By: Lisa Shorr
For several years, the media has had a field day reporting data breach after data breach. In turn, big corporations such as Target, Home Depot and Sony have scrambled to put a crisis communication plan in place, as well as dole out millions of dollars in restitution. Cybersecurity is not just a "big business" issue. We have seen several of our clients in the small-to-midsize business space innocently fall prey to a hacker.
Has your data been compromised?
In a reactive effort to protect the rights of Rhode Island residents, Gov. Gina M. Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 into law on June 26, 2015. The law requires businesses to take several measures to ensure the security of private information of Rhode Island residents. Included in this law was a one-year transition period for businesses to comply. That date was July 2, 2016, and still, most businesses are unaware that the law even exists.
So what are the highlights?
• If you are a Rhode Island employer, state agency or municipality, regardless of your size, you must implement a "Risk-Based Information Security Program" to safeguard your employees' or customers' private information. Check the law on RI.gov for more details.
• If a breach occurs in your company, you are required to alert the affected individuals within 45 days of discovering the breach.
• Before writing your risk-based plan, assess who it will apply to. A best practice is to take the time to clean your database of names of people no longer affiliated with your company. Then, write the plan. There are specific details that must go into the plan, including: access controls, the network and physical security in place to protect the information, and data retention and destruction plans, to name a few.
• Potential costly penalties: A reckless violation (a breach that occurs when you were unaware of the law) incurs a fine of $100 per record; a knowing and willful violation (you were aware of the risks and chose not to comply with the law or protect your data) can incur a fine of $200 per record.
• Notifying individuals: Along with notification within 45 days, your notification to impacted individuals must include the right to file a police report, instructions on how to freeze account information along with the associated fees, and contact information for reporting agencies and the attorney general's office.
• If a breach affects over 500 Rhode Island residents, the business is required to contact the attorney general's office.
A crucial component to consider for compliance is your technology requirements. Breathe easy if you can answer "yes" to the following questions. If not, it's time to talk to your IT provider.
• Data encryption: Are you sending documents via encrypted email? And, are your mobile devices encrypted, just in case one is lost or stolen?
• Firewall: Does your office have an actively managed and up-to-date firewall? And, is your IT vendor monitoring your firewall for breaches?
• Secure Wi-Fi: Is your Wi-Fi secured with a password? Does your wireless access point have a separate zone for guest access?
• Data backup and disaster recovery solutions: Do you have a backup system that is off-site, encrypted, monitored and tested daily?
• A written network security plan: Do you have a plan in place to secure your network? Are the steps written out to deal with a security breach?
Hacking is a multibillion-dollar criminal activity. The thought today should shift from, "Will a cyberattack ever happen to me?" to "When will it happen?"
You've worked so hard to build your corporate brand. Don't let a hacker and your indifference toward this law destroy it.
Lisa Shorr is vice president of marketing for Secure Future Tech Solutions in Warwick.