Terry Corbell, The Biz Coach
By Terry Corbell
Business Consultant

Don’t Wait for Cyber Security Law to Affect Your Business

A data-breach bill that is not likely to pass has been re-introduced in the U.S. Senate. It would regulate how businesses behave after a breach, requiring them to inform customers when their personal information has been stolen.

Passage or not, businesses should act on their own. It’s the right thing to do.

The “Data Security and Breach Notification Act of 2012” died in committee and was re-introduced as S. 1193 in June 2013, but it has stalled.

Businesses would have to tell victims the date of the security breach, what personal information was stolen, and how to contact the breached company for more information.

The bill covers driver’s license numbers, financial account information including credit and debit cards, and security codes. The penalty would be fines of as much as $500,000.

On behalf of himself and four other senators, Sen. Pat Toomey (R-Pa.) introduced the bill.

Headlines about cyber crime appear daily, such as: “Senate Committee Approves Data Breach Bills Despite Heavy Opposition.”

Other data security and privacy bills were passed in the Senate Judiciary Committee in the face of vehement opposition from Republican members.

The proponents’ goal in Congress is to require companies and federal agencies to protect consumer data, and to pass a national-notification law for data-breach reporting.

Currently, there are a myriad of state laws controlling what businesses must do if their data is breached. Each state has its own requirements. Those laws would take a backseat to any federal law, unless the individual state laws require particular protections and programs to help victims.

Incredibly, Sen. Chuck Grassley (R-Iowa) maintained such an umbrella federal law would be overkill, and would unfairly burden small businesses. Even as a business-performance consultant for small to medium-size companies, I differ.

No one wants to see small businesses hampered, but accepting this obligation is the price of benefiting from such commerce. The right thing to do is to take proper precautions, and to communicate with customers if there’s any evidence of a data breach. And I’d want to consider the potential damage to a company’s reputation. Being lax in security is not acceptable. It’s a sales-opportunity cost.

Global headache

About 1.2 billion Internet usernames and passwords from hundreds of thousands of Web sites and 500,000 e-mail addresses were stolen by a Russian crime syndicate in 2014. (See Security Needs Update after Russian Hackers Steal 1.2 Billion Passwords.) 

As noted here before, cyber crime is a widespread nightmare, including medical breaches: Why Many Healthcare Workers Are Responsible for Alarming Trend: Medical ID Theft.

Indeed, consider another 2011 breach – the major breach of Tricare’s patient data by a vendor, Science Applications International Corp. Unencrypted backup tapes were lost, containing the medical records of some 4.9 million military-personnel patients covering the last 19 years. The data included addresses, Social Security numbers, telephone numbers and more.

What? The company failed to encrypt the data?

Astonishingly, the vendor claims the risks are minimal because reading the tapes would require additional insider information about the company’s software and hardware. I question such an assertion, too.

“A security breach is like a heart attack or stroke,” warns a nationally known cyber security expert, Stan Stahl, Ph.D.

“It’s often the things you do first that determine whether the patient lives or dies,” he says. “Doing these right things first depends on management having a clear understanding of the implications of their choices along with the information they need to choose between alternatives.”

He offers an example: “Do we put this server back into production right away because our people need to work on it or do we first preserve any evidence it might contain?” he asks.

He quotes President Dwight Eisenhower: “When going into battle, planning is essential but plans are worthless.”

Obviously, common sense is warranted.

While the Senate again debates this vital issue, it’s important to take precautions:

  1. Be mindful of your state’s legal requirements.
  2. Make certain you’re using the latest security measures.
  3. Be prepared with a response strategy in the event of a breach.
  4. Tell your customers what you’re doing to solve the issue, and give them ample opportunity to get in touch with your company.

That’s the right thing to do.

Dr. Stahl’s links:

From the Coach’s Corner, there are countless cyber-security tips in this portal’s Tech section, including:

Security Precautions to Take Following Citibank’s Second Reported Online Breach — Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps. The bank’s May 2011 security breach wasn’t reported until weeks later.

BYOD, Mobile-Banking Warnings about Security Prove Prophetic — Not to be gauche, but in 2009 you saw the Internet security warning here first – mobile banking is so risky an IT security guru said don’t do it. The warning was prophetic.

“All violations of essential privacy are brutalizing.”

 -Katharine Fullerton Gerould


 __________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.

Photo courtesy of pat138241 at www.freedigitalphotos.net

Seattle business consultant Terry Corbell provides high-performance management services and strategies.