As a business owner you have a crucial role to play in risk management. While you and your team grind out the day-to-day operations, it’s also your responsibility to stand on the top of the mountain scanning the plains for threats that could bring your business to its knees.
You have the unenviable task of identifying the unknown – those ‘Black Swan’ events that seem so rare, they couldn’t possibly happen to you.
… But this is dangerous thinking.
There is one “it will never happen to me” threat that most business owners are ignoring.
That threat is criminal prosecution under data protection laws.
The Biggest Data Mistake You Don’t Want To Make
Do you have confidential client data stored in Cloud services such as Dropbox, Google Drive, OneDrive, and iCloud? If so, you could be in breach of these data protection laws.
On September 22nd 2016, Yahoo Inc. was sued by Ronald Schwartz over the 2014 hack, which compromised the data of 500 million accounts. The case is Schwartz v. Yahoo Inc., U.S. District Court, Northern District of California, No. 16-05456.
In a quote from Yahoo tech,
“The lawsuit suggested that the breach might have been warded off had Yahoo, having been targeted by hackers before, lived up to its promise of taking user privacy “seriously” and bulked up its security measures… Yahoo demonstrated “reckless disregard for the security of its users’ personal information that it promised to protect”
… “Having been targeted by hackers before” … Don’t say you weren’t warned. If you are storing client data on a service that has been, and can be, hacked, you may just be in breach of data protection laws.
So again, let’s ask the question. Is your confidential client data stored on Dropbox, iCloud, OneDrive or Google Drive? These have been breached by hackers before, and are being targeted by hackers now.
It’s not a secret. It’s an identified risk. (SOS Online Backup helps you negate this risk. We’ve got a free trial here).
In the United Kingdom, the Information Commissioner’s Office (ICO) is investigating the August data breach from global accounting software firm Sage. Under the Data Protection Act 1998, Sage could be found guilty of negligence.
And in another case from the ICO…
“Telecoms company TalkTalk has been issued with a record £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data ‘with ease’.”
How To Identify Data Negligence And Prevent Criminal Prosecution
In the UK, the Data Protection Act states:
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data (Wikipedia).
And in the US…
“Most US businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information”. – DLA Piper (Global Law Firm)
It is safe to say that “reasonable technical, physical and organizational measures” means: never store data on a known hackable site!
The Best Risk Management Advice For Business Owners
As a business owner it’s your job to identify risk and take reasonable measures to prevent it. Any avoidance puts you in the firing line for negligence.
Here are some best practices for your data:
- Move all client files to a secure online backup;
- Never store sensitive files on Cloud platforms with a proven ‘hack record’;
- Always change passwords regularly, and frequently (hackers are fast);
- Use different passwords across multiple sites;
- Create strong passwords – use a password generator.
We cannot urge you enough to consider removing your data from these Cloud platforms and moving to secure online backup like SOS. It only takes one disgruntled ‘Schwartz’ to land you in court.
The laws are clear and the risk has been identified. You now have the knowledge to take reasonable action.
So, what decisions will you make today about your data protection?