If you are a business owner in the Inland Empire, what would you identify as the greatest threat to the security of your data? Is it hackers looking for credit-card numbers? Could it be foreign governments stealing industrial secrets? Depending on the nature of your business, it could be one of those well publicized threats – but the most likely cause of a data breach and financial liability for your business is much closer to home. It is you and your employees.

According to statistics collected by the insurance industry involving cybersecurity claims made in 2013, the majority of incidents where data were compromised involved actions by employees at companies who have an annual revenue of $300 million or less.

Many of these incidents involved employee theft, but the majority were the result of accidents, negligence and poor data hygiene. The cause of these data breaches included the failure of a company to adequately secure data, the accidental release of sensitive documents by employees and the theft or loss of computer hardware or mobile devices used by employees that contain sensitive information.

If your business provides services for other companies that involve holding or having access to their private personal data or helping your customer secure that data, then the negligent act of an employee may not only compromise your business, but the business of your customers as well.

California currently requires businesses and government agencies to report any data breach involving personal information. However, this is just the first step in a long process of managing risk and liability. Depending on the nature of the incident and the personal data that have been disclosed, a business may face regulatory fines and lawsuits from employees and customers. Increasingly, banks and credit-card issuers are also filing lawsuits against companies if the release of data results in losses from identity theft or other criminal activity. Several states (not including California) have adopted laws that impose fines and financial responsibility for data breaches, and there is a lot of activity in Congress to do something similar at the federal level. The average cost to a business per record lost in cybersecurity claims in 2013 was $956, which included compliance costs, legal fees and settlements. Accordingly, even a relatively small breach of a few hundred records could have a significant financial impact on a local business.

A company can go a long way toward mitigating the risk of liability from a data breach by taking some simple steps:

• Perform an annual audit of sensitive data that are held by the company and review how that information is protected.
• Limit access to sensitive data to only those employees who need such access to perform their jobs.
• Make certain that sensitive data are encrypted when being transferred between the company and customers, employees or third parties who are authorized to receive the data.
• Make sure all sensitive data that are stored on laptops, mobile devices or in cloud applications are encrypted at all times.
• Make certain that all printed documents with sensitive data are properly stored in a secure location and shredded with a cross-cut shredder when disposed of.
• Have an internal process to monitor and control employee use of sensitive data, particularly where employees work remotely or use laptops or other devices to access and store sensitive data.

Adopting good practices not only prevents self-inflicted wounds, but will help to mitigate regulatory fines and financial liability by demonstrating that you have exercised reasonable care to protect sensitive data.

* This article first appeared in The Press-Enterprise on Nov. 29, 2015. Republished with permission.