New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems.
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts.  If you are looking for a do-it-yourself placer to start, try the U.S. Chamber of Commerce.  The Chamber offers a great resource entitled“Common Sense Guide to Cyber Security for Small Businesses.” It’s a 12 step plan to increase cyber security. Here are some highlights:

·         Use strong passwords and change them regularly

·         Watch for strange email attachments

·         Install computer security software and network security

·         Keep software updated

·         Limit access to sensitive and confidential data

·         Establish and follow security plan

·         Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one size fits all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss. 

 

Do Not Count On Beating Goliath: Implement A Management Plan To Avoid Software Licensing Problems

This month’s business technology tip arises from the recent David v. Goliath story reported on by Douglas Malan of the Connecticut Law Tribune.  Kent Johnson, the owner of a small computer repair shop in Connecticut was sued by the software Goliath Microsoft for allegedly selling one improperly licensed version of Microsoft Office. Microsoft put 15 people on the case and sued Mr. Johnson in federal court for copyright infringement.  

Mr. Johnson represented himself against Microsoft and reportedly reached a favorable settlement.   Mr. Johnson has a website that provides all the details of the case form the very beginning.   As much as Mr. Johnson’s apparent success against Microsoft was unusual, the notion of Microsoft going after business owners for copyright infringement is not. 

Microsoft, and other software publishers, might pursue an infringement case directly or through enforcement groups such as the Business Software Alliance (BSA) and the Software & Information Industry Association (SSIA).  These groups estimate that piracy costs software publishers seven billion dollars annually.

When you purchase software for your business, the software comes with a license that restricts your use of the software.  If you violate the restrictions in the license by copying or distribution, software publishers consider it piracy.  For example, typically you cannot install a software program for several users on multiple computers without purchasing additional licenses.  Also, you generally cannot install a program on a network server and let multiple users have access to it without the proper number of licenses.

Violation of a software license or copyright can implicate significant civil (and potential criminal penalties) in piracy cases.  Penalties can range up to $150,000 per offense for copyright infringement and there may be additional damages for lost profits. Many of these cases result in significant financial settlements in favor of the software publisher. 

You might be wondering how Microsoft finds out about a small company violating its software license.   Typically, an anonymous informant (an employee or IT consultant) reports the company to the software publisher, BSA, or SSIA in hopes of recovering a reward.  These groups openly advertise rewards of up to a million dollars for anonymous tips that lead to successful enforcement  actions. 

Many times businesses can inadvertently run afoul of licensing restrictions without realizing it.  Violations can occur when trying to cut costs, relying on bad advice from IT professionals,  or an employee’s improper downloading of software.  When groups like the BSA become aware of allegations of software piracy, they usually issue a software audit letter to the business or initiate a lawsuit in federal court.  The BSA will request proof of proper licensing from the business.

After receiving an audit letter a business will have to decide to either fight it in court or cooperate.  Facing Microsoft or the BSA in court can be risky financially and many businesses chose to cooperate.  Problems often arise for businesses that cooperate because they cannot establish sufficient proof of licensing or the business is not aware of the extent of the infringement. 

The best way to prevent problems with software licensing or an audit is to implement a software asset management plan.  Ideally, the plan would include at a minimum a written policy covering: (a) terms for copying, use,and transfer of company software; (b)  the risks or improper use of software and piracy; and (c) disciplinary action for employee misuse.  The plan should also include software management including a system for record keeping of all receipts, licenses, and original copies of the software.  The plan should further include regular self-audits of company computer systems to verify proper licensing.

With a good software management plan in place, a business will be better equipped to defend a software audit or avoid it in the first place.  In either case, if your business is facing an audit or other enforcement action, you should seek legal advice.  If you face Goliath alone, do not count on obtaining the same success as Mr. Johnson.

Technology Tips For Connecticut Businesses To Avoid Litigation

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal’s Etechnology Summit concerning technology bombs that can sink a business.

Here’s todays tip for Connecticut businesses to avoid financial loss as a result of datal loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal indentifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws.  For a good resource on privacy laws go to the Privacy Law Blog by Proskauer Rose LLP.  For an example of a new privacy law in Connecticut, consider the“Act Concerning the Confidentiality of Social Security Numbers.”  Connecticut’s Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public realtions, and signficant down time.  Consider the recent case of TJX reported on by Sheri Qaulters for the National Law Journal.  Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards.   TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks. Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business.  How can a business mimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business.   There is no one size fits all policy and solution and every business will have different needs.  If you already have a policy, you should have it reviewed regularly for changes in the law.  If you do not have a policy in place, you need to start somewhere.  For “do it yourselfers” there is the Federal Trade Commision’s Guide for Business and Protecting Personal Information.  The FTC’s guide is a 5 step plan from identifying your risk exposure to implementing procedures.

 In addition  to implementing policies, any business with a significant risk exposure for data loss (i.e. medical practice, retailers, e commerce) should consider purchasing a cyber liability insurance policy.  These policies are now more afforadable and many insurers such as The Hartford are now actively underwriting polices to cover first and third party data loss claims and providing ongoing resources and information.

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit.