I was once again surprised by the laissez-faire attitude I got when I was explaining to a prospect why they needed to improve the security of their network: a cheap personal firewall, everyone with administrator rights, no security policies preventing users from copying data to USB drives. These were just a few of the holes. Needless to say, a CPA firm has all sorts of information about its clients, and thinking that "it’s not that big a deal" really surprised me. "We’ve never been hacked before and we’re so small, why would anyone want any of our information?" was the Managing Partner’s response. Like I said, I don’t get it. I went on to describe California’s "Database Security Breach Notification Act" and all that it’s about. Apparently, he had no idea about SB 1386…
Specifically, SB 1386, codified as Civil Code § 1798.82, et seq., requires "any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security system…to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." The statute imposes specific notification requirements on companies in such circumstances. The statute applies regardless of whether the computerized consumer records are maintained in or outside California.
Basically, this means that if for any reason someone gets to personal information (SSN, credit card info, bank accounts, etc.) about your clients from your network, you need to immediately inform them that this has happened. Literally, it’s a crime to even investigate what happened if you haven’t already told them about it first. Again, I don’t know that people really understand what this all means. Imagine the impact on your position as a trusted advisor if your clients thought you didn’t even do the bare minimum to ensure their private information stayed private! I would think your business would come to a screeching halt, to say nothing of the cost of litigating this.
I went on and asked some additional questions: Are their tax returns, stored as PDFs, encrypted? Or can anyone get to them? How is the security around your document storage designed and managed? Who has access to what information? Who can copy the files onto a USB drive? Which employees have business email on their personal devices? What would you do with that device and those emails if they left? While his head was swirling, I still wasn’t sure if he really got my point or thought I was just there trying to scare him into action.
Needless to say, security is more complex than ever before, and the ramifications are more far-reaching than most realize. While this law may seem draconian, the reality is that the biggest ace in the hole is actually included in it. There you’ll find the words "reasonable effort". To me this means that if you’ve acted in good faith and have done what most in the industry are doing to prevent or reduce your exposure, then you should be covered. This is where Managed Services, Managed Security, and a proactive approach to technology come in. This is where most companies are moving, and where the mindset of those who haven’t has to change. If you’re not managing your network proactively and aren’t working with a trusted advisor like FPA, then how can your clients look to you as a trusted advisor?
Beyond all that you’re doing for your clients, if you’re not doing all you can to ensure your network is secure, are you really a trusted advisor to your clients?