Communications Daily is a service of Warren Communications News.

Small Business Vulnerable to Data Security Proposals

Congress shouldn’t ignore how data security proposals will affect small businesses, witnesses told the House Small Business oversight subcommittee Tues. Main Street doesn’t have the resources that Wall Street takes for granted when it comes to data breaches, notification requirements and security compliance, and any new laws should give agencies leeway to consider business size in evaluating compliance and penalties, they said. And a new study by the Progress & Freedom Foundation, whose Senior Vp Thomas Lenard spoke to the subcommittee, said the raft of proposals on the Hill could keep small businesses out of “markets in which the use of personal information is important.”

Rep. Sodrel (R-Ind.) brought up his own small-business background to warn how Main Street could buckle beneath laws designed for large corporations. In his field of trucking, firms had to add several officers over the years simply to comply with federal regulations; will even a 5-person business need an information security officer if legislation passes, Sodrel asked rhetorically. “We could basically kill the small business guy with these rules and regulations,” Chmn. Akin (R-Mo.) said. He said information on him was taken in the Veterans Administration data theft (WID May 23 p7).

Small businesses face a disproportionate threat from cyberattacks, given their scarce resources and weaker infrastructures, said Paul Kurtz, Cyber Security Industry Alliance exec. dir., in prepared testimony. A Symantec report this year found small businesses were in the top 3 most targeted groups for cyberattacks, a point Kurtz made in a March subcommittee hearing. But those firms can improve security through many federal programs, such as the National Institute of Standards & Technology’s (NIST) SecureBiz workshops and NIST’s computer security publications available online, in addition to low-cost security suites and development by businesses of best practices, Kurtz said. The Small Business Administration “can show a leadership role” as well, Kurtz said in the hearing, by surveying small businesses on cybersecurity and conducting outreach through town hall meetings, similar to the FBI’s successful Infragard program.

On the other hand, small businesses don’t face the same risks as larger peers, said Mark MacCarthy, Visa senior vp-public policy, responding to Akin’s question about his dry cleaner’s obligations. Most don’t link the point of sale terminal to the cash register, meaning they don’t retain card information, MacCarthy said. As they become midsized businesses, typically they do start retaining information, and data security proposals would apply to them, he added.

Data security proposals fail a cost-benefit analysis as applied to small businesses, Lenard said. Breach victims would receive $7.50-$10 as a result of a notification requirement, according to the study, because most breaches aren’t online; around 2% are victims of fraud, not full-fledged ID theft; and a good notification program will cancel only 10%-20% of expected costs for consumers. Notification is cost-effective only for “relatively large” programs, and most states have alternative notification programs beyond a monetary threshold, he said. At most, the FTC should work with breached firms to tailor notifications to people most at risk, Lenard added.

“Regulation is coming,” but “let’s not create a new set of victims by piling heavy regulations” on small businesses, said Assn. for Competitive Technology Exec. Dir. Steve DelBianco. Calling himself a “small business survivor” -- having sold his IT consulting business to found the Assn. -- DelBianco said small business owners don’t have the time to handle new regulatory burdens. “Roadmaps” through best practices and gathering input from IT vendors are better, he said. Credit-freeze provisions in state laws and some federal rules are “especially burdensome to small businesses,” said National Assn. of Mortgage Brokers Pres.-Elect Harry Dinham. He noted that preexisting customer relationships -- more common with larger institutions -- are exempt from credit-freeze provisions.

Preempting state data security laws is the most meaningful step Congress can take to help small businesses improve security without breaking the bank, all witnesses said. Lenard said it was the only provision likely to help small businesses in proposals on the Hill, under his cost-benefit analysis. The 30 state laws diverge on provisions such as harm threshold for issuing breach notifications, the definition of “personal information” and whether hard-copy records are covered alongside computerized data, said Hunton & Williams Chmn.-Privacy & Information Management Lisa Sotto. She supports Cal.’s “personal information” definition, which excludes less sensitive data like date of birth, and the exclusion of hard-copy records from coverage.

The feasibility of small businesses using encryption was contested between witnesses otherwise in agreement. “We wouldn’t be having the flash of news we're having today” if businesses had deployed encryption more widely, Kurtz said, adding that encryption is “more seamless and easy to apply today” than 4-5 years ago. Lenard called a safe harbor for data encryption a strike against small businesses: “Encryption is often quite expensive and its costs are not sensitive to firm size.” Sotto said one of her clients spent about $100 a laptop for encryption, but added that small firms have less bargaining clout to bring down vendor costs for security services.

Though Congress is considering a delay for small-business compliance with whatever data security measure is enacted, that’s not wise, Kurtz said in the hearing. He explained to us after that a federal delay won’t help businesses trying to comply with 30 state laws, and it’s better to handle implementation of all varying laws at once. The most important provision for small businesses is flexibility in implementing their own data security programs and tailored responses to breaches, Kurtz said.