SMBs Don’t Understand Cyberbreach Notification Laws

Currently, 47 states have cyberbreach notification laws, according to a survey by Software Advice, a software selection consultancy. Yet, just one third of survey respondents, who are SMBs, are confident that they understand their state's laws.

Meanwhile, 14% said they were not confident at all that they knew their state’s policies on what to do should they be a victim of a cyberbreach.

Time is definitely of the essence after an attack occurs. “Most of the time, when [valuable] information leaks out of a company, it is instantly being monetized on underground forums,” Bogdan Botezatu, senior e-threat analyst for antivirus firm Bitdefender, told Software Advice.

Having different laws in different states is confusing for business leaders, and a single law across the entire country would certainly make it easier to create and implement a strategy. Until that happens, there is some clarification at hand.

Heather Buchta, partner at legal firm Quarles & Brady and an expert in e-commerce, software and technology law, told the study authors that “although state laws vary, they do share common features. When defining personally identifiable information, the statutes ‘almost always’ include a combination of an individual’s name together with any ‘sensitive data elements,’ such as SSN, driver’s license numbers, credit card PINs and account passwords, for instance.” However, she says, the definition of sensitive data elements is what can vary across states.

Fewer than 50% of respondents said they had breach response plans, while 29% reported having insurance.

Your first line of defense, the report cautions, is always your employees. Fully 74% responded that their staff was trained in security, but the report notes that training can mean different things to different people. Most companies simply communicate statements such as “never leave your laptop in a public area” and “change your password monthly.”

Arlie Hartman, security advisor for IT security solutions provider Rook Security, tells Software Advice that training should “incorporate cautionary tales of what regular users have done that led to a breach. The material must have metaphors that make it relatable to users. Institute a culture of security: It’s not a job position, it is a duty for all employees.”

Read the full report here.
