By Rachelle Green | Although National Cyber Security Awareness Month is coming to a close, we don’t want our clients and friends to lose sight of the new Rhode Island Identity Theft Protection Act that went into effect in July. This statute mandates that all businesses (as well as municipal and state agencies, among others) have a risk-based cyber information security plan in place, meaning one that is appropriate for their size and for the nature of the information they collect and store. It also now requires expedited notice in most cases – as soon as possible, but no later than 45 days after the breach is confirmed – and, importantly, removes the prior $25K cap on penalties. Another key, and relatively easy to address, element of a security plan requires the organization to develop safe and timely methods of destroying personal information.
Businesses that suffer a data breach – an event that, these days, is more a question of when than if – and do not have a cyber plan in place or do not follow the required notice procedures could be hit with penalties as high as $100 per record for a “reckless” violation and $200 per record for a “willful” violation. But don’t let that scare you. One of the policies driving adoption of the new requirements in the statute was to provide compliant businesses with protection; by following the requirements of the statute, businesses can avoid these penalties. Indeed, an admirable public/private initiative allowed Rhode Island to be one of only two (out of 34) states attempting to pass this kind of legislation to succeed.
Nor should the new statute be the only motivating factor for businesses. As we’ve become accustomed to hearing – in this election cycle and even in the daily news – the constantly accelerating proliferation of new technologies in all sectors has, along with countless benefits, resulted in a corresponding rise in hackers adept at developing new ways to gain access to protected information. There are numerous and rapidly evolving causes of a data breach, ranging from simple employee negligence (e.g., clicking on a link in a phishing scam or inadvertently forwarding protected information to the wrong customer) to complex schemes that involve the creation of slightly altered email accounts for corporate executives and other tricks of the trade. Often, hackers gain access to business systems but do not act immediately; instead, they study the company’s business and communications practices before attempting to orchestrate a transfer of money or to copy sensitive intellectual property.
While many companies have put ad hoc security measures in place as their technology has developed, now is the time to review them and convert them into a concrete and compliant cyber plan. A small investment of time may generate a large return on investment in the case of a data breach, both in the form of avoided penalties and in preserved customer confidence.
Despite implementing best practices, appropriate security controls and security plans, breaches still occur. If one happens in your workplace, a swift response is crucial and can minimize the damage the company suffers as a result. Depending on the scope of the information at risk, you may have to comply with the varying requirements of multiple jurisdictions, which, like Rhode Island, require notification of state agencies if the breach affects a certain number of individuals.
There are many other considerations a company should explore, both to comply with applicable law and to minimize the impact on the people affected by the breach. For example, a targeted business can build goodwill by providing identity theft protection and other safeguards to people whose data was compromised. It is imperative to engage both legal and information technology professionals promptly to mitigate the damage that may result if a breach goes unaddressed or is handled casually.
Finally, businesses are well advised to examine available insurance coverage, including that offered by existing IT and cloud providers. Many would be wise to explore cyber insurance. A September survey by the Risk and Insurance Management Society found that 80% of companies bought a stand-alone cybersecurity policy in 2016; such policies are quickly becoming the new norm.
To learn more, contact Rachelle Green here.