
Cybersecurity For Small Business In New York

There is a TON of content online that relates to cybersecurity. To the lay person, and even to the sophisticated professional, cybersecurity is usually thought of as the obligation to protect personal information from exposure through a computer hack.

The depth of a business’ involvement in cybersecurity depends on several factors: the type of information stored, where and how that information is maintained, the size of the organization, the industry in which it operates, and so on. As a simple example, the resources a public company like JP Morgan Chase dedicates to cybersecurity far exceed how your local chiropractor handles data security.

Yet despite the disparities in data security management between global financial institutions and local businesses, New York law still imposes cybersecurity obligations on even the smallest of businesses so long as “private information” is being stored: social security numbers, driver license numbers, financial account numbers with their access codes, etc.

General Business Law § 899-bb states that small businesses are in compliance if “the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.”

Typical legal speak, right? Awesome.

What constitutes “reasonable administrative, technical and physical safeguards” includes, but is not limited to, taking actions such as “identif[ying] reasonably foreseeable internal and external risks,” “detect[ing], prevent[ing] and respond[ing] to attacks or system failures,” and “assess[ing] risks of information storage and disposal.”

How does a small business such as a local dentist identify reasonably foreseeable internal and external risks to the integrity of patients’ social security numbers? How does he or she detect, prevent and respond to attacks or system failures?

They rely on affordable service providers to store and protect the private information. When it comes to cloud computing, sure, some providers are more secure than others, but the business has to weigh the cost of increased security against the likelihood and impact of a breach, based on what information is being stored and how much of it there is.

If a business does not rely on cloud storage and instead keeps everything on local computers and external hard drives, the basics are simpler: don’t share the data online and keep your computers and hard drives out of the hands of strangers. Keep in mind, though, that the statute’s physical-safeguard prong still asks you to assess the risks of storage and disposal, so a drive that walks out the door or is thrown away with readable data on it is exactly the kind of foreseeable risk the law has in mind. In any event, a scenario in which data is stored 100% locally is unlikely given the availability and affordability of web-based business tools: Amazon Web Services, Dropbