Is Your Business Ready For Rhode Island's New Cyber Security Law?


by Jay Madden

Attacks Hit Small Employers Big
According to a 2015 report from the Insurance Information Institute, cyber hacks increased by an estimated 27.5% from 2014 to 2015, with perpetrators coming from everywhere, from politically motivated criminals across the globe to local disgruntled employees.

While most people have heard about highly publicized attacks targeted at big companies like retailers and health insurers, large corporations aren’t the only ones at risk. Increasingly, small- to medium-sized businesses are the biggest targets. In fact, according to a recent Data Breach Investigations Report by Verizon, 72% of all attacks are now perpetrated on small businesses.

What makes these organizations most vulnerable?
• Lack of time and/or budget to implement adequate security solutions
• No dedicated IT staff
• Lack of awareness
• Belief that they’re too inconsequential, even though they often serve as “backdoors” for cyber criminals into larger and more extended systems
• Lack of proper employee training
• Failure to update technology systems, policies and procedures
• Outsourcing to unqualified vendors

The Growing Costs of the Growing Risk
Cybercrime costs the global economy an estimated $445 billion annually – a figure expected to reach $575 billion within the decade. Since all industries are prone to attack, every business – even small ones – risks significant expenses if a breach occurs, including:
• Legal liability to the injured individual or individuals
• Defense costs of regulatory actions resulting from a breach
• Fines and penalties due to a breach
• Loss of income and revenue
• Business continuity expenses and costs
• Destruction of electronic data and equipment
• Extortion and ransom threats
• Breach management expenses (including forensics, notification costs, credit monitoring)
• Brand and reputational damage
As a result of these unanticipated costs, according to the National Cyber Security Alliance, 60% of all small businesses are forced to close their doors within six months of a data breach.

RI’s New Legal Requirements
In response to the alarming increase and the serious nature of cybercrime, Rhode Island’s new Identity Theft Protection Act of 2015 requires that businesses, individuals, and state and municipal agencies who store, collect, process, maintain, acquire, use, own or license personal information – meaning a name combined with one other piece of identifying data such as a Social Security number, a driver’s license number or even an email address together with its required access code – take a number of actions to protect the data.

Specifically, those subject to the law must:
• Implement a risk-based information security program that contains reasonable security procedures and practices to protect the personal information from unauthorized access, use, modification, destruction or disclosure
• Implement a written document retention policy
• Secure written contracts with any third party to whom it discloses the personal information of Rhode Island residents ensuring that the third party has implemented and maintains reasonable security procedures and practices to protect the information
• Notify individuals if it suffers a data breach within forty-five (45) days of confirmation of the breach – one of the shortest notification periods among the various state data breach laws – and notify the Rhode Island Attorney General if the breach involves more than 500 individuals

Penalties for violation of the Act are equally onerous, potentially including a civil suit by the Attorney General and a $100 fine per record for reckless violation of the Act and $200 for knowing or willful violation – with no cap.

Steps to Compliance
To avoid the fallout of an attack and ensure compliance with Rhode Island’s new law, it’s critical that small businesses take several necessary steps to combat the growing threat of a breach. Consider the following actions to prepare:

• Involve all levels of the organization in creating or enhancing a written information security program to protect personal information that’s appropriate for the organization and the type of information it collects.
• Establish a policy for destroying personal information securely after a reasonable retention period, such as by shredding, pulverization, incineration, or erasure.
• Create a model form for a notice that meets the Act’s requirements in case a breach occurs. Provide fields that will allow your company to describe: (1) the incident, how it happened and the number of individuals impacted; (2) the type of information involved; (3) the date(s) of the breach; and (4) when it was discovered. Also include the remediation services that will be offered along with contact information, as well as how a consumer can file or obtain a police report, request a credit freeze, and any fees that consumer reporting agencies may require.

Insure For Added Protection
In addition to meeting the state’s legal requirements, small businesses can take additional steps to help prevent catastrophic losses from an attack by performing a threat assessment to understand their potential vulnerabilities. Once a company has a picture of its security exposures, it can transfer much of the risk with an insurance policy tailored to its specific business risks that can mitigate the costs and losses attributable to a cyber event. While many traditional insurance policies don’t offer adequate levels of protection or exclude these types of occurrences, in response to the growing threat many insurers now offer stand-alone cyber-specific policies. In fact, over sixty different insurance carriers now underwrite some form of cyber insurance that can cover:

• Legal liability (to the injured individual or individuals)
• Loss of income and revenue
• Defense costs of regulatory actions resulting from a breach
• Fines and penalties due to a breach
• Extortion and ransom threats
• Breach management expenses (including forensics, notification costs, credit monitoring)

As cybercrime continues to evolve, so will a small business’s risk. While Rhode Island’s new law is designed to protect consumers against the threat, companies need to take precautions to protect themselves, because their survival may very well depend on it.


About the Author: The Rhode Island Small Business Journal is a printed monthly magazine and an online resource for the aspiring and start-up entrepreneur and small business owner.
