The internet has been a game changer for small businesses, allowing them to reach new markets, hire nonlocal talent, and compete with larger companies. Not having an online presence where customers can discover and interact with your business is now almost unthinkable. You may also have remote team members and vendor partners that are vital to your success.

But the power and convenience of the internet is not without downsides for businesses. You have probably considered the threat of a cyberattack and how it could impact your business’s operations. The threat is not one you can afford to ignore. Small businesses are vulnerable to cyberattacks—failure to defend against an attack could cost you everything.

American Small Businesses Are Experiencing a Wave of Cyber Crime

Data is the lifeblood of both large and small businesses. The more information you have about your customers and operations, the more you can improve the customer experience, develop better products and services, and improve efficiency.

The data businesses maintain, however, is also valuable to online thieves. Cybercriminals traffic in personal information. Hackers who steal user data sell it to other criminals who use it to perpetrate identity theft, launch bot and spam campaigns, and engage in other illegal activities.

Prices for stolen data sold on the dark web range from around $35 to $75 for a hacked social media account, $25 to $250 for stolen credit card and banking information, and $50 to $100 for a Social Security number.[1] Hackers therefore have an incentive to steal data in bulk. This leads them to target businesses that hold the personal information of many individuals.

In 2021, the FBI Internet Crime Complaint Center received nearly 850,000 complaints about cyberattacks and malicious cyber activity. Most of the victims were small businesses.[2]

More than 40 percent of all cyberattacks are against small businesses,[3] which often make attractive targets because they lack the cybersecurity infrastructure of larger businesses. The smaller the business, the more vulnerable it may be due to resource constraints that prevent hiring security professionals. Verizon notes that even organizations with fewer than ten employees are vulnerable to cybercriminals.[4]

Cybersecurity Laws for US Businesses

The law struggles to keep pace with technological change. Nowhere is this more apparent than in the patchwork of laws that govern data privacy in the United States.

Unlike Europe, which implemented the landmark General Data Protection Regulation (GDPR) in 2018, the United States lacks a comprehensive federal data privacy law. Instead, it has largely left the matter of data security to the states, although there are several federal laws that protect specific types of data. These include the Health Insurance Portability and Accountability Act (HIPAA), which contains a security rule applicable to cybersecurity as it relates to protected health information. The following federal laws may also affect a company’s cybersecurity policies and practices:

  • Gramm-Leach-Bliley Act (GLPA) (consumer financial privacy)
  • Fair Credit Reporting Act (FCRA) (personal information in consumer credit reports)
  • Children’s Online Privacy Protection Act (COPPA) (personal info collected from children under age thirteen)
  • Telephone Records and Privacy Protection Act
  • Cable Communications Policy Act
  • Video Privacy Protection Act

In addition, the Federal Trade Commission (FTC), which enforces the COPPA, FCRA, and GLPA, has the authority to penalize companies for privacy policy violations that constitute “deceptive practices or acts.” However, there is no federal law requiring businesses to have a privacy policy.

The FTC has recently been more proactive about using its authority to regulate data privacy. It could eventually propose new rules applicable to commercial surveillance and data security.[5] For now, though, the authority to regulate cybersecurity largely falls on the states, not the federal government.

Currently, nine states—California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia—have enacted comprehensive data privacy legislation. These laws give consumers rights and impose obligations on businesses. They have significant overlap but important differences as well.[6] For example, California’s privacy law, which permits data breach victims to sue businesses, is considered one of the most consumer-friendly of all of the state privacy laws passed to date.

In addition to comprehensive state privacy laws, there are laws that regulate certain aspects of cybersecurity, such as data breaches. All fifty states and the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have data breach laws that protect consumers. These laws generally empower those states’ or territories’ attorneys general to impose penalties and fines on companies that violate data breach requirements.[7]

Consumers may also file cybersecurity lawsuits under other state-specific laws or based on the tort of negligence. Illinois’s Biometric Information Privacy Act[8] is one of the strongest data privacy laws in the country applicable to biometric information. Utah has a general data privacy law and a law outlawing social media ads to minors.[9] And the Ohio Data Protection Act provides an incentive-based program for businesses to improve their cybersecurity practices.[10]

Regardless of where a business is based, it must comply with local cybersecurity laws, including laws in other countries, if it conducts business in a jurisdiction with relevant laws on the books. The laws are designed to protect the citizens of each of those jurisdictions: California’s Consumer Privacy Act protects Californians, the GDPR protects European citizens, Brazil’s General Data Protection Law protects Brazilian citizens, the Quebec Access Act applies to Quebecers, etc.

Importantly, not all cybersecurity laws apply to all businesses. Data privacy laws typically have size, revenue, and data-handling thresholds that companies must meet for compliance purposes.

Another piece of good news is that developing a compliance strategy for one state or country—especially those with strong privacy protection laws, such as California and Europe—usually makes it easier to comply in other regions.

Cybersecurity best practices (i.e., implementing data protection by design and by default) go a long way toward building a modern security and privacy program. Information about best practices is available from the U.S. Small Business Administration, the FTC, and the Cybersecurity & Infrastructure Security Agency.

Many Small Businesses Are Lax about Security despite Data Breach Costs

Cybercrime takes many forms, including malware, viruses, ransomware, spyware, and phishing. While some criminals may be out to steal state secrets or sow digital chaos, most of them are interested in the monetary value of stolen data.

