Turner Padget Insights

Lessons from Equifax: Preventing and Responding to Cyberattacks on Your Business

Posted On Nov 27, 2017

The recent cyberattack on the credit reporting agency Equifax is being called one of the worst data breaches ever. The incident potentially compromised the personal information of 145 million Americans, including nearly half of South Carolina residents.

An industry report counts more than 1,000 data breaches last year at U.S. businesses and governmental agencies, a 40% increase over 2015. On average, a breach will cost a business $7 million, according to research.

A data breach is both a technical and legal problem. With so much at stake, what can businesses do to prepare for inevitable cyberattacks, limit their potential liability and protect their customers’ sensitive data?

Businesses must protect “personal information”

Under South Carolina’s Financial Identity Fraud and Identity Theft Protection Act (FIFITPA), businesses must protect customers’ “personal information,” including Social Security number, driver’s license number, credit card and other financial account numbers, date of birth, and current and former addresses. The Gramm-Leach-Bliley Act triggers additional legal obligations for financial institutions.

South Carolina law allows anyone affected by a breach to sue for damages, and the state can fine a business up to $1,000 for each resident impacted by a breach.

Businesses are also required to notify the individuals whose data was stolen “in the most expedient time possible.”

There is a lifeline

Businesses are not liable for fines or civil damages if the stolen information was encrypted or otherwise rendered unusable by a thief. Although its exact parameters are not clear, this exception seems intended to give the benefit of the doubt to businesses that proactively take strong measures to protect data. Financial institutions are excluded from this law because they are bound by the security provisions of federal law.

Key steps to take

Cybersecurity risk is a part of doing business today, so you should plan for potential incidents in the same way you would for any other emergency.

Take preventative measures to secure your customers’ personal information. Preparation will minimize your potential liability if you can show that you took every proactive step available to you.

Therefore:

  • Review the data you store and identify that which is sensitive.
  • Establish protocols for what information can be collected and how it may be used.
  • Work with technical experts and legal counsel to assess your vulnerability and make a proactive response plan that assigns responsibilities for action in the event of a breach.
  • Review your procedures and establish best practices, including technical measures such as firewalls and encryption, as well as procedures governing how employees access your data using passwords and mobile devices.
  • Educate your employees on your protocols.
  • If you are just starting out, refer to helpful online resources such as those offered by the U.S. Small Business Association to learn more about the issues and some basic, inexpensive steps you can take to minimize your risk.

Should a breach occur, coordinate your response to:

  • Investigate and understand its scope, how it occurred and what information was compromised.
  • Notify the owners of the information as soon as possible.
  • Make necessary technical fixes.
  • Bring in experts to help with the public relations response.
  • Implement corrective measures, such as offering free credit-monitoring services to affected customers.

Regularly revisit each point above to make sure your plan is not stale and is sufficient to respond to ever-evolving threats.