Shop Talk

Column: Small businesses must follow the law, report cybersecurity breaches

Working on the Shop Talk story about cybersecruity last week freaked me out a bit.

Initially, it was like that creepy feeling of someone from across the world crawling through my wireless connection and hijacking my computer.

But it evolved into a fear that small-business owners are not consistently reporting data breaches.

For the cybersecurity story, I reached out to multiple sources to connect with businesses that might have experienced a breach. Everyone (except franchisees that are associated with national breaches) declined to talk because they didn’t want to be associated with such a story.

When I looked at the 12-page list of businesses that have reported data breaches this year in the state, I recognized names of medical companies, larger corporations, colleges and state agencies, but I didn’t see a lot of small, retail businesses.

Craig Petronella, president of Petronella Technology Group in Raleigh, likened the situation to someone who never visits a doctor, so they don’t know what diseases could be lurking underneath their skin.

Small-business owners are more likely to mistake a malware intrusion as a “pesky nuisance,” he said.

“Big deal,” they think when they get popups or their computer is going to weird websites, he said. Instead of assessing the possible implications of such an intrusion, he said, they take it somewhere to be repaired.

North Carolina Attorney General Roy Cooper said maybe cybercriminals are focusing on larger companies, or maybe owners of small companies aren’t aware that they have to report security breaches.

According to state law, companies that take the personal information of customers, employees, business associates and others, are compelled to protect it and dispose of it properly. If they don’t, they face fines of $5,000 per incident and could have actual damages in civil lawsuits tripled.

“It’s bad business to put your customers at risk,” Cooper said.

I agree. I understand that it happens, but owners shouldn’t ignore it and need to be savvy enough to protect customers’ information.

In August, I received a letter from Harry Barker, a South Carolina-based company where I had recently bought two dog collars, indicating they had discovered a breach.

Just as North Carolina law requires, the letter explained the actions the company took after the discovery and outlined steps I could take to monitor my credit reporting.

I would rather learn that way than from a credit card agency representative calling me about unusual charges on a company card at a New Orleans jewelry store. That’s what happened to my husband three years ago, 24 hours after he used his credit card at a local restaurant.

Cooper also said that, according to state law, consumers can freeze their credit reports, which I am now considering to protect myself from breaches I might not know about.