Give SMBs A Break On Cyber Penalties, Researchers Argue

Two researchers from Bloomsberg University of Pennsylvania are arguing that small businesses should not be held accountable to the same level as large corporations when hit by a cyber attack that exposes sensitive data.

Reports in the Wall Street Journal on Sunday (November 25) said that researchers Loren F. Selznick, associate professor of business law and Carolyn Lamacchia, associate professor of information and technology management, argue that small businesses do not have the resources to remain resilient after government fines or lawsuit payouts following a cyber incident.

Their report, published in the Journal of Business & Technology Law, argues that small businesses need to be protected under federal law from such penalties that could threaten the future of those companies.

“We start with the unfairness of expecting a small business — a diner, a hair salon, a car service — to have the sophistication and expertise necessary to protect data today,” Selznick told the publication in an interview. “They don’t have the funds to hire a person with that kind of training.”

She added that policymakers have designed corporate cybersecurity penalties with large enterprises in mind, with some states requiring up to $2,500 in fines for each exposed customer record, even if the business is not shown to be at fault. Other requirements include customer identity theft protection services paid by the business, or rules that allow consumers that successfully sue a business to retain attorney’s fees from that business.

“We’re suggesting that small businesses obtain cybersecurity services from their information-technology vendors so they get the advantage of the abilities of the vendor,” Dr. Lamacchia added.

According to Selznick, the “ideal” would be to design safe harbor rules to protect small businesses from liability if they do not behave criminally. “But that doesn’t mean small businesses shouldn’t do anything to protect data,” she noted.