By: ITS San Francisco on March 4th, 2022

California Data Breach & Noncompliance Notification Laws


Learning about a data breach after the fact can be devastating for an organization, especially once you factor in the heavy fines for neglecting the required notifications. Ignoring California's stringent data-breach laws sets you up for hefty fines and litigation.

The thought of a data breach is enough to send information security professionals into a frenzy. Thousands of small and medium-sized businesses will face this issue in the coming years (if they haven't already).

Running a small business's IT department comes with significant challenges. Keeping up to date with the latest security patches and recommendations often falls by the wayside in the daily hustle. The massive focus on new technologies puts more pressure on overtaxed IT teams than ever before, and it is leading to very damaging data breaches.

California has beefed up its notification requirements in an attempt to provide more transparency to individuals whose personally identifiable information (PII) has been compromised.

Here’s how these data breach notification laws will impact your business.

The Frightening Statistics

Between client records and intellectual property, there are millions upon millions of data points of prime interest to cybercriminals. Of the small businesses that are attacked and suffer a severe data breach, almost 60 percent go out of business within six months of the attack. This is even more frightening when you consider that nearly half (43%) of cyberattacks are against small businesses.

Few small businesses feel ready to repel an attack, and even fewer feel confident about their ability to recover from this type of disaster.

Having a proper disaster recovery and notification plan in place is critical to ensure your business can continue operating after a data breach.

The Types of Cyber Attacks

While you may be familiar with what people generally call "hacking" (unauthorized entry into digital property with malicious intent), you may not be aware of the many ways cybercriminals can infiltrate your systems.

Ransomware is a growing concern and can leave entire systems unavailable until you pay the ransom. Payment is usually demanded in Bitcoin or another cryptocurrency, which makes it harder for law enforcement to trace the transactions involved.

While clients' credit and debit card information is a prime target, employee information and intellectual property are also extremely attractive to criminals who wish you ill. Phishing and social engineering, where cybercriminals gain access to your systems by tricking internal users into unknowingly launching malware, are also of growing concern, as is the loss of connected devices such as laptops and mobile phones.

The cost of asset loss and theft can be devastating, with small businesses reporting losses in the tens or hundreds of thousands of dollars.

California Data Breach Notification Laws

California has taken additional steps to provide consumers with more transparent notifications in the event of a cyberattack. While this well-meaning legislation protects consumers, it can be onerous for business owners as they navigate the legal landscape. Businesses are now required to notify clients if unencrypted personal information is exposed. The definition of "personal information" includes the following:

  • Social Security numbers
  • California driver's license or other identification numbers
  • Health insurance and other medical information
  • Financial account information, such as credit and debit card numbers, or account security codes
  • Data collected via an automated license plate recognition system

California law sets specific requirements that extend even to the font size of your notification: it must be no smaller than 10-point type for legibility. In addition, the notice must carry conspicuous headings such as "Notice of Data Breach," along with the name of the organization making the notification, the date range of the breach, the extent of the information obtained by cybercriminals or accidentally released, and any details about a delay in notification.

You must also be very clear about the specific steps you have taken to rectify the situation, provide remedy recommendations for victims, and explain how they can find out more about the incident.

Consequences of Noncompliance

Negligent failure to comply with the terms of the statute can lead to civil liability damages of up to $2,500 per violation, for a total of up to $500,000 per occurrence, with the damages set “irrespective of the amount of damages suffered by the consumer as a result of that violation.” Knowing and willful violations will likewise be subject to civil damages of up to $2,500 per violation, but there is no limit on the level of damages per occurrence for such violations.

In line with the state's strong stance against identity theft, all fines can be doubled in instances where a violation results in the identity theft of a consumer.

What You Can Do to Protect Your Business

Regardless of industry or size, businesses are increasingly vulnerable to cybercriminals who intend to steal personal information or lock up systems. In 2016, some of the largest brands in the world were hacked. What you may not know is that thousands of smaller businesses were also impacted by cybersecurity incidents. There are no safe spaces anywhere. Hackers seek to gain access to valuable information stored in company databases both on site and in the cloud.

While there’s no way to protect your business from all forms of cybercrime, there are some key ways to minimize your risk:

  • Educate employees on what causes a data breach and what they can do to avoid being victimized.
  • Audit and strengthen all IT controls.
  • Use data-loss prevention software.
  • Create and implement a disposal procedure for aging hardware.

Following these guidelines can reduce the chance that your organization will be infiltrated by criminal elements.

Understanding California's laws will help you stay within the current data-breach notification requirements. This is exceptionally important because the penalties for noncompliance are strict and costly, and there are further legal consequences when victims claim damages against your business for improper notification.

Need to Strengthen Your IT Security Perimeters?

Here at Intelligent Technical Solutions, we understand how to establish a system of compliance that will help your organization stay well-protected in the event of an attack. We can help to keep your business and data secure. Contact us today!