More than half of small U.S. businesses surveyed by the Ponemon Institute were found to have experienced at least one data breach in the entire span of their operations, but only a third notified customers of the situation.
"Smaller companies are targeted by data thieves, but they often don't know how to respond when sensitive information they keep on customers and employees is lost or stolen," says Eric Cernak, vice president for Hartford Steam Boiler, in a statement. "Failing to act in a timely and effective way can harm the reputation of businesses and even risk legal penalties in many states."
Cernak later told PC360, "The top three reasons why small businesses aren't reporting breaches are because many do not know that state laws regulating their disclosure exist, some companies erroneously think that the laws only apply past a threshold of amount of data stolen, and they may believe that if they don't report the incident, no one will find out."
He continued, "If you provide notification services to the people affected and maintain a good reputation with those folks, more often than not, the state attorney general is not going to come knocking on your door unless you're a repeat offender."
The Ponemon Institute, an independent organization that researches information security, studied data breaches of companies with revenues below $10 million on behalf of The Hartford Steam Boiler Inspection and Insurance Company (HSB), part of Munich Re.
Of the organizations surveyed, 55 percent experienced one breach incident involving electronic records and 53 percent experienced multiple breaches. Only 33 percent overall complied with the 46 state laws requiring that individuals be contacted when their data is exposed.
The primary causes of data breach are mistakes made by employees or contractors, such as the improper disposal of information; information obtained on lost or stolen laptops, smartphones and storage media like USBs; and procedural or programming mistakes. Only eight percent of cases involving data exposure did not lead to stolen information.
To lower these exposures, Cernak recommends that companies develop a document retention and destruction policy categorizing the sensitivity of data and its storage method, how long it must be kept, and how to safely dispose of it — which doesn't entail throwing a paper document into a trash can.
"Start with where your hard copy and electronic data is, and then protect it," recommends Cernak. "Many companies have virus software but fail to update it. You can also purchase an inexpensive router with a built-in firewall, keep a small list of employees who may access customers' personally identifying information (PII), and don't leave documents lying around on the reception desk, which is another common mistake made by small businesses."
The threat also lies in outsourced data: at least 85 percent of the survey respondents share customer and employee records with third parties who are responsible for website hosting, payroll, IT operations and cloud services, but 62 percent do not have contracts requiring the other company to cover the costs associated with a breach of outsourced information.
The majority of respondents shared more than 1,000 customer records and more than 50 employee records per month, including customer account data and financial business information.
Seventy percent of small business owners, reports the study, would purchase insurance to help pay for the costs of data breach.