SC Magazine reports on a survey of 180 small-business owners who were asked about their knowledge of state data breach laws. The results were lukewarm, showing…
- 33 percent were very confident in their understanding of the laws.
- 34 percent were only moderately confident.
- 14 percent were not confident at all.
This mixed bag of results shouldn't be too surprising. While there's a lot of worry about data breaches, there's still a lot of ignorance about data breach laws and InfoSec best practices.
How Much Do Your Clients Really Know about Data Breach Laws?
Should we be encouraged that one-third of respondents were "very confident" in their knowledge about data breach laws? Well, not exactly.
Experts warn that small-business owners might be overstating their expertise. In reality, data breach laws are more complicated than many business owners realize. State breach notification laws generally apply based on where the affected individuals live, not where the business is located. Because small businesses probably have customers in a variety of states, they'd need to know the laws for each of those states as well.
In fact, the same article points out that a majority of businesses still don't have a data breach response plan. Clients may think they're fulfilling their obligations to protect private data, but in reality, most are still behind the curve.
Risky Business: Overestimating the Security of Data
Let's say your client thinks their data security is "good enough," and they're "pretty sure" they know their data breach laws. How do you convince them to get serious and invest more resources in security?
- Help them understand that data breach laws aren't that simple. Data breach laws aren't really designed to protect companies. They set out baseline requirements (such as when and how customers must be notified of a breach) while still leaving room for customers and state authorities to sue companies that are careless with their data. Bluntly, data breach laws are the bare minimum requirement. No law could spell out robust, up-to-date data security requirements because technology changes too quickly.
- Show them that data breach laws change all the time. In the wake of recent data breaches, we've seen data breach laws updated regularly. It's particularly important to keep track of how certain types of data require special protections. As we reported in "CA Data Breach Laws Shake Up IT Contractor Liabilities," California increased its security requirements for minors' data and imposed new restrictions on e-learning companies that hold student data. Being unaware of these small changes could lead to accidental violations of state data breach laws.
- Emphasize that security requires constant vigilance. Data breach experts often warn that "perimeter defense" such as firewalls and anti-malware software gives companies a false sense of security. Top-flight IT can't prevent all data breaches, simply because so many are caused by employee mistakes and lackadaisical security habits. Data security is as much about encouraging good habits and training employees to use their computers securely as it is about investing in the best anti-malware or exfiltration-spotting software.
To help you teach your clients more about data security, TechInsurance has put together a free customer education kit that explains state data breach laws. We keep this resource updated. As states pass new data breach legislation, we'll explain how any changes affect you and your clients.