Companies doing business online just became a lot more vulnerable. Last September, amendments were made to the California Database Breach Act (Senate Bill 1386) through Senate Bill 46, which expanded the definition of what constitutes compromised personal information to include "a user name or email address, in combination with a password or security question and answer that would permit access to an online account."
What that means for any business that collects this type of information is that it's now liable to comply with the strict guidelines under the California Database Breach Act, including how the business notifies consumers about a data breach.
And this applies to companies outside of California, too -- because if you're doing business online, you need to assume there's a potential consumer in every state. Now, businesses need to evaluate how they're protecting what is likely the most common data website visitors give today: user name and password combinations.

SB 46: What it changed and how it can affect your business
Proponents of SB 46 successfully argued that in today's world, simple data such as username and password can lead to a more serious data breach. Because people often use the same combination of user names, passwords, security questions and email addresses for multiple accounts online, seemingly harmless credentials for one website could lead to fraud on other websites, bank account access and potentially, identity theft.
Companies that have been doing business online and collecting a person's name, credit or debit cards, social security number, driver's license or medical health information were accustomed to the existing data breach notification requirements.
What SB 46 did was institute the same obligations for websites that may only be storing email addresses and security questions. This can affect businesses that may simply have a membership aspect to their website, requiring a user to log in to gain access to content.
That means it's not just big e-commerce sites that are at risk for non-compliance. Smaller businesses with perhaps more modest websites and earnings are now open to the threat of data breaches and potential lawsuits.
And what's perhaps most concerning is the fact that large companies with rigorous security measures routinely face data breaches. Take some of the more high-profile examples like LinkedIn, Sony and Adobe -- not to mention the endless list of security breaches reported each month to the California Attorney General. These data breaches cost businesses millions of dollars each year.
While hacking may be the most common form of data breach, businesses are also liable if an electronic device belonging to an employee has been stolen and contains sensitive information -- so think laptops, tablets and smartphones.

How to prepare for a data breach
At Woodruff-Sawyer, we advise our clients to have a data breach response plan in place even if they've never had a breach. That means knowing exactly whom you'll consult with, what you'll do to remedy the issue and how you'll communicate the problem if a breach occurs.
First, perform a risk assessment of your company's practices, starting with the following questions:

What is the most likely source of a cyber-threat for us -- is it a competitor, rogue employee or criminal individual?
Who is responsible for cyber security at the company?
Has a cyber-risk assessment ever been done? Who did it?
What kind of data do we collect? How long do we store it?
Where is our data physically located?
What data cannot be restored once taken?
What data can take longer to recover?
What training do we currently provide our employees on password management, public Wi-Fi use and social media participation?