Ongoing employee training is another important part of cybersecurity. Many of the steps that businesses take to protect their data—two-factor authentication, requiring complicated passwords that must be changed occasionally—feel like a hindrance to workers, who will begin to look for shortcuts.
“You want to make it as easy for them as possible, but also secure,” McLaughlin said. “There’s a balance, and a lot of times little businesses lean toward convenience, rather than security. They don’t have the money or time to do the security piece.”
Encryption helps prevent data from being used by thieves if they gain access to it. Most states, including Colorado, don’t require businesses that suffer a data breach to report it if the data that was exposed was encrypted, Sherman & Howard’s Keimig said.
Reacting to a data breach
Cyber threats are constantly evolving, and despite your best attempts to thwart an attack, there may come a day when a hacker gains access to your network anyway. What then?
Colorado law requires that if a breach exposes customers’ personal information, the business must notify affected customers within 30 days, and in any case “in the most expedient time possible and without unreasonable delay.”
Information covered by the law includes customers’ first names or initials and last names, in combination with Social Security or ID numbers; account numbers with any PINs or access codes; medical information or health insurance identification; biometric data; or usernames or email addresses.
If that information was encrypted, its exposure doesn’t trigger the reporting requirement, unless the encryption key was also compromised.
If 500 or more Colorado residents are affected by the breach, businesses must also notify the attorney general.
Builders’ legal responsibilities are more complicated if they have clients who live in another state, Keimig said. Say, for example, a builder has a client who lives in Connecticut, but is building a second home in Vail.
“These laws typically protect the state resident,” she explained, “so even though the breach may have occurred here, even though the data may have been residing here, what matters is what law protects the person whose information it is.”
That means part of the recovery process following a data breach is an audit of where each affected customer lives to determine whether the builder will be subject to any other state’s laws.
McLaughlin said it also depends on what kind of data has been compromised.