Data Breach Laws: What You Need To Know
In a Bring Your Own Device world, it’s likely your employees are storing work-related data on their personal devices. Or if your business has a work from home policy, they might be driving around with their laptop or tablet. But what happens if your employee notifies you that their device was stolen or misplaced? Besides the cost and inconvenience of replacing the laptop, could your business be on the hook for bigger expenses and do you need to notify all your clients? It depends on where you live and what type of data was stored.
FLORIDA DATA BREACH LAWS:
Companies are capturing more and more data about their employees, customers and prospects, and as a result, most states are starting to aggressively enforce data breach and security laws that impose responsibilities on businesses capturing and storing personal data.
In Florida, businesses that experience a data breach are legally required to notify affected Florida residents within 30 days of the breach. A breach that affects more than 500 people must be reported to the Department of Legal Affairs, and a breach that affects more than 1,000 people requires notification to the credit reporting agencies.
WHAT IS CONSIDERED CONFIDENTIAL OR SENSITIVE DATA?
Most definitely, personally identifiable information (PII), which is any data that could potentially identify a specific individual. This includes medical and financial records such as credit card numbers, credit scores and bank account numbers, but also addresses and phone numbers, social security numbers, birthdays and in some cases purchase history—information that the majority of companies keep on their clients and employees.
“WE DIDN’T KNOW” IS NO LONGER ACCEPTABLE
With millions of cyber criminals working around the clock to penetrate systems, especially those of small and medium businesses, and with employees having access to confidential client data, there is no sure way to guarantee your business won’t have a data breach. However, adopting solid security best practices will help you avoid hefty fines. Here are a few things your business can implement today to protect your reputation and your company.
- Limiting Permissions: Who has access to the confidential information you store in your business? Is it easily accessible by everyone in your company or just a specific group of employees? What is your mobile device management policy and procedures for taking data out of the office on devices?
- IT security: The level of IT security should increase with the sensitivity of the data. Are your passwords easy to guess? Are your files and data encrypted? Do you have a strong firewall? If not, why not?
- Employee Training: One of the biggest causes of data breaches is human error: staff who accidentally download viruses and malware that give hackers easy access. How often are you training your staff, just at onboarding? Do you run phishing tests to determine who needs to be retrained? What is your data security policy?
- On-Premise security: Do you lock your offices at the end of the day, or just the front and back doors? Do you have cameras and alarms monitored by a security company? Thieves do break into offices and steal servers, laptops and other digital devices. Paper contracts and files are also gold mines: they contain sensitive information — do you have locks on those filing cabinets? What type of physical security do you have in place to deter criminals from breaking in?
Every business is responsible for proactive data security. Being negligent has consequences that go beyond the legal aspect; it can seriously harm your reputation with clients and perhaps put you out of business. Ask your IT department or vendor about IT best practices. Don’t have one? Contact us today.