Windham Region Chamber of Commerce

cybersecurity

by

NEW LAW-MUST REPORT CYBERSECURITY BREACHES

Connecticut state law requires any person who conducts business in the state and experiences a breach of security involving computerized data to provide notice to the Office of the Attorney General in addition to state residents who may be affected.

Anyone who conducts business in Connecticut and who– in the ordinary course of business– owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to state residents whose personal information is believed to have been compromised. Notice to consumers must be made without unreasonable delay but not later than ninety days from discovery of the breach.

The details of Connecticut’s reporting requirements are outlined in Connecticut General Statutes § 36a-701b.

Business owners must also notify the Office of the Attorney General, no later than when the affected residents are notified, according to the law. Failure to provide such notice may be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA).

To assist business owners in complying with this requirement, the Office of the Attorney General has a dedicated email address for reporting: ag.breach@ct.gov.

To simplify the process and minimize the need for the Office of the Attorney General to request additional information, business owners are asked to include the following in any breach notification:

  • A general description of the breach, including the date(s) of the breach, when and how the breach was discovered, and any remedial steps taken in response to the breach.

  • The number of Connecticut residents affected by the breach.

  • A detailed list of the categories of personal information subject of the breach.

  • The date(s) that notification was/ will be sent to the affected Connecticut residents.

  • A template copy of the notification sent to the affected Connecticut residents.

The name and contact information of person reporting the breach, and name and address of the business that experienced the breach, along with the type of business should also be provided.

 The office should also be informed as to whether credit monitoring or identity theft protection services has been or will be offered to affected Connecticut residents, as well as a description and length of such services. As of October 2018, the required minimum length of credit monitoring is 24 months.

 The legislation is Public Act 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses goes into effect on October 1, 2021.

According to a 2018 CBIA survey, nearly one-quarter of Connecticut businesses experienced a data breach or cyberattack in the previous two years. And 90% of those were small businesses with less than 100 employees.

by

DONT HAVE AN IT GUY? HERE ARE SOME THINGS TO DO TO PROTECT YOUR COMPANY

Cyber attacks are a growing threat for small businesses, and a recent U.S. Small Business Administration survey estimates that an astonishing 88% of small business owners are concerned about being vulnerable to cyber attacks. Many entrepreneurs don’t have the capability to afford IT professionals or don’t know where to start, but it’s important to learn about common threats, understand where your business might be vulnerable, and take concrete steps to improve your cybersecurity.

Below you will find some tips and best practices to protect your small business from cyber attacks.
Be smart about passwords

To improve your cybersecurity, use strong passwords that are unique to your various accounts. While it might be challenging to remember them, being diligent about your passwords will pay off in the long run.

The National Cybersecurity Society has developed a short guide to creating secure passwords for small businesses.
Stay alert

Whether you or your employees are entering data into your systems, sharing information with other partners or just ringing up a sale, it’s critical to be aware of possible phishing attacks. Phishing is a type of cyber attack that uses email or is a malicious website that can infect your computer with viruses to collect your sensitive information.

Phishing emails appear as though they’ve been sent from a legitimate organization or known individual, and these emails often entice users to click on a link or open an attachment containing malicious code. Check out this cheat sheet to keep yourself and your employees aware of possible phishing attacks.
Use antivirus software

Equip your business’ computers and systems with antivirus and antispyware software. You can find an array of programs readily available that fit your small business needs, so make sure to choose a vendor that will configure automatic updates to correct security problems and improve functionality.
Protect your payment processors

Work with your financial institution or payment processor to ensure you have a complex payment system. To help you identify the best system for your business and how to protect it, check out this guide to data security essentials for small merchants.
Set up multi-factor authentication

Whenever appropriate and available, set up multi-factor authentication for your accounts. This process requires small business owners and their employees to provide additional information to add a second layer of security to log in and access sensitive information. Some companies automatically give you the option to set up multi-factor authentication to log into their accounts, so check with your financial institution and other vendors to see if they offer this feature.
Evaluate your business’ cybersecurity preparedness

We encourage you to take the NCSS online survey to assess your business’ vulnerability to cyber attacks and how you may improve your cybersecurity.

For additional how-to guides and frequently asked questions about how to protect your small business from cyber-attacks, visit the National Cybersecurity Society.

Reference:  Venturize