online reservation and property management platforms, or recruiting and managing a growing workforce, these businesses wind up collecting, processing, and storing large amounts of personal information.

With a national occupancy rate of approximately 56%, a vacation rental company with 100 units for weekly rental might expect to collect personal information from about 5,000 individuals annually (25 weeks rented X2 persons per rental X100 properties). My crude math leaves out website visitors, cancellations, employees (and their family members), and other factors. After three years in business, the company might easily be storing personal information of up to 15-20,000 individuals in their systems.

There are lots of good resources online helping to protect VR businesses from online scams, including those that could lead to a data breach. “Vacation Rental Scams: 20 Red Flags for Spotting Hoax Guests” and “How to Protect Your Vacation Rental from Phishing Attacks” by Lodgify are good examples.

But what happens when the VR business’ guest and/or employee data is breached while in the possession of a vendor?

Last year, as reported on the Maine Attorney General’s Office website, Resort Data Processing (RDP) experienced a data breach affecting over 60,000 individuals caused by a “SQL injection vulnerability which allowed an unauthorized third party to redirect payment card information from in-process transactions on our RDP’s clients’ on-premises Internet Reservation Module (“IRM”) server.” Affected individuals likely included consumers who stayed at properties owned by RDP’s business customers. At least, that is what one plaintiffs law firm advertised about the incident.

Addressing this risk can be daunting, especially for small businesses that may feel as though they have insufficient bargaining power to influence contract terms with their vendors. But there are several strategies these organizations might consider to strengthen their position and minimize compliance and litigation risks.

  • Identify all third parties that collect, access, or maintain personal information on behalf of the business.
  • Investigate what personal information they access, collect, and maintain and assess how to minimize that information.
  • Make cybersecurity a part of the procurement process. Don’t be afraid ask pointed questions and seek evidence of the vendor’s privacy and cybersecurity policies and procedures. This should be part of value proposition the vendor brings to the table.
  • Review service agreements to see what changes might be possible to protect the company.
  • A vendor still may have a breach, so plan for it. Remember, the affected data may be owned by the business and not the vendor, making the business responsible for notification and related obligations. The business may be able to assign those obligations to the vendor, but it likely will be the business’ responsibility to ensure the incident response steps taken by the vendor are compliant.

Experienced and effective counsel can be instrumental here, both with negotiating stronger terms in service agreements and improving preparedness in the event of a data breach.