Three Steps Can Limit Hacker Damage

<p><strong>Charlotte, N.C. &mdash; July 10</strong></p>
<p>Every small-business owner fears a late-night call from the police, saying someone has broken into his company.</p>
<p>Today, there's another reason for sleepless nights: a call from the IT department, saying someone has hacked into the company's computer system.</p>
<p>As a growing number of businesses keep sensitive personal information, it's no wonder that more owners find themselves on the receiving end of this bad news, wondering, "What do I have to do now?"</p>
<p>Or, more accurately, "Do I have to tell my customers about this?"</p>
<p>From a legal perspective, the answer comes from a blend of federal action and inaction and an ever-changing array of state laws.</p>
<p>To date, only companies in particularly sensitive industries (such as banks, hospitals and universities) are required by Congress to take specific actions following a potential network-security breach.</p>
<p>Other industries aren't completely off the hook, however. As part of its mission to protect against unfair practices, the Federal Trade Commission (FTC) has filed complaints based on companies' failures to follow advertised security policies and to employ reasonable measures protecting customer information.</p>
<p>Businesses that come under fire from the FTC can face millions of dollars in fines.</p>
<p>Because the agency concentrates on large companies and high-profile cases, the typical business owner must find guidance from a batch of state laws enacted within the last five years.</p>
<p>At least 32 states have laws regarding unauthorized access to computer data. All but two of those laws apply to nearly any company that conducts business in the state or stores customer data electronically.</p>
<p>A Delaware corporation headquartered in North Carolina that suspects someone hacked into its Idaho data center and compromised customer data nationwide might face legal action in all those jurisdictions.</p>
<p>In all states with laws on the books, notice to affected customers is required if a resident's unencrypted information was clearly and dangerously compromised.</p>
<p>Some states go further, however, and also require notice to customers who might have been affected. Other states require notice to their agencies or to credit agencies regarding an incident.</p>
<p>In a few states, the likelihood and potential severity of harm are factors in determining whether notice is required. But the laws in many other states do not even consider those issues.</p>
<p>The shock of a business owner concerning a breach might only be compounded by this dizzying array of state laws, duties and standards.</p>
<p>For any business at risk of facing such a situation, the guidance of the federal and state laws can be broken down into three simple pieces of advice:</p>
<ul>
<li><strong>Encrypt</strong>: All state laws cover only the unauthorized release of unencrypted personal information. Similarly, FTC actions frequently cite businesses for failing to encrypt. A company that takes care to encrypt customer data before an incident occurs can avoid a lot of headaches if someone ever gains access to its computer network.</li>
<li><strong>Investigate</strong>: That advice might seem simple, but when faced with so many legal and technical complexities, wishful thinking and willful blindness can be appealing. At least six states require an investigation into the security of customer information when there has been any unauthorized access to computer networks. On the other hand, in at least seven other states, no notice to customers is required if a reasonable investigation shows that misuse of the information or harm to consumers isn't likely. An investigation is not only prudent but also might be required or might provide an affected business with a legal safe harbor from the need to inform its customers of the problem.</li>
<li><strong>Inform</strong>: Initially, that means informing the police, which might not only assist with limiting the scope of the data release but also can assist with the reasonable determination that notice to customers is not required. Even if notice to customers eventually might be needed, law-enforcement officials can also delay this step if they think it will hinder their investigation, thereby giving the company more time to craft its damage-control strategy. If the unauthorized access ultimately proves real and dangerous, businesses must accept when it is time to notify the affected customers. Otherwise, the next ominous phone call may be from a state attorney general or the FTC, and the nightmare will only continue.</li>
</ul>
