Anthem's Big Security Breach: 3 Lessons for Small Business Owners
Anthem Blue Cross, the nation's second-largest health insurance company, announced Thursday that a hack into its systems may have exposed the records of up to 80 million customers. This breach included Social Security numbers, addresses, and health care information, but no credit card numbers (which is really immaterial, with all that other information).
Small businesses, just as much as large businesses, need to take steps to ensure the security of customer data. Here's what business owners need to know:
1. Encrypt Your Data! Geez!
Incredible as it may seem, The Wall Street Journal reported that Anthem didn't encrypt any of its data. Oh, sure, it encrypted data that left the company, but when it was stored internally, it was apparently secured only by passwords -- which didn't work so well, given that hackers were able to steal 80 million records with a single compromised password.
Hopefully we don't have to say that these are some pretty poor security practices. Data should be protected with multiple layers of security, including passwords, but also including encryption. Data access should be tiered so that employees are given access only to what they absolutely need to do their jobs.
2. It Can Happen to You, Even If You're a Small Company.
Anthem might be great bait because it has lots of juicy information, but small businesses are just as much at risk for security breaches -- in fact, possibly more so, as a hacker could infer that small businesses have weaker security and poorer security practices than large companies. (Businesses that aren't publicly traded don't, for example, have to engage in onerous Sarbanes-Oxley compliance.)
If you store any sensitive data at all, whether it's names and addresses or credit card numbers, you should take steps to ensure that the data are secure. There's no "flying under the radar" here; hackers don't have the same economy of space and time that, say, bank robbers do. A hacker can send out millions of virus-infested emails with a single click.
3. You Can Be Held Liable for a Data Breach.
Failing to adhere to industry standards when it comes to securing digital information could make your business liable in the event there's a data breach. As the Target and Home Depot episodes (among others) have demonstrated, "Gee whiz, I'm real sorry" isn't going to cut it -- and those companies are paying for it.
Even a simple negligence cause of action could potentially apply. Negligence means failing to act as a reasonable person would, and if a jury finds that a reasonable person would have used stronger security measures, but you didn't, then you could be on the hook for the damages.
The moral of the Anthem hack story? Now's a good time to conduct a security audit to make sure your data are as secure as possible.
Follow FindLaw for Consumers on Google+.
Related Resources:
- The Small-Business Owner's Guide to Secure E-Mail (Entrepreneur)
- After Sony Hack, 3 Things Businesses Are Doing Differently (FindLaw's Free Enterprise)
- Target Sued Over Customer Data Breach (FindLaw's Injured)
- Home Depot Data Breach: 56M Payment Cards May Be Affected (FindLaw's Free Enterprise)