
Why you need Cyber Liability Insurance


Security threats are becoming more prevalent, making it essential for businesses to act.  An alarming percentage of all consumers have experienced a cybercrime, with a 186% surge in breached personal information and a 466% increase in phishing reports as of Q1 2025 [1].  In 2024, the FBI received on average about 2,354 internet crime complaints per day [2], and total losses were about 16.6 billion dollars.  The need to protect yourself and your customers from the threat of cyber criminals has never been greater; a single careless click can have devastating consequences.  Businesses must prioritize cyber security to protect themselves and their customers.


A major push from consumer advocacy groups and lawmakers is forcing businesses to provide restitution to customers whose data is in their care.  From simple phone numbers to detailed medical records, any identifying information that has been breached is now subject to civil lawsuits.  California and New York have changed their laws in favor of the consumer, making it customary to provide two years of credit monitoring for any person impacted by a data breach.


For example, the New York State SHIELD Act reads: “Disclosure of the breach must be made in the most expedient time possible.”  The law requires businesses to inform multiple agencies, including the Attorney General’s office, the New York Department of State, and the New York State Police.  “Under the SHIELD Act, the Attorney General may seek injunctive relief, restitution, and penalties against any business entity for violating the law.”  At the time of writing this article, failure to provide timely notification may result in a New York court imposing civil penalties of up to $20 per instance of failed notification (not to exceed $250,000) [3].  If the affected business fails to maintain reasonable safeguards of customer data, the court may impose a civil penalty of up to $5,000 per violation.  Consult an attorney and/or a knowledgeable broker familiar with the rules, penalties and coverage requirements in your business’ operating area.


Currently, the North Carolina Department of Justice requires that a business or agency that owns or licenses records containing personal information that has been subject to a breach must notify the owner or licensee of the information that the data has been compromised.  Additionally, the notification must contain the following items:

  • A general description of the security breach incident.
  • The type of personal information breached.
  • A general description of your efforts to avoid further unauthorized access to personal information.
  • The telephone number where people can call for more information and assistance, if one exists.
  • Advice for people who are affected.
  • Contact information for the major consumer reporting agencies, the Federal Trade Commission and the North Carolina Attorney General’s office.


Usually, the insurance company will provide a questionnaire to understand your data protection practices and associated risks.  Using these as a guide, you can fortify your physical and digital protection systems and procedures.  Below are some areas of concern:


  • Enforce password management practices (e.g. change passwords every 90 days, minimum lengths, etc.), including multi-factor authentication (MFA/2FA)
  • Utilize anti-virus/anti-malware software
  • Implement a patch management process
  • Train employees on phishing and social engineering detection
  • Use a well-defined backup procedure and protect backups with MFA and encryption
  • Encrypt data during storage and in transit
  • Have a formal business continuity plan and/or disaster recovery plan
  • Use a formal incident response plan for any type of intrusion or breach
  • Enable a SPAM filter for email
  • Ensure access to critical data (in both physical and digital forms) is limited
  • Document a formal privacy policy and review it yearly (at a minimum)


When working on your data security and procedures, it helps to adhere to some well-accepted guidelines and practices.  The industry and market you operate in determine which regulations you must follow.  Below is a short list of some of the regulatory groups and the standards they require members to implement:


| Industry and/or Service Affected | Compliance Organization / Governing Body | Standards to Follow |
|---|---|---|
| Companies that handle personal / financial data | American Institute of CPAs (AICPA) | Service Organization Controls |
| Credit Card Processing | Payment Card Industry Security Council | PCI DSS (Data Security Standards) |
| Medical / Health Data | US Government | Health Insurance Portability and Accountability Act (HIPAA) |
| Manufacturing / Service industries | International Organization for Standardization | ISO/IEC 27001:2017 |
| Publicly traded companies | US Government | Sarbanes-Oxley Act of 2002 (SOX) |


It is important to consider the extent of coverage when purchasing cyber liability insurance, including outages or unauthorized use of corporate services and systems.  For example, a customer had their phone system hacked, resulting in over $6,000 in long distance calls over one weekend.  Although this qualified as a breach of the company’s services, the insurance carrier did not cover this event, and the customer was responsible for the thief’s charges.

If you need a review of your security procedures or wish to discuss any of these topics in more detail, please do not hesitate to contact me.


Meeting customers’ IT needs since 2002.

CMC Dataworks, Inc.


13000 S. Tryon St.

Suite F-112

Charlotte, NC 28278

NC: (704) 981-1399

www.cmcdataworks.com

www.cmcforensicworks.com


Additional Info

Media Contact : Christopher Cassar - CMC Data Works
