Personal Identifiable Information: What SMBs can learn from FEMA and Facebook

2019 started off with a bang for the Federal Emergency Management Agency (FEMA) when the media got wind of a major security breach. Within days, the country was in an uproar about FEMA’s lax security practices.

They hadn’t been hacked. It wasn’t even an “inside job” in the traditional sense. An employee had merely sent a contractor more Personal Identifiable Information (PII) than the contractor had requested.

Approximately 2.3 million records had been sent, but along with the 13 types of PII required to administer the Transitional Sheltering Assistance (TSA) program, the employee sent six unnecessary types as well, including full street address and financial institution info, down to electronic funds transfer numbers.

Before we start crying government, let’s also remember 2018. Facebook’s undisciplined approach to data resulted in the potential abuse of 50 million accounts. In this case, PII was kept in an insecure spreadsheet where any employee could access it.

These are high profile companies, but if SMBs think that they won’t be held to the same standards, they need to think again.

States are holding SMBs to task for their errors. As an example, Colorado passed one of the most “demanding” consumer data protection laws on September 1, 2018. Less than six months later, the law had forcibly exposed 33 cybersecurity breaches impacting 91,235 Coloradans. These 33 businesses notified their customers, and some were the subject of derogatory media attention.

Indeed, small and mid-sized companies are significantly impacted by consumer data laws. What is worse, these companies do not have the leverage of Facebook and FEMA. Facebook’s stock price is equal to what it was worth one year ago, but small and mid-sized businesses might not bounce back from a breach.

Colorado’s Protections for Consumer Data Privacy Act

The prospect of a hack is serious enough. But now consumer data protection has entered a new phase. Businesses are being held to a higher standard. They must protect themselves from external AND internal threats.

Your business is subject to the Protections for Consumer Data Privacy Act IF:

  • Your business keeps paper documents containing Coloradans’ Personal Identifying Information (PII)
  • Your business keeps electronic documents containing Coloradans’ PII

Do you retain records of your customers’ phone number? Address? You are required to follow the Act.

Businesses subject to the Protections for Consumer Data Privacy Act are required to:

  1. Have a written policy detailing procedures for handling personal information and enforce the policy.
  2. Alert consumers that their data has been compromised within 30 days if a breach is detected. In cases where over 500 Coloradans are compromised, we are required to alert the attorney general. If over 1,000 are compromised, we must also contact the three major credit reporting agencies.
  3. We must take “reasonable” steps to protect personal information.*

*More detailed information available at the Attorney General’s FAQ on the Consumer Data Privacy Act

Trusting employees is no longer enough. Keep in mind that FEMA did have a detailed written policy but still failed to follow through. The law is not a guide on how to secure PII info. It is only a manual for how to press charges against infringements. And infringements can come from mistakes that any employee, executive or owner might make.

This is actually not so different from network security. For years, employees have held the keys. Any Pandora could wreak havoc on the network by opening a bad email attachment. Now the same is true when sending information to contractors.

Whenever changes like these occur, Platte River Networks updates our Corporate & User Policy Templates & Management. We also suggest our clients review their security policies annually in order to keep themselves, and their customers, safe. For more information on how to protect your company please contact us.