How to prepare for what experts have deemed is inevitable
BY MARC E. SORINI AND LYNETTE R. ARCE

By now, everyone has either heard of a major data breach or been personally affected by one. A business that falls victim to a data breach can suffer serious financial losses, with a devastating effect on the business's viability. These costs include the initial containment of the breach and the resulting remediation, notification to affected individuals and regulators, associated third-party vendor fees, and potential litigation and regulatory scrutiny. Reputational harm can emerge as the most costly piece of a data breach, as breaches can result in decreased sales and the loss of repeat customers. Data security experts often say that there are two types of businesses: those that have been hacked and those that will be hacked. Many small business owners believe they are too small to attract a hacker or to fall victim to a breach, but this is not true. Hackers seeking money for their actions do not care about the size of the business so long as they get paid for the stolen data. Just look at Scotland's Arran Brewery, which fell victim to a ransomware attack in 2018.[1] Arran Brewery lost three months' worth of sales data after a brewery employee opened an email attachment containing malware. The malware locked Arran Brewery out of its computer system, and the attackers demanded two bitcoin as ransom, which totaled around $13,000. Given the costs and broad reach of data breaches, small businesses must take a proactive role in preparing themselves for a breach and mitigating its effects. A small business can take practical steps to better protect itself and its brand from the effects of a data breach.

1. IDENTIFY APPLICABLE LAWS AND CONSIDER COMPLIANCE.
Numerous laws and regulations address privacy and cybersecurity, and nearly all of them cover the concept of data breaches. Distillers doing any sort of retail business are likely familiar with the Payment Card Industry Data Security Standard (PCI-DSS), as PCI-DSS sets the information security standard for all businesses that accept payment card information. Businesses with operations in the European Union have no doubt heard of the General Data Protection Regulation (GDPR) and its strict rules related to EU personal data. In general, distillers need to educate themselves about their legal landscape and take a reasonable approach to compliance. In the event of a breach, a business will find itself front and center with its privacy regulators, and those regulators will ask for an explanation of its privacy and cybersecurity practices.

2. EDUCATE YOUR EMPLOYEES.
According to a 2018 study conducted by the Ponemon Institute,[2] human error is the root cause of 27% of data breaches. Human error, of course, includes employees who report lost or stolen laptops, mobile devices, or confidential documents. It also includes negligent employees who skirt company policies, mishandle sensitive information, or email sensitive information to unauthorized persons. These actions typically arise out of carelessness. Businesses should ensure an adequate frequency of training for all employees on their policies related to information security and proper information handling. Certain employees may also benefit from supplemental training directed at their roles within the company, such as those working in payroll or human resources. Businesses should
[2] Ponemon Institute, "2018 Cost of Data Breach Study," June 2018.