Your accountant has to keep current with continuing education and be certified. Attorneys have to keep current with continuing education and pass the bar. Even your hair stylist has to be licensed! But anyone can claim to be a computer expert and work on your most sensitive and critical data. They often are convinced they are experts – hint: most are more dangerous than doing nothing at all. But things are changing. If you own or manage a business, you need to take proactive steps to protect your data (and prove you are doing it) as the consequences just got a whole lot bigger.
Small and medium-sized organizations really haven’t had to worry too much about their computer systems or what their employees do. But if even a tiny bit of information gets out, whether through an employee, an accident or a hacker, new changes mean huge consequences. The changes involve Florida (and other states) enacting laws like FIPA, and credit card companies saying enough and going after firms over PCI issues. So what are FIPA and PCI?
Florida's Information Protection Act (FIPA)
FIPA is the Florida Information Protection Act. In short, this new law protects consumers’ personal information that is stored or handled by businesses. If your business touches ANY consumer’s personal data, this applies to you. Personal data includes things such as social security numbers, driver’s license numbers, credit/debit card numbers, medical information, policy numbers and even customer names! The law governs how businesses are required to protect this data and what they must do in the event the data is breached. Fines are up to $500,000 per breach.
FIPA is past due. Companies these days have SO much sensitive information, often aren’t aware of it, and are rarely protecting it securely. It doesn’t matter if it is an accident, if an employee does something, or if it’s a hacker. Symantec published a study that listed the top reasons employees believe it is acceptable to take corporate data, and the results were quite shocking. Consumers have spoken up and legislators have listened. If you don’t protect the data, you will pay.
Ask yourself: Do you know exactly WHAT data your firm stores or handles? Do you know EXACTLY how it is secured?
Payment Card Industry (PCI)
PCI compliance refers to the Payment Card Industry’s Data Security Standard. Long story short, if your firm does anything at all with credit cards, you need to be aware of this. PCI has been around for a long time, but two major changes are now in play that we expect will have a huge impact on small businesses in particular: (1) the credit card companies are aggressively increasing their pursuit and penalties in regards to PCI compliance, and (2) a HUGE change occurred on October 1 which could easily bankrupt firms.
We have seen a big surge in firms getting “that scary letter” asking them about their PCI compliance. Many firms think they just need a new firewall or maybe to answer a few questions; however, once you see this letter, know that they are not messing around. They will want a lot of details and will be asking you to sign your name to it. We suspect it won’t be long before every business that accepts credit cards has this experience.
As of October 1, anyone who accepts credit cards, does not use the new chip reader technology (rather than the swipe method), and has a credit card stolen will be liable for all of the charges. So imagine this scenario: a business has card numbers stolen from it over a period of months. Maybe it was an employee taking the data, a disposed-of computer that still had data on it, or an actual hacker attack. Unfortunately, these are all very common scenarios. Those credit cards are then used to purchase hundreds of thousands of dollars in merchandise. Once this is caught, and it can take months, it is traced back to the business, which is then expected to pay it ALL back if it didn’t use these new chip readers for every purchase. Can you imagine AMEX or VISA going after a firm for, say, $200,000?
What’s worse is that businesses really haven’t had to worry about this at all until now. If someone stole a ton of money, the credit card companies handled it. So most businesses have horrible data security. The consequences weren’t that bad. But now they are massive. The credit card companies have had enough of paying huge amounts out because businesses have been so lax with security. And the credit card firms have teams of lawyers to enforce that reimbursement. Not to mention the black eye to a firm’s reputation.
Ask yourself: Do you take any credit cards?
So what can I do? (Good news! Most is easy to improve.)
I think many firms would be surprised at just how much sensitive data they handle, on both customers and staff. Many think they have it secured, and yet it’s ripe for the picking. The good news is that with both FIPA and PCI there is a lot you can do easily that makes a big impact!
The two big things you can do easily and inexpensively that make a major impact now are: (1) educating yourself and (2) educating staff.
If you own or manage a business, the first step is educating yourself and you are off to a great start by simply reading this article! Then start asking yourself some questions. Grab a legal pad and ask yourself questions like: What data do we take? What do we store? How sensitive is it? Do we take credit cards? What do we keep on employees? Customers? How secure is all of this? How can I be sure? What is documented? Do we have plans in place should we get breached? Etc… Just asking yourself these things is a huge leg up.
The other part is educating your staff. It is uncanny how often we see the biggest, most costly breaches caused by the most basic employee blunder. You can have the security of Fort Knox but if someone hands the keys to the bad guys, all that security is worthless. And the bad guys know this. That is why they target the single biggest weakness in any system – people.
We can lecture staff to death on how to know if an email is legit, or on safety procedures, only to have them turn right around and step off of a cliff. But this is fixable! The tricks are lots of regular reminders and education, even basic security training. We recommend regular training combined with testing to see if the skills were actually acquired. It doesn’t have to be big, time-consuming or expensive. We recommend regular reminders in firm newsletters, or even just via email blasts, combined with an hour or two of training periodically.
We can really help in this area as it’s what we call “low hanging fruit” – you can make a lot of improvements very easily without much effort. If you have questions, we are happy to point you in the right direction and if you would like our help, we can definitely make things much better.
So businesses, particularly small and medium-sized businesses, have been dangerously lax with security. And who can blame them when the consequences have been so minimal? But now the public and the government have said “enough” and are putting their foot down. If you don’t keep your data secured, they are making sure no one else pays the price besides the firm that allowed it to happen.
Alan D. Crowetz, CEO of InfoStream, Inc.