Mark Pribish

Data-breach alert laws vary by state

By Mark Pribish
Vice President and ID Theft Practice Leader

As I spoke on ID theft and data breaches at the National Small Business Association Phoenix conference last week and talked with business owners one-on-one, it was all too clear that most small businesses do not know or understand their obligations to notify customers or employees if an information breach occurs.

They most certainly didn't realize there are a dizzying 47 different data-breach notification laws currently in place.

Though small businesses are a sweet spot for ID-theft criminals, most small businesses do not have an information security and governance plan or a data-breach response plan in place.

While the White House is leading the charge in support of the "Personal Data Notification & Protection Act," which will create federal standards for a national breach notification law, small businesses still need to be better prepared today. The current 47 states' requirements regarding safeguarding customer and employee information also outline the notifications required in the event a breach occurs.

A new study released by Software Advice, a technology research and advisory company, found that small- to medium-sized businesses do not have a very good understanding of the current security breach notification laws.

Here are the key findings of the study:

  • Only 33 percent of SMB decision-makers surveyed are "very confident" they understand their state's data breach notification laws.
  • Less than half of survey respondents (49 percent) say their company already has a breach response plan in place.
  • The vast majority of decision-makers in the survey sample (82 percent) say that their business encrypts customers' personal information.

"Small employers comprise 99.7 percent of all employer firms in the U.S. One in two workers in the private workforce run or work for a small business, and one in four individuals in the total U.S. population is part of the small-business community," according to the NSBA 2013 Year-End Economic Report.

The NSBA report also shows a disturbing trend: Half of all small businesses today report they have been the victim of a cyberattack, up from 44 percent two years ago. "Among those who were targeted, 68 percent report being a cyber-victim more than just once," the report said.

The NSBA report also shows the onerous cost of a breach on small business. "In 2013, cyberattacks cost small businesses on average $8,699 per attack. Today, that number skyrocketed to $20,752 per attack. For those firms whose business banking accounts were hacked, the average losses were $19,948 today – up significantly from $6,927 in 2013," the report said.

So what can you do?

Whether your small business has one employee or 100 employees, create an information governance plan. Set up an information governance policy by recognizing the type of employee and customer data that you are collecting, storing and transferring.

Implement annual information security and training for all employees and constantly assess and test your organization's needs and requirements. Like a secret shopper, consider conducting a simulated cyberattack, as these can be very revealing as to gaps in your policies and procedures.

Finally, you should implement baseline safeguards and controls such as annual pre-employment screening – as the insider threat, including current and former employees, is a common theme of data-breach events affecting both small and large businesses.

Small business owners take note that it will be no small problem if your data is breached and you're unprepared.


To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.


Fake IRS Agents Target 366,000 in Massive Tax Scam

You know things are bad when even Treasury officials get hit with a tax scam.

Fake IRS agents have targeted more than 366,000 people with harassing phone calls demanding payments and threatening jail as part of a huge nationwide tax scam.

More than 3,000 people have fallen for the ruse, Timothy Camus, a Treasury deputy inspector general for tax administration, said Thursday. They have been duped out of a total of $15.5 million. People in every state have been targeted. "The number of complaints we have received about this scam make it the largest, most pervasive impersonation scam in the history of our agency," Camus told the Senate Finance Committee at a hearing. The scam is so widespread that investigators believe there is more than one group of perpetrators, including some overseas.

Camus said even he received a call from one of the scammers at his home on a Saturday. He said he had a stern message for the caller: "Your day will come." So far, Camus said, two people in Florida have been arrested. They were accused of being part of a scam that involved people in call centers in India contacting U.S. taxpayers and pretending to be IRS agents.

As part of the scam, fake IRS agents call taxpayers, claim they owe taxes, and demand payment using a prepaid debit card or a wire transfer. Those who refuse are threatened with arrest, deportation or loss of a business or driver's license, Camus said. The callers might even know the last four digits of the taxpayer's Social Security number, Camus said.

Reprinted with Permission of the Associated Press
