Data Breach Planning for Small Businesses

Many of the top stories last year related to data breach – from the Target breach during the Christmas shopping season (Dec. 2013: Prior Post, Small Business Magazine article; additional news coverage) to the UPS Store data breach during the summer (Aug. 21, 2014) to, more recently, the intentional hacking of Sony Pictures’ servers (Nov. 24, 2014) and Staples’ data breach (Dec. 19, 2014).

It would be easy to believe that data security breaches happen only to large organizations, but such a belief would be mistaken. In the last year, a number of smaller companies have experienced breaches of the records they maintain. These can occur in at least two ways – 1) they may be the third-party vendor through whom hackers invade a larger company like Target or Home Depot; or 2) they use a third-party vendor who experiences a breach that impacts the smaller company’s customers.

Using Small Businesses as Door Opener

In the case of Target, for instance, the initial open door to Target’s point-of-sale system came through a third-party vendor – an HVAC company that had legitimate access to Target’s systems for purposes of billing, contract submission and project management. Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” Bloomberg Business Week, Mar. 13, 2014.

The hackers used stolen login credentials from this HVAC company to gain access to Target’s systems. The end result? More than 40 million credit card numbers were breached, and over 70 million records containing personally identifiable information (“PII”) were stolen. Sara Germano, Robin Sidel and Danny Yadron, “Target Faces Backlash After 20-Day Security Breach,” Wall Street Journal, Dec. 19, 2015 (subscription may be required).

This breach occurred despite Target’s investment in a $1.6 million security system. See Riley Article.

A similar breach – using stolen passwords from a third-party vendor that provided services to Home Depot – happened in November 2014 and resulted in information about more than 50 million of Home Depot’s customer accounts being breached. Ben DiPietro, “Retailer Breaches Put Spotlight on Vendor Contracts,” Wall Street Journal Risk & Compliance Blog, Nov. 12, 2014.

Breaches Affecting Small Business’s Customers Because of a Vendor’s Breach

More locally, in September of 2014, local news reported that more than two dozen restaurants in the Bucks County area were hacked through their use of a common payment card system. Many of these restaurants were of the hoagie/sandwich shop size.

Most Common Sources of Data Breach

According to a recent study by the Ponemon Institute, the most common “root causes” of data breach are (some of these may overlap):

  • Malware – 44%
  • Trusted insider (inadvertent) – 30%
  • Hacker – 27%
  • SQL Injection – 26%
  • Password compromise – 24%
  • Targeted attack – 19%
  • Trusted insider (malicious) – 15%
  • Lost, stolen or hijacked device – 12%

Ponemon Institute Research Report, “2014: A Year of Mega Breaches,” at 11, Jan. 21, 2015.

Lessons Learned Moving into 2015

The lesson here is NOT to ignore the potential for data breach based on an assumption that your company is too small for it to happen to you. Indeed, sometimes small companies have the “keys to the kingdom” to allow a malicious actor to gain access to a larger pool of data – and the smaller company may not have a large budget for data security.

However, it is critical to start planning for the possibility:

1) Develop an incident response plan that is appropriate for your business. Cover both paper and electronic data in your plan – loss of either can constitute a “breach” depending upon the specific law that applies. Involve key stakeholders in your planning.

2) Examine how you use data and where they are stored. Ask a key question: Do you need to keep those data? If not, destroy them securely (some states have data destruction laws with which you need to comply – see prior post). Do not hold onto sensitive data “just in case” you may need it later – data you do not need can only add to your exposure if a breach occurs.

3) Work with your IT department (or outside consultant) to ensure that your internal systems do not permit outsiders to gain unauthorized access, and lock them down if they do.

4) Work with your attorney to put any protective policies into place (such as incident response plans, BYOD or document retention policies) to make sure your procedures match your expectations.
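Step 2 above (find out where sensitive data sit and whether they are past their useful life) is the one a small business can start on with a simple tool. The following is an added example, not code from the original post or from any of the companies it mentions: it walks a directory tree, flags files containing card-number-like strings (checked with the Luhn checksum so order numbers and tracking codes are not counted) or SSN-like strings, and marks files older than a retention period as candidates for review. The sample directory, its contents, the test card numbers and the 365-day retention period are all constructed for illustration. The script reports only; it deletes nothing.

```python
"""Data-minimization inventory (added example, not from the original post).

Walks a directory tree, reports files that hold card-number-like or SSN-like
strings, and flags those older than the retention period for disposal review.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common dashed form (illustrative pattern only).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SECONDS_PER_DAY = 86400


@dataclass
class Finding:
    path: str
    cards: int       # Luhn-valid card-like numbers found
    ssns: int        # SSN-like strings found
    age_days: int    # days since the file was last modified
    stale: bool      # older than the retention period: review for secure disposal


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_sensitive(text: str) -> Tuple[int, int]:
    """Count Luhn-valid card numbers and SSN-like strings in a block of text."""
    cards = 0
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            cards += 1
    return cards, len(SSN_RE.findall(text))


def scan_tree(root: str, retention_days: int = 365, now: Optional[float] = None) -> List[Finding]:
    """Inventory files under root that contain sensitive-looking data."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    cards, ssns = count_sensitive(fh.read())
            except OSError:
                continue  # unreadable file: skip, a real tool would log it
            if cards == 0 and ssns == 0:
                continue
            age_days = int((now - os.path.getmtime(path)) / SECONDS_PER_DAY)
            findings.append(Finding(path, cards, ssns, age_days, age_days > retention_days))
    findings.sort(key=lambda f: f.path)
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample directory so the example runs offline."""
    root = tempfile.mkdtemp(prefix="pii-inventory-")
    three_years_ago = time.time() - 3 * 365 * SECONDS_PER_DAY
    samples = {
        # old export still holding a (test) card number: Luhn-valid and stale
        "archive/orders_2011.csv": ("id,card\n1,4111111111111111\n", three_years_ago),
        # current invoice with a spaced test card number: valid, within retention
        "invoices/2015-01.txt": ("Paid with 4012 8888 8888 1881\n", None),
        # old HR note with a constructed SSN-like value: stale
        "hr/notes.txt": ("Applicant SSN 123-45-6789\n", three_years_ago),
        # 16 digits that fail Luhn: a tracking number, not a card, so no finding
        "misc/tracking.txt": ("Tracking 1234567890123456\n", None),
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


def demo() -> List[Tuple[str, int, int, bool]]:
    """Scan the constructed tree and return (relative path, cards, ssns, stale) rows."""
    root = build_sample_tree()
    rows = []
    for f in scan_tree(root, retention_days=365):
        rel = os.path.relpath(f.path, root).replace(os.sep, "/")
        rows.append((rel, f.cards, f.ssns, f.stale))
        status = "STALE: review for secure disposal" if f.stale else "within retention"
        print(f"{rel}: {f.cards} card(s), {f.ssns} SSN(s), {f.age_days} days old, {status}")
    return rows


if __name__ == "__main__":
    demo()
```

Run it as-is and it prints three findings: the old order export and the old HR note are flagged as stale, the current invoice is within retention, and the tracking number is correctly ignored. The script stops at reporting on purpose: what "destroy securely" means depends on the storage (overwriting in place is not reliable on SSDs or journaling filesystems) and on the state law that applies, so disposal should follow the written destruction procedure from step 4 rather than an ad hoc delete.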

Most importantly, it’s not “if” a breach will occur – it’s when, and how bad it will be. Prepare now, and perhaps you can reduce the impact.