I've been doing this a long time - 27 years and counting. And I'm still amazed by the laissez-faire attitudes I encounter when I discuss the value of securing a business's network. When I first speak with most people, all too often we discuss what we do, how we do it, and what a successful client's technology footprint looks like, and then we dive into the need to address security. On the surface, everyone says they want to secure their technology. But as we dig deeper, we find things like no firewall (or a cheap firewall that isn't business-grade), every user having Administrator rights, no security policies, no approach to keeping patches up to date, and on and on. Scary stuff, to say the least.
Unfortunately, IT is all too often a big black box, and most people don't know what to expect from it or what to require of it, other than that it works and doesn't cost too much to keep running. The last thing on their minds is: is it secure? Nowadays that should actually be a priority, or at least a priority for the person responsible for your IT.
As with most companies, a CPA firm or investment advisor holds all sorts of information about its clients, and thinking about security without acting on it still surprises me. Too often I've heard, "We've never been hacked before, and we're so small no one wants any of our information."
Consider this - California's "Database Security Breach Notification Act," SB 1386:
SB 1386, codified as Civil Code § 1798.82, et seq., requires "any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security system…to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." The statute imposes specific notification requirements on companies in such circumstances. The statute applies regardless of whether the computerized consumer records are maintained in or outside California.
Basically, this means that if for any reason someone gets to your clients' personal information (SSNs, credit card numbers, bank accounts, etc.), you need to inform them immediately that this has happened. Literally, it's a crime even to investigate what happened if you haven't already told them about it first.
Again, I don't know that people really understand what this all means. Imagine the impact on your client relationships if you're not doing the bare minimum to ensure their private information stays private! Your business would come to a screeching halt, to say nothing of the cost of litigating it.
Here are some questions to consider: Do you store any PDFs containing your clients' or customers' information? Are they all encrypted or password-protected? If you answered yes, how do you know for sure that every one is? How do you know you have the right processes in place to ensure no one else can get to them? How is security designed and managed around your document storage? Who has access to what information? Who can copy files onto a USB drive? Which employees have business email on their personal devices? What would happen to that device and those emails if they left?
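The question "how do you know for sure every one is encrypted?" has a concrete answer: inventory the files and check. The script below is an added example, not code from the original post or from FPA, that walks a folder tree and lists every PDF whose trailer has no /Encrypt entry (the marker a PDF reader uses to know that a password or certificate is required). The two sample PDFs and their file names are constructed inline so it runs offline; the check is a heuristic that only detects native PDF encryption, so it says nothing about protection applied by a document-management system or full-disk encryption.

```python
"""Inventory PDFs under a folder and flag those without PDF encryption.

Added example (not from the original post). Heuristic: a PDF whose
trailer (or cross-reference stream dictionary) carries an /Encrypt
entry is password- or certificate-protected; anything else is stored
in the clear. It detects native PDF encryption only.
"""
import os
import re
import tempfile

# The encryption dictionary is referenced with the key /Encrypt.
ENCRYPT_KEY = re.compile(rb"/Encrypt\b")


def pdf_is_encrypted(path):
    """Return True if the file is a PDF that references an /Encrypt dictionary."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(b"%PDF-"):
        raise ValueError(f"{path}: missing PDF header")
    return ENCRYPT_KEY.search(data) is not None


def find_unencrypted_pdfs(root):
    """Walk `root` and return the sorted paths of PDFs that lack /Encrypt."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".pdf"):
                continue
            full = os.path.join(dirpath, name)
            try:
                if not pdf_is_encrypted(full):
                    findings.append(full)
            except ValueError:
                # Malformed or mislabelled file: report it rather than skip it.
                findings.append(full)
    return sorted(findings)


# Two constructed, minimal PDF files (hypothetical client documents).
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
             b"trailer<</Root 1 0 R>>\n%%EOF\n")
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
                 b"2 0 obj<</Filter/Standard/V 2/R 3>>endobj\n"
                 b"trailer<</Root 1 0 R/Encrypt 2 0 R>>\n%%EOF\n")


def demo():
    """Write both samples into a temp folder and return the unencrypted names."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "clients"))
        plain = os.path.join(tmp, "clients", "w2-jones.pdf")
        enc = os.path.join(tmp, "clients", "1099-smith.pdf")
        with open(plain, "wb") as fh:
            fh.write(PLAIN_PDF)
        with open(enc, "wb") as fh:
            fh.write(ENCRYPTED_PDF)
        return [os.path.basename(p) for p in find_unencrypted_pdfs(tmp)]


if __name__ == "__main__":
    print(demo())   # ['w2-jones.pdf']
```

Run it against a real document share by calling `find_unencrypted_pdfs("/path/to/share")`; the resulting list is the evidence behind a "yes, every one is encrypted" answer, and an empty list is the state you want to be able to show. Malformed files are reported rather than skipped, because a file that is not actually a PDF is exactly the kind of exception a manual review would miss.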
And this is only the tip of the security iceberg.
Needless to say, security is more complex than ever, and the ramifications reach further than most realize. While this law may seem draconian, the biggest ace in the hole is actually written into it: there you'll find the words "reasonable effort".
To me this means that if you've acted in good faith and done what most in the industry are doing to prevent or reduce your exposure, then you should be covered. This is where managed services, managed security, and a proactive approach to technology come in.
This is where most firms need to move, and where the mindset of those who haven't has to change. If you're not managing your network proactively and aren't working with a trusted advisor like FPA, how can your clients look to you as a trusted advisor?
What are you doing to ensure your clients' information is safe and secure? Have you run into any compliance issues along the way? Let us know your thoughts in the Comments section below, or feel free to send me an email to discuss this in more detail.