Editor’s Note: This is the first in a two-part series of cyber security articles. Part two can be found here.
Is there anything more financially fragile than a small business in the U.S. today? As we climb out of the Great Recession, many of the surviving small businesses were forced to cut corners, often making compromises on the IT side. Combine this with an unprecedented rise in cyber crime that took the 2011 U.S. cost of security breaches to $32 billion, and one can easily predict the future security troubles of many small businesses.
As legal, and sometimes operational and financial, advisers to small businesses, law offices should be more aware than ever of the security risks to small business clients, understand how to mitigate these risks, and lend support when a security breach occurs.
Attorneys, especially solo and small-firm practitioners, should weigh the same considerations against their own online presence and security risks.
While I can’t cover IT security in its entirety here, I’ll touch on three areas, each of which should give you an idea of security troubles ahead and what you might be doing to anticipate these troubles:
- Professional and financial liabilities
- Reasonable contractual expectations
- Responses after a breach
To set the stage for my thoughts on the advice and support a law office might provide to small businesses, consider for itself, or at least be aware of, let me start by sharing a few details of my background. I am the managing partner of 403 Web Security, a web application security company, and WDDinc, a software development firm with close to 20 years of developing software, much of it for small businesses. While I am not a legal expert, I have seen more than my share of software-related contracts and have a firsthand view of the risks these organizations place themselves under.
For the sake of simplicity and to take full advantage of my experience, I’ll limit my notes to web application security, more commonly known as the security of small-business web sites.
Professional and Financial Liabilities
Without hesitation, I can say that the vast majority of small businesses not only have inadequate security protections in place, but also are oblivious to the fact that they are at risk. Even worse, recent headlined security breaches of high-profile companies seem to engender only a misguided belief that small businesses are immune from attack because they are small fish in a huge ocean.
The truth is, not only are small businesses not immune from attack, they are prime targets precisely because of their lack of security. Consider the monetary value of even a small, undetected breach: the attacker has unlimited time to exploit the compromised data and can return to the same source months and years into the future.
When considering security liabilities, I like to separate small businesses into two categories. The first would be those businesses that collect and store protected data (e.g., medical or identity information) within their own environments. The web sites that support these businesses tend to be custom built by design or development companies that have little or no experience in creating secure web sites, and almost never have the capability to test new sites for security vulnerabilities. These companies are potentially open to huge fines when their data is compromised.
The second, and larger, category is small businesses with e-commerce components. These businesses usually, and wisely, use well-established (and secure) external web services to handle credit card and other payment transactions. Unfortunately, this approach protects the customer only when the business’ own web site, the pages that hand the customer off to that payment service, is itself secure. The point almost always missed is that a hacker does not always breach a web site for its underlying data. For example, a hacked site may be modified in subtle ways (a changed checkout form target, an injected script) to send an unsuspecting consumer to a fraudulent payment page that will happily collect and exploit the consumer’s credit card as soon as it is entered. Or, one of my favorite security flaws, Cross-Site Scripting (XSS), might allow a hacker to run script inside a legitimate user’s browser with the privileges of the trusted site, hijacking that user’s session and e-commerce transactions and, if chained with a browser vulnerability, reaching the user’s computer itself.
In either case, a small business may be financially and legally liable for the fraud and illegitimate use of information from its security breaches. Perhaps just as importantly, the loss of reputation and consumer confidence alone might be enough to ruin any small business.
A proactive law firm may be in a unique position to address potential security issues and breach consequences with its clients. This should be part of the support offered to any client, and attorneys should heed the same advice themselves.