Too Small to be Hacked?
“We are not the size of Target or Home Depot, so we won’t be a target of a cyber-attack.” This is a dangerous assumption. It was recently reported in the news that ISIL (a terrorist organization) had hacked and taken over certain websites of small companies, posting the ISIL logo and the message, “Hacked by Islamic State 2015. We are everywhere.” Granted, the chances of your company being digitally attacked by a terrorist organization are fairly slim; however, the lesson is quite clear. Medium and small organizations present soft targets for all manner of attack.
Moreover, just because your company is not a mega-corporation does not mean that you do not have a similar liability profile. What does this mean? Simply put, the size of a corporation—by whatever measure—does not directly correlate to the information it holds and the associated liability for loss of control of that information. For example, assume you are a small medical practice. By definition, the practice will possess the most intimate of personally identifiable information. Should you lose track of this information, e.g. social security numbers, dates of birth and names for patients going back possibly for decades, your risk profile may far outstrip the going concern value of the practice. The Health Information Portability and Accountability Act (HIPAA) plays its part, but so do Florida’s (and possibly other jurisdictions’) data breach notification laws, Federal Trade Commission jurisdiction and recent developments in class-action privacy law. The same is true for companies that routinely deal in credit card information, certain types of demographic information or their own employees’ personal information.