Posted on Nov 27, 2017 by Carmelo B. Sammataro
The recent cyberattack on the credit reporting agency, Equifax, is being called one of the worst data breaches ever. The incident potentially compromised the personal information of 145 million Americans, including nearly half of South Carolina residents.
An industry report counts more than 1,000 data breaches last year at U.S. businesses and governmental agencies, a 40% increase over 2015. On average, a breach will cost a business $7 million, according to research.
A data breach is both a technical and legal problem. With so much at stake, what can businesses do to prepare for inevitable cyberattacks, limit their potential liability and protect their customers’ sensitive data?
Businesses must protect “personal information”
Under South Carolina’s Financial Identity Fraud and Identity Theft Protection Act (FIFITPA), businesses must protect customers’ “personal information,” including Social Security number, driver’s license number, credit card and other financial account numbers, date of birth, and current and former addresses. The Gramm-Leach-Bliley Act triggers additional legal obligations for financial institutions.
South Carolina law allows anyone affected by a breach to sue for damages, and the state can fine a business up to $1,000 for each resident impacted by a breach.
Businesses are also required to notify the individuals whose data was stolen “in the most expedient time possible.”
There is a lifeline
Businesses are not liable for fines or civil damages if the stolen information was encrypted or otherwise rendered unusable to a thief. Although its exact parameters are not clear, this exception seems intended to give the benefit of the doubt to businesses that proactively take strong measures to protect data. Financial institutions are excluded from this law because they are bound by the security provisions of federal law.
Key steps to take
Cybersecurity risk is a part of doing business today, so you should plan for potential incidents in the same way you would for any other emergency.
Take preventative measures to secure your customers’ personal information. Preparation will minimize your potential liability if you can show that you took every proactive step that you possibly could.
Should a breach occur, coordinate your response to:
Regularly revisit each point above to make sure your plan is not stale and is sufficient to respond to ever-evolving threats.