Issues on the Employment Law Horizon


Employers Should Consider Requiring all Employees to Keep Time Records

Cybersecurity Compliance: Small Businesses Need to Protect DataBruce E. Loren, Esq. and Michael St. Jacques, Esq. | Mar 26 2018

In January we published an article highlighting the importance of obtaining a “cyber” liability insurance policy. This article provides an overview of the types of data that businesses are required to protect, the growing body of regulations that businesses must comply with, survey results identifying primary cybersecurity threats and resources to help evaluate your company’s vulnerability to cyber-threats.

Understanding Protected Categories of Sensitive Data

Sensitive data typically refers to an individual’s personal information, medical records and financial information. There are a number of laws designed to protect sensitive information from unwarranted disclosure and unauthorized access. Some of the well-known Federal laws include:

• HIPPA - protects health, medical and psychological information;
• FERPA - protects student grades and financial aid/grant information; and
• Gramm-Leach-Bliley Act - protects financial information in connection with lending.

In addition, many states have passed or adopted cybersecurity legislation specifically aimed at protecting an individual’s sensitive information. The Florida Information Protection Act of 2014 (FIPA) was enacted to protect “personal information” in electronic form in the possession of commercial entities. Under FIPA, personal information (PI) means:

• an individual’s first name (or first initial) and last name in combination with a social security number, driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
• financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
• any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
• an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
• a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

Covered entities under FIPA are required to protect PI from unwarranted disclosure. In the event of a data breach, the breaching entity must report its failure to protect PI.

Threats to Security of Sensitive Data

The Florida Center for Cybersecurity’s 2017 Report - The State of Cybersecurity in Florida (the “Report”), identifies three categories of threats, environmental, human and social. Florida is second only to California for risk of environmental disaster (hurricanes, flooding, humidity, power loss, water intrusion).

Human threats can come from within the organization or outside. Internal threats can result from intentional acts or employee negligence. According to the Report, 48% of companies responding to a survey indicated that the root cause of the data breaches experienced by the company were the result of a negligent employee or contractor. The second highest reported cause was “third party mistakes,” while “error in system or operating process” took third place. The key is that human error accounted for the significant majority of data breaches, while external attacks only comprised 27% and malicious insiders a mere 5%. The good news is that the vast majority of data breaches were reportedly caused by friendly error, which can be managed.

Resources for Developing a Complete Internal Cybersecurity Strategy

Each organization has different needs depending on its business and level of vulnerability. A complete strategy covers all aspects of each business from the server(s) to physical building access to each employee’s smart phones and flash drives. Best practice is to hire a reputable information security professional to analyze your system and provide you a vulnerability assessment and recommendations with respect to (1) Data Security, (2) Access Security, (3) Network Security, (4) Physical Security, (5) Mobile Device Security, (6) Email Security, (7) Removable Media Security and (8) End User Security.

Florida’s Agency for State Technology (FAST) provides polices and procedures for Florida state agencies, which are identified under Florida’s Administrative Code Chapter 74-2, Information Technology Security. In addition, FAST provides examples of best practices for consideration, a few of which include: (a) segmenting network (if one segment of network is breached others may remain safe); (b) implementing two-factor authentication (when user signs onto system with password must also verify from a personal device before allowed access); and (c) blocking malicious code (applications or code cannot be introduced to system without approval).

FAST also provides Cyber Security Tips:

1. Think before you click – images and ads can now contain malware.
2. Protect data that can be used to steal more data about you.
3. Patch your devices and software.
4. Use strong passwords; and try to use different stronger passwords for financial and health systems.
5. Don’t share devices and accounts.
6. Back up your files – bad cyber actors will try to lock them and make you pay to retrieve, it’s easier and cheaper to recover from a backup.
7. Use security connections – protect your data while it passes through cyber-land.
8. Install protective software – use desktop firewalls, antivirus, and other services that can help you protect your data.
9. Be aware of emerging threats and attack vectors – know what they want, how they will attempt to steal it and what they will do with it.

Reports suggest that successful implementation results from ownership and management setting the tone and leading by example. Where management identifies cybersecurity as an urgent priority, the team will follow leadership cues. We sometimes come across employees and even managers who resist technology (or change in general) and demonstrate an anti-tech mentality. Best practice is to train the team well, coach the team repeatedly and firmly deliver the message that cybersecurity protocols are a mandatory first priority.

Procuring a cyber policy is an important component to help minimize the impact on small businesses that have suffered a data breach, cyber-attack or other event. However, purchasing a cyber liability policy does not amount to a cybersecurity strategy. The goal is to implement an effective risk management strategy to minimize claims.

The take away is that small businesses need to implement a cybersecurity plan and will probably need some help from an information security professional to do so effectively. As with most issues, front end compliance is far less expensive than getting caught out of compliance.

Bruce Loren, Esq. and Michael St. Jacques, Esq. of the Loren & Kean Law Firm are based in Palm Beach Gardens and Fort Lauderdale, Florida. Among other areas, Mr. St. Jacques focuses on Internet Marketing Law and the issues that surround this unique practice. Mr. Loren and Mr. St. Jacques can be reached at and or by phone at 561-615-5701.