“We are not the size of Target or Home Depot, so we won’t be a target of cyber-attack.”  This is a dangerous assumption.  It was recently reported in the news that ISIL (a terrorist organization) had hacked and taken over certain websites of small companies, posting the ISIL logo and the message, “Hacked by Islamic State 2015.  We are everywhere.”  Granted, the chances of your company being digitally attacked by a terrorist organization are fairly slim; however, the lesson is quite clear.  Medium and small organizations present soft targets for all manner of attack.

Moreover, just because your company is not a mega-corporation does not mean that you do not have a similar liability profile.  What does this mean?  Simply put, the size of a corporation—by whatever measure—does not directly correlate to the information it has and the associated liability for loss of control of that information.  For example, assume you are a small medical practice; by definition the practice will possess the most intimate of personally identifiable information.  Should you lose track of this information, e.g. social security numbers, dates of birth and names for patients going back possibly for decades, your risk profile may far outstrip the going concern value of the practice.  The Health Information Portability and Accountability Act (HIPAA) plays its part, but so do Florida’s (and possibly other jurisdictions’) data breach notification laws, Federal Trade Commission jurisdiction and recent developments in class-action privacy law.  The same is true for companies that routinely deal in credit card information, certain types of demographic information or your own employees’ personal information.

What then should the company do?  There are several things that can be done, but the first is to “organize your house”.  What information do you have?  Where is that information located and who has access to it?  Consider whether your company needs the information or whether it may safely be deleted.  Then you should develop a policy on privacy for your company which includes, among other things, thoughtful decisions on the type of information the company maintains, how it will be maintained (including safeguards on access and control), for how long it will be maintained and what to do if control is lost.  This internal privacy policy should usually be written, taught and verified for compliance.  Similarly, if you do business through a website, best practices suggest inclusion of a privacy policy that expressly sets forth the type of information that is collected through the website, how it will be used and the like.  Keeping your house in order in a privacy sense will usually help avoid or mitigate catastrophe in the event of cyber-attack or data breach.