Data breaches, whether they occur from compromised email credentials or a software vulnerability, are very costly to businesses. For small, medium, and large organizations, estimates of the average cost of a data breach range from $108,000 to around $4 million.[11] For small businesses, that number is closer to $3 million—and growing. Data breach costs primarily take the form of lost business, including increased customer turnover, lost revenue from system downtime, and the higher cost of acquiring new business due to reputational harm. Costs are also incurred when investigating and responding to data breaches. Companies that fail to secure customer data can face fines, penalties, and lawsuits.

These costs may end up being more than a major inconvenience. They could ultimately end up dooming a business. In fact, an estimated 60 percent of small businesses that suffer a data breach close their doors permanently within six months.[12]

With so much on the line in a data breach, many small business owners appear surprisingly indifferent to the data breach threat. Only 37 percent of owners told CNBC/SurveyMonkey that they were concerned about being a cyberattack victim.[13] Only 4 percent said cybersecurity was the biggest risk facing their business, and two-thirds expressed confidence that they could quickly move past a cyberattack.

Perhaps reflecting this laissez-faire attitude to cyberattacks, a separate study found that nearly half of businesses with fewer than 50 employees lack a dedicated cybersecurity budget. And just 18 percent of businesses with more than 250 employees have a dedicated cybersecurity budget.[14]

The top reasons cited for not implementing stronger security measures were a lack of resources and a knowledge gap regarding the complexity of cybersecurity. Bigger companies are more likely to report having a chief information security officer and internal staff responsible for planning, overseeing, and executing cybersecurity policy. Smaller businesses are more likely to outsource cybersecurity efforts.

Small Business Attorneys

Small businesses often say that they cannot afford professional cybersecurity solutions. Yet they may not be able to afford the costs of a cyberattack, either.

Businesses that do not have a plan to prevent cybercrime are courting disaster. You would not leave a physical business unlocked and unsecured. Your online business should be no different. Leaving your systems unsecured is practically inviting cybercriminals to break into them.

A basic cybersecurity plan starts with assessing your operations, identifying vulnerabilities, and understanding applicable cybersecurity laws. From there, you can create a cybersecurity and data privacy action plan tailored to your business needs.

Remember that cybersecurity is about more than checking legal compliance boxes. Cybersecurity should be integrated into every aspect of business planning, practices, and operations. Only by taking a proactive, comprehensive approach to digital security can you hope to stay one step ahead of cybercriminals.

If taking on full-time cybersecurity staff is beyond your current budget, outsourcing can be a way to strategically address security gaps. We can be part of your cybersecurity team. To talk with our attorneys about the legal issues related to your cybersecurity concerns, please contact us and schedule a meeting.

[1] Ravi Sen, Here’s How Much Your Personal Information Is Worth to Cybercriminals—and What They Do with It, PBS News Hour (May 14, 2021), https://www.pbs.org/newshour/science/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it.

[2] Ian Thomas, The FBI Is Worried about a Wave of Cyber Crime against America’s Small Businesses, CNBC Small Bus. Playbook (Dec. 16, 2022), https://www.cnbc.com/2022/12/16/fbi-7-billion-lost-in-criminal-hacks-most-victims-small-businesses.html.

[3] Verizon, 2019 Data Breach Investigations Report (2019), https://www.verizon.com/business/resources/reports/2019/2019-data-breach-investigations-report.pdf.

[4] Verizon, DBIR: Data Breach Investigations Report 2008-2022 (2022), https://www.verizon.com/business/en-gb/resources/2022-data-breach-investigations-report-dbir.pdf.

[5] Commercial Surveillance and Data Security Rulemaking, Fed. Trade Comm’n (Aug. 11, 2022), https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial-surveillance-data-security-rulemaking.

[6] Anokhy Desai, US State Privacy Legislation Tracker, IAPP (May 26, 2023), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.

[7] Data Breaches, Nat’l Ass’n Att’ys Gen., https://www.naag.org/issues/consumer-protection/consumer-protection-101/privacy/data-breaches/ (last visited Jun. 9, 2023).

[8] 740 Ill. Comp. Stat. 14, https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57.

[9] The Associated Press, Utah’s New Social Media Law Means Children Will Need Approval from Parents, NPR (Mar. 24, 2023), https://www.npr.org/2023/03/24/1165764450/utahs-new-social-media-law-means-children-will-need-approval-from-parents.

[10] David J. Oberly, Ohio’s Data Protection Act, Ohio Bar (Jul. 1, 2019), https://www.ohiobar.org/member-tools-benefits/practice-resources/practice-library-search/practice-library/2019-ohio-lawyer/ohios-data-protection-act/.

[11] IBM, Cost of a Data Breach Report 2021, https://www.ibm.com/downloads/cas/OJDVQGRY; Kaspersky, IT Security Economics in 2019, https://go.kaspersky.com/rs/802-IJN-240/images/GL_Kaspersky_Report-IT-Security-Economics_report_2019.pdf.

[12] Luis A. Aguilar, The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses, U.S. Secs. Exch. Comm’n (Oct. 19, 2015), https://www.sec.gov/news/statement/cybersecurity-challenges-small-midsize-businesses.

[13] Brianna Richardson, CNBC|SurveyMonkey Small Business Index Q4 2022, SurveyMonkey, https://www.surveymonkey.com/curiosity/cnbc-small-business-q4-2022/ (last visited Jun. 9, 2023).

[14] Lauren Winchester et. al., Corvus Risk Insights Index: Ransomware Trends & Cyber Readiness, Corvus Ins., https://insights.corvusinsurance.com/cyber-risk-insight-index-q1-2022/survey-findings-smb-cyber-readiness (last visited Jun. 9, 2023).