Cybersecurity Risks for Small Businesses, Part I: What are my Cybersecurity Liabilities as a Small Business?


Cybersecurity is a major concern in our inter-connected world. NH SBDC is taking small, vetted steps to provide NH small businesses with information on the topic. Thank you to Anthony Perkins and Eric Langland, Bernstein Shur, for contributing this article series. 


Part I: What are my cybersecurity liabilities as a small business?


“I’m a small business. Hackers won’t target me.” Many small businesses may think they are immune from cyber attacks and data breaches because the payoff for criminals isn’t lucrative enough. On the contrary, small businesses should be more concerned than big businesses when it comes to cyber risks. In 2017, sixty-one percent of data breach victims were businesses with fewer than 1,000 employees. Even more concerning, forty-three percent of all cyber attacks were targeted at small businesses! The problem isn’t limited to just getting hacked either, as many data breaches result from employee error or negligence.  What does this mean for your business?

Implementing new measures

Preventing a breach out of the gate is easier and often less costly than repairing the trust and confidence of your customers after a cybersecurity incident.  After a breach, most companies will assess their current security program and enact new measures to prevent future incidents. The implementation of new security policies and technologies on an expedited basis often takes more time and money than upfront preventive measures would have.

Lawsuits and other penalties

Data privacy and data security laws can vary significantly from state to state, and you may be subject to individual or class action lawsuits as a result of a data breach.  In addition, failure to follow notification provisions in state data breach laws could result in penalties by state enforcement agencies.  Collateral damage to the company can also include loss of business and damage to the company’s reputation.

Government enforcement actions

State attorneys general are empowered to investigate and penalize businesses that violate state unfair and deceptive acts and practices laws (UDAP). Originally designed to protect consumers from predatory and unscrupulous businesses, UDAP laws have been applied to businesses that fail to take reasonable measures to protect customer data. 

Outside forensic investigation and legal counsel

To determine the source and scope of a breach, you may have to hire outside forensic investigators. Similarly, you may have to consult with outside legal counsel prior to notifying consumers and state agencies. These steps not only add costs, but can also interrupt day-to-day business while the investigation is ongoing. Depending on the results of the investigation, significant remediation efforts may be required to fix the problem and stem the breach.

New Hampshire State Data Breach Laws

Under New Hampshire law, any person doing business in the state who owns or licenses computerized data that includes sensitive personal information must notify all individuals affected by a breach, in addition to notifying the regulator of its industry or the attorney general, as soon as possible after becoming aware of a security breach. If the entity is required to notify more than 1,000 consumers, it must also notify consumer reporting agencies. The notice to consumers must include a description of the incident, the approximate date of the breach, the type of personal information obtained, and the telephone contact information for the entity. Additionally, the business will need to comply with the data breach statutes in each state where its affected customers reside. For companies with a nationwide customer base, that could mean complying with 54 data breach statutes (don’t forget about D.C., Puerto Rico, Guam and the Virgin Islands). Unlike New Hampshire, most other state data breach laws include a requirement to provide the affected individuals with free credit monitoring for a period of one or two years.


Now that you know your liabilities, what measures should you take to reduce your risks? Stay tuned for Part II of this Blog series: What measures can I take to reduce my cybersecurity risks?

