Cybersecurity is one of the more pressing topics for small businesses around the United States. With almost all business activities now taking place online, cyber criminals are taking advantage. Although there is no federal cybersecurity law yet, individual states are taking the matter into their own hands to protect their citizen’s personal information. 

Even if you don’t conduct much business online, you still must worry about your company and your employee’s personal data being targeted. Cybercriminals are quickly adapting.

For example, a cybercriminal can gain access to your work email. By gaining access, they can email anyone while pretending to be somebody who exists in the company. This can then allow them to access sensitive information, like bank account information and Social Security numbers. 

Some states recognize this threat and are working to make sensitive information tougher to access, in turn cutting down on identity theft and data breaches.

Washington’s Data Breach Notification Law

In May 2019, Washington state’s data breach notification law was amended by Governor Jay Inslee.

The update to the law states, “any person or business that conducts business in this state and that owns or licenses data that includes personal information shall disclose any breach of the security of the system following discovery.” Click here to read the full legislation.

Before this amendment, organizations based in Washington only needed to notify consumers about a data breach if their name was compromised along with their Social Security number (SSN), driver’s license number, state ID number, or financial account information.

The change adds the following to the above list: 

  • Birth Dates
  • Health Insurance ID Numbers
  • Medical History
  • Student ID Numbers
  • Military ID Numbers
  • Passport ID Numbers
  • Usernames & Passwords
  • Biometric Data
  • Electronic Signature

The notification letter sent to those in jeopardy due to a breach must include exactly what was exposed, the date it happened, the date of discovery, the length of the breach, and how many Washingtonians were affected.

This amendment to the previous law, expected to take effect March 1, 2020, was a result of a 26% increase of data breaches from 2017 to 2018.

California’s Cybersecurity Laws

In late September 2018, California Governor Jerry Brown passed a law requiring companies that make connected devices (full description here) to include specific safety features by Jan. 1, 2020. 

Another law passed by CA last year is reminiscent of Europe’s General Data Protection Regulation (GDPR) and is the California Consumer Privacy Act (CCPA). Going into effect on Jan. 1, 2020, the law states that businesses must provide the information they’re collecting on consumers when requested.

New York State Department of Financial Services (NYDFS) Cybersecurity Regulations

Housing Wall Street, New York wanted to develop a law that would require specific cybersecurity measurements to take place by financial institutions. From there, NYDFS cybersecurity regulations were born.

Every year, financial institutions must comply with the regulations by completing certifications to meet the requirements.

Some examples of covered institutions include:

  • Mortgage Companies
  • Insurance Companies
  • Licensed Lenders
  • State-chartered Banks
  • Private Banks
  • Foreign banks with the license to operate in NY.
  • Service Providers

According to NYDFS, the regulations are designed to help the customer and the business stay safe against cyberattacks. While this regulation was originally issued in early 2017, final provisions of the law came into effect on March 1, 2019.

These regulations pose as great protection against a large breach for financial institutions, however the penalties for noncompliance are ambiguous with simply just a mention of a fine.

Upcoming Legislation

Washington, California, and New York are leading the way for cybersecurity rules and regulations and other states are watching. Across the country, almost every state has proposed a cybersecurity bill.

According to the National Conference of State Legislatures, one area of focus is strengthening security practices for the government. Click here to learn about more areas that we could soon see legislation on.

Preventative Measures Your Small Business Can Take Now

Banking information (the company’s and each employee’s) is just one example of sensitive information that your company handles consistently.

Take extra precaution if an employee needs to make a change to something like their banking info. Make sure the request is in writing and adopt a bank change request form accessible through a secure company intranet or your HR department directly.

The more you educate yourself and your employees, the better prepared your business will be to stay vigilant in your cybersecurity efforts. 

How you process your payroll matters.

PrimePay is an SSAE 18 Type II compliant payroll company. Meaning, we've undergone a rigorous auditing process to provide the peace of mind that our company is secure.

One way our Online Payroll clients can ensure their banking changes are protected and legitimate, text messaging alerts are sent after a change to confirm its authenticity.

Those that utilize our Hands-off Payroll solution work closely with their dedicated Client Success Representative to make sure that every request is in writing, but all of the secure and critical details are submitted through specific forms and encrypted email communications.

With PrimePay, Your Payroll is Safe & Secure

Your business matters. Start working with PrimePay today to ensure your business is safe from payroll fraud. Not to mention, our all-inclusive payroll, tax, and HR bundle lets you focus on what matters most!

Click here to learn more or fill out the form below. 

Disclaimer: Please note that this is not all inclusive. Our guidance is designed only to give general information on the issues actually covered. It is not intended to be a comprehensive summary of all laws which may be applicable to your situation, treat exhaustively the subjects covered, provide legal advice, or render a legal opinion. Consult your own legal advisor regarding specific application of the information to your own plan.