{"id":2557,"date":"2014-09-12T15:07:28","date_gmt":"2014-09-12T15:07:28","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2557"},"modified":"2019-11-15T07:12:58","modified_gmt":"2019-11-15T12:12:58","slug":"the-best-way-for-businesses-to-avoid-data-breach-fines","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/the-best-way-for-businesses-to-avoid-data-breach-fines\/2557\/","title":{"rendered":"The Best Way for Businesses to Avoid Data Breach Fines"},"content":{"rendered":"<p>Having your business bank account hijacked by cybercriminals could bankrupt your company, but that type of breach isn\u2019t really what law enforcement cares about. They are concerned with only one thing: how well you protect information which can \u201cuniquely identify\u201d other people or Personally Identifiable Information (PII). <\/p>\n<p>Both the European Union and the United States (at a Federal level) are attempting to unify breach reporting requirements. The EU wants their 28 member countries to have the same rules, and the US wants the requirements for each state to be unified. Currently, there are three US states that have no laws regarding breach reporting. 
<a href=\"http:\/\/www.ncsl.org\/research\/telecommunications-and-information-technology\/security-breach-notification-laws.aspx\" target=\"_blank\" rel=\"noopener nofollow\">Here you can see what the rules<\/a> are in the US, for your respective state.<\/p>\n<p>Once a unified breach law exists \u2013 and the EU is very rapidly moving toward this goal, with expectations it will be in place by the end of 2014 \u2013 what will compliance look like? How can we reduce our risk of being fined for non-compliance? Let\u2019s start with the basics of what breach law dictates:<\/p>\n<ul>\n<li>To whom the breach must be reported<\/li>\n<li>How soon it must be reported<\/li>\n<li>Remediation requirements \u2013 end-user education, credit protection service, etc.<\/li>\n<li>Penalties and fees:\n<ul>\n<li>For not reporting<\/li>\n<li>For damages \u2013 actual or potential<\/li>\n<li>For not having \u201ccompliant\u201d security in the first place<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>When it comes to assessing a fine, the effect could be quite painful. The EU is suggesting \u201cup to 2% of turnover\u201d (in the US, this term correlates to \u201cgross income\u201d) for failure to report. There is some good news for small and medium businesses: SMEs will not have as stringent reporting requirements as larger companies, nor will they be fined for the first \u201cnon-intentional compliance\u201d. 
However, given the often subjective nature of some breach language, as soon as you become aware of a breach involving PII, consult a lawyer to be sure you understand your obligations and options and in the meantime, consider outsourcing the safe-keeping of all PII.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/05\/06020341\/wide1.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-2562\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/05\/06020341\/wide1.png\" alt=\"wide\" width=\"1000\" height=\"656\"><\/a><\/p>\n<p>It\u2019s far more likely that you will escape brand damage if you can at least point to a seemingly reliable 3<sup>rd<\/sup> party as the one who was breached. Additionally, as long as you are reasonably diligent in terms of vetting the 3<sup>rd<\/sup> party company, compliance, remediation and fines may be their responsibility. <\/p>\n<p>If your business is part of a sector that is getting hit hard by breaches, it\u2019s not a bad idea to mention that you outsource the storage and protection of all PII. Even if it causes only a few hackers to bypass your company as a target, it will be worth it.<\/p>\n<p>Don\u2019t forget, employee information is also PII and such data should be accessible by very few people. 
<em>Every employee who has access to such data should also understand that PII should never exist \u2013 whether at rest or while moving across a network \u2013 outside of an encrypted state.<\/em> This means any media used to move PII or to back it up, such as a thumb drive, must be encrypted as well. (<a href=\"http:\/\/www.pcworld.com\/article\/2025462\/how-to-encrypt-almost-anything.html\" target=\"_blank\" rel=\"noopener nofollow\">Here you can learn more<\/a> about how to encrypt almost anything.)<\/p>\n<p>Admittedly, the US and EU aren\u2019t likely to begin enforcement of any new rules before 2016 (except selectively, in the case of very public breaches) so there\u2019s still time to plan. But do put \u201cPII management\u201d on your list of things to consider over the next year or you could end up exposing your business to some very expensive consequences.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having your business bank account hijacked by cybercriminals could bankrupt your company, but that type of breach isn\u2019t really what law enforcement cares about. 
They are concerned with only one thing: how well you protect certain information.<\/p>\n","protected":false},"author":392,"featured_media":15856,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[282,2183,314,189,2184,2173],"class_list":{"0":"post-2557","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-cybersecurity-for-businesses","11":"tag-data-breach","12":"tag-data-security","13":"tag-fines-for-data-breaches","14":"tag-pii"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/the-best-way-for-businesses-to-avoid-data-breach-fines\/2557\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/the-best-way-for-businesses-to-avoid-data-breach-fines\/2557\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/the-best-way-for-businesses-to-avoid-data-breach-fines\/2557\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cybersecurity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/392"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2557"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2557\/revisions"}],"predecessor-version":[{"id":30716,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2557\/revisions\/30716"}],"wp:featuredmedia":[{"embeddable":true,"href":
"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15856"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}