Data Breaches Happen To Small Companies Too


Reports of major data breaches at large companies — Anthem, Home Depot and Target, to name a few — have flooded the news cycle over the past couple of years, along with stories of the lawsuits and significant business interruption that inevitably followed the breaches. But it is a mistake to assume that data breaches strike only large companies. The risk is present for every business. In fact, small businesses that cannot afford to spend millions of dollars on cybersecurity are often favored targets. The legal obligations for small businesses can be just as onerous and complex as they can for a Target, and the economic impact even more devastating. Yet, small businesses are often least prepared to handle a data breach. With that in mind, this article outlines some initial steps small businesses should take when they learn about a potential breach.

As an initial matter, cybercriminals do not just target large companies. Far from it. Cybercriminals seek opportunities of any size, and are often drawn to the “low-hanging fruit.” Small businesses, with often-outdated security measures, can present attractive targets. For example, small businesses hosting their own websites are at tremendous risk of experiencing a breach by a hacker. Lack of employee awareness or training also risks a breach. For example, a recent study from Verizon Communications Inc. found that sending phishing emails with tainted links or attachments to as few as 10 employees will give hackers access to a corporate network roughly 90 percent of the time. And even beyond threats from cybercriminals, small businesses (maybe even more than large companies) face risks from employees losing unsecured devices containing protected information (such as customer lists, employee information, etc.), which can be just as devastating as a network intrusion and trigger the same legal obligations.

The Identity Theft Resource Center, a nonprofit focused on identity theft issues, has already tracked 225 reported data breaches through mid-April 2015 — a staggering number that does not include the myriad intrusions that are undetected or unreported. Those breaches included attacks on numerous small businesses in a variety of industries, including:

Slack (a communications platform);
Direct Marketing Association (a marketing organization);
Nite Ize (a consumer products company);
Kraft Music LTD (a music supply company);
Perspectives.org (an online education website);
Bulk Reef Supply (an online aquarium supply store);
Greers Professional Fabricare Services (a Vermont dry cleaning company);
Dutch Bros. Coffee (a drive-through coffee chain);
and c3controls (an electrical controls manufacturer).

The diversity of the attacks teaches that no industry or company is immune.

Published by Law360 – Portfolio Media, Inc., April 23, 2015

For more information, contact Gavin Skok or James Wendell.
