Considering the slew of headline-grabbing data breaches being reported, it should come as no surprise that small business owners are brushing up on their state data breach notification laws. However, one recent study found that only 33 percent of small business owners and decision-makers feel "very confident" in their understanding of their states' breach disclosure legislation.
Additionally, 34 percent feel "moderately confident," and 14 percent of respondents felt "not at all confident," according to a study conducted by security firm Software Advice, which surveyed 180 owners and decision-makers at U.S. organizations of 500 or fewer employees.
While more than half of respondents reported having a moderate understanding, they might not be aware of the full scope of the legislation, said Lisa Sotto, partner and chair of the privacy and cyber security group at Hunton & Williams, in an interview with SCMagazine.com.
“[Data breach notification laws are] a real maze to navigate,” she said. “And it's really difficult for a small business owner to have a good understanding of this maze and be able to implement the rules if needed.”
A research manager at Software Advice found the percentage of respondents who felt “very confident” in their knowledge to be low.
“We were surprised by that figure being low too, mainly in light of a lot of recent coverage of President Obama pressing the need for national regulation,” said Melissa McCormack in an interview with SCMagazine.com.
Furthermore, even those who might feel at least moderately confident with their states' legislation were not using their knowledge to devise a data breach plan. Forty-nine percent of respondents reported having a breach response plan in place, and 29 percent of respondents had cyber insurance.
The gap between respondents' understanding of their laws and their actually implementing a data breach response plan could stem from the two being separate areas of focus, said David Singh, counsel in the Silicon Valley office at Weil, Gotshal & Manges, in an interview with SCMagazine.com. A company without a notification plan doesn't necessarily lack proper security, either, he noted.
The study, for instance, demonstrated that 82 percent of respondents said they encrypted customer personal information in some capacity.
The percentage struck both Singh and Sotto as somewhat high, however.
“It's great if there's such a high percentage of encryption,” Singh said. “I question self-reporting. It might be an influence of self-reporting [rather than what] might actually be the case.”
McCormack noted that the survey didn't explicitly ask to what extent the data was encrypted, so that was left to the respondents' interpretation.
“We came to the conclusion that it's possible that folks think they are encrypting their data but haven't fully implemented an encryption solution,” McCormack said.