The internet has been a game changer for small businesses, allowing them to reach new markets, hire nonlocal talent, and compete with larger companies. Not having an online presence where customers can discover and interact with your business is now almost unthinkable. You may also have remote team members and vendor partners that are vital to your success.
But the power and convenience of the internet are not without downsides for businesses. Small businesses are vulnerable to cyberattacks, and failure to defend against an attack could cost you everything.
American Small Businesses Are Experiencing a Wave of Cyber Crime
Data is the lifeblood of both large and small businesses. The more information you have about your customers and operations, the more you can improve the customer experience, develop better products and services, and improve efficiency.
The data businesses maintain, however, is also valuable to online thieves. Cybercriminals traffic in personal information. Hackers who steal user data sell it to other criminals who use it to perpetrate identity theft, launch bot and spam campaigns, and engage in other illegal activities.
Prices for stolen data sold on the dark web range from around $35 to $75 for a hacked social media account, $25 to $250 for stolen credit card and banking information, and $50 to $100 for a Social Security number. Hackers have a tremendous incentive to steal data in bulk. This leads them to target businesses that hold the personal information of many individuals.
In 2021, the FBI Internet Crime Complaint Center received nearly 850,000 complaints about cyberattacks and malicious cyber activity. Most of the victims were small businesses.
More than 40 percent of all cyberattacks are against small businesses, which often make attractive targets because they lack the cybersecurity infrastructure of larger businesses. The smaller the business, the more vulnerable it may be due to resource constraints that prevent hiring security professionals.
Cybersecurity Laws for US Businesses
The law struggles to keep pace with technological change. Nowhere is this more apparent than in the patchwork of laws that govern data privacy in the United States.
Unlike Europe, where the landmark General Data Protection Regulation (GDPR) took effect in 2018, the United States lacks a comprehensive federal data privacy law. Instead, it has largely left the matter of data security to the states, although several federal laws protect specific types of data. These include the Health Insurance Portability and Accountability Act (HIPAA), whose Security Rule requires administrative, physical, and technical safeguards for electronic protected health information. The following federal laws may also affect a company’s cybersecurity policies and practices:
- Gramm-Leach-Bliley Act (GLBA) (consumer financial data; its Safeguards Rule requires covered financial institutions to maintain an information security program)
- Fair Credit Reporting Act (FCRA) (personal information in consumer credit reports)
- Children’s Online Privacy Protection Act (COPPA) (personal information collected online from children under age thirteen)
- Telephone Records and Privacy Protection Act
- Cable Communications Policy Act
- Video Privacy Protection Act
Currently, nine states (California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia) have enacted comprehensive data privacy legislation. These laws give consumers rights and impose obligations on businesses. They overlap significantly but also differ in important ways. For example, California’s privacy law, which lets consumers sue businesses directly when certain categories of their personal information are exposed in a data breach caused by a failure to maintain reasonable security, is considered one of the most consumer-friendly of the state privacy laws passed to date.
In addition to comprehensive state privacy laws, there are laws that regulate certain aspects of cybersecurity, such as data breaches. All fifty states and the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have data breach laws that protect consumers. These laws generally empower those states’ or territories’ attorneys general to impose penalties and fines on companies that violate data breach requirements.
Importantly, not all cybersecurity laws apply to all businesses. Data privacy laws typically set thresholds based on company size, annual revenue, and the volume or type of personal data handled, and a business must meet those thresholds before the law’s obligations apply to it.
Cybersecurity best practices (for example, building data protection into systems by design and by default rather than adding it afterward) go a long way toward building a modern security and privacy program. Information about best practices is available from the US Small Business Administration, the FTC, and the Cybersecurity & Infrastructure Security Agency.
Many Small Businesses Are Lax about Security despite Data Breach Costs
Cybercrime takes many forms, including malware (such as viruses, ransomware, and spyware) and phishing. While some criminals may be out to steal state secrets or sow digital chaos, most are interested in the monetary value of stolen data.
Data breaches, whether they result from compromised email credentials or an exploited software vulnerability, are very costly to businesses. Data breach costs primarily take the form of lost business, including increased customer turnover, lost revenue from system downtime, and the higher cost of acquiring new business due to reputational harm. Costs are also incurred when investigating and responding to data breaches. Companies that fail to secure customer data can face fines, penalties, and lawsuits.
These costs may end up being more than a major inconvenience. They could ultimately doom a business. A widely cited estimate holds that 60 percent of small businesses that suffer a data breach close their doors permanently within six months.
The top reasons cited for not implementing stronger security measures were a lack of resources and a knowledge gap regarding the complexity of cybersecurity. Bigger companies are more likely to report having a chief information security officer and internal staff responsible for planning, overseeing, and executing cybersecurity policy. Smaller businesses are more likely to outsource cybersecurity efforts.
Businesses that do not have a plan to prevent cybercrime are courting disaster. You would not leave a physical business unlocked and unsecured. Your online business should be no different. Leaving your systems unsecured is practically inviting cybercriminals to break into them.
A basic cybersecurity plan starts with assessing your operations, identifying vulnerabilities, and understanding applicable cybersecurity laws. From there, you can create a cybersecurity and data privacy action plan tailored to your business needs.
Remember that cybersecurity is about more than checking legal compliance boxes. Cybersecurity should be integrated into every aspect of business planning, practices, and operations. Only by taking a proactive, comprehensive approach to digital security can you hope to stay one step ahead of cybercriminals.
Davis Law Group Can Help
If taking on full-time cybersecurity staff is beyond your current budget, outsourcing can be a way to strategically address security gaps. We can be part of your cybersecurity team by helping you identify gaps and address compliance issues. To talk with our attorneys about the legal issues related to your cybersecurity concerns, please contact us to set up a virtual or in-person meeting.