If you work in the insurance industry, it can be easy to forget that small business owners aren’t always sure what types of cover they should have in place. Forbes, however, has put together a handy list of thirteen types of insurance essential for small business owners. Number eight on the list? Data breach cover. Any business that holds sensitive information about employees, clients or business operations on computers, which is just about every small business, should have this cover in place. Breaches can result in hefty fines and expensive lawsuits.
The Information Commissioner’s Office (ICO) has proposed a fine of £375k, its largest so far, for a patient privacy breach at Brighton and Sussex University Hospitals NHS Trust. The incident occurred when hard drives containing patient data were sold on eBay by the registered contractor hired to destroy them. The hard drives have been safely recovered, but the breach could still mean major consequences for the Trust.
The Trust is doing its best, however, to challenge the proposal, explaining that it was itself the victim of a crime, which it reported to the police as soon as it was alerted. But the ICO says it is still investigating whether the breach violated the Data Protection Act (DPA). The DPA’s seventh principle requires organisations to take appropriate technical and organisational measures against unauthorised processing and against accidental loss, destruction or damage of personal data, and the bar is higher for particularly sensitive data, such as medical records.
The question is whether hiring a trusted contractor to handle the material goes far enough to protect patient records. Under the DPA, handing data to a contractor does not transfer responsibility for it: the Trust remains the data controller and is expected to check that a processor actually does what the contract says, so whether the destruction was verified, rather than merely commissioned, is likely to matter. We’ll have to wait and see.
American shoe giant Zappos, owned by Amazon.com, recently suffered a major security breach which exposed the personal details, though not full credit card numbers, of as many as 24 million of its customers.
The good news is that Zappos was fairly well equipped to defend against and respond to such an attack. Full credit card details were kept on a separate server, and passwords were stored in cryptographically scrambled form rather than in plain text. And whilst some companies face a lot of bad press after a privacy breach, Zappos has been praised by many media publications for having a plan in place and responding so quickly. All customers who may have been affected have been emailed with details of the breach and asked to create a new password, and all Zappos staff have been asked to pitch in and respond to email queries submitted by customers.
But even if a company had all the right precautions in place and has handled the situation well, nothing can prevent the inevitable class action lawsuit. Although it is unlikely to succeed, as the plaintiffs will have trouble proving actual harm, Zappos will nonetheless be forced to defend itself in court. And there is some argument that the courts’ traditional reluctance to find in favour of plaintiffs in privacy breach cases may be changing. In this particular lawsuit, it will be argued that the customers are now more susceptible to phishing scams because the attackers have their email addresses. Whether that is a valid argument is yet to be decided.
Spain has jumped on the anti-piracy bandwagon and recently adopted an anti-internet-piracy law which could force internet service providers (ISPs) to shut down offending websites within ten days. The law is in response to a report which found that nearly 98% of music consumed in Spain is consumed illegally.
The so-called Sinde Law allows rights holders to report infringing websites to a newly created intellectual property commission, which will decide whether to take action against the websites or the ISPs which host them.
Those in the creative industries are pleased, but many internet activists, including bloggers and tech professionals, are protesting, saying the law infringes on freedom of expression. The same battle is raging across several other European countries, and in America the Stop Online Piracy Act (SOPA) is mired in controversy because it could require search engines, domain name registrars and ISPs to all play a part in taking down offending material. Firms such as Google and Twitter have spoken out against it, saying that the law is tantamount to censorship.
Just like fashion and cuisine, it turns out that in California certain types of class action lawsuit can also be in vogue. The Data Privacy Monitor reports that the latest is a series of lawsuits arising out of California’s 2003 “Shine the Light” law, which requires almost all businesses with 20 or more employees either to let customers opt out of having their personal information shared with third parties for direct marketing, or to disclose on request which categories of personal information the business shared for marketing purposes and with whom.
Because personal information can include everything from name and address to political party affiliation and bank details, most companies that deal with the public in any way will have to adhere to this law. If they don’t, they can be made to pay anywhere from $500 to $3,000 per violation. Naturally, plaintiff attorneys are now trawling the web looking for possible violators and pulling together vast cases accordingly, some asking for billions of dollars even without proof of actual damages.
What should you do if you do business in California? Learn how you can be “Shine the Light” compliant before it’s too late.
If you’ve used a credit card to pay at a Subway in the last couple of years, it turns out you may have paid more than you bargained for. Four Romanian hackers have recently been charged with stealing over 80,000 credit card details from 150 franchises of the American sandwich chain and, according to arstechnica.com, weak security is partly to blame.
Although Subway requires all its franchises to have point-to-point encryption and other necessary cyber security precautions in place, many of the franchises that were hacked were not following these rules. This left glaring gaps in their systems, which the hackers took advantage of with relatively unsophisticated methods. The Justice Department alleges that the hackers gained access by guessing uncomplicated or obvious passwords, such as “password”, and then installed readily available tools that logged card data as cards were swiped. That is exactly the attack point-to-point encryption is meant to defeat: when card data is encrypted inside the reader before it reaches the point-of-sale PC, a logger on that PC captures only ciphertext. Skipping it, and leaving a guessable password on a remotely reachable terminal, left the card data in the clear for anyone who could log in.
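The pattern described above (a run of failed logins against one account from one source, followed by a success) is cheap to detect in the terminal’s own authentication log. The following is an added example, not code from the indictment, from Subway or from any franchise: it parses constructed, hypothetical log lines for an imaginary point-of-sale host and flags a password-guessing run and the probable compromise that follows it. The log format, the host name and the threshold are assumptions for illustration; the logic applies to any log that records a timestamp, source address, account and outcome per login attempt.

```python
"""Detect password guessing against a point-of-sale host from login log lines.

Added example. The log format below is invented for illustration (it is not a
real POS product's format), and the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical POS host "pos-01": a guessing run
# from 203.0.113.7 against "admin" that eventually succeeds, then ordinary
# daytime activity by the store manager (one typo, then a normal login).
SAMPLE_LOG = """\
2011-12-01T02:14:03 pos-01 login user=admin src=203.0.113.7 result=FAIL
2011-12-01T02:14:05 pos-01 login user=admin src=203.0.113.7 result=FAIL
2011-12-01T02:14:08 pos-01 login user=admin src=203.0.113.7 result=FAIL
2011-12-01T02:14:10 pos-01 login user=admin src=203.0.113.7 result=FAIL
2011-12-01T02:14:13 pos-01 login user=admin src=203.0.113.7 result=FAIL
2011-12-01T02:14:15 pos-01 login user=admin src=203.0.113.7 result=OK
2011-12-01T09:30:00 pos-01 login user=manager src=192.168.1.20 result=OK
2011-12-01T09:31:12 pos-01 login user=manager src=192.168.1.20 result=FAIL
2011-12-01T09:31:20 pos-01 login user=manager src=192.168.1.20 result=OK
"""

FAIL_THRESHOLD = 5            # failures from one source against one account...
WINDOW = timedelta(minutes=10)  # ...within this sliding window raise an alert


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a login record."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "login":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:])
    return {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
        "host": parts[1],
        "user": fields["user"],
        "src": fields["src"],
        "ok": fields["result"] == "OK",
    }


def detect_guessing(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per (source, account) that hit `threshold` failures
    inside `window`. If that source later logs in successfully, the alert's
    "success" field records when: a guessed password is the likely cause."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["ok"]:
            if key in alerts and alerts[key]["success"] is None:
                alerts[key]["success"] = ev["ts"]
            failures[key] = []  # a success ends the current run of failures
            continue
        recent.append(ev["ts"])
        failures[key] = recent
        if len(recent) >= threshold and key not in alerts:
            alerts[key] = {"src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "success": None}
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG):
        verdict = "probable compromise" if a["success"] else "guessing in progress"
        print(f"{a['src']} -> {a['user']}: {a['failures']} failures, {verdict}")
```

On the sample log this raises a single alert for 203.0.113.7 against "admin" with the success recorded at 02:14:15, and nothing for the manager’s one mistyped password. In practice the threshold and window are tuned per site, and a success following an alert is the event worth paging on, since a guessable password has by then already been found.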
This type of attack is becoming more and more common, especially against small businesses. Following Sony’s breach, large companies are beginning to realise the importance of safeguarding themselves against hacking and privacy breaches, whilst smaller companies are taking a little longer to catch on. Partly, it’s because the risk, especially for small retailers and franchises such as this, seems remote, making it easy to cut corners.
Hackers, however, seem to be changing their tactics. This particular band of criminals allegedly stole from 50 other small retailers at the same time as Subway. Although the payoff from hacking a large company might appear greater, this type of attack is much easier and can slip under the radar for far longer. This is something small businesses everywhere should be considering now and in the future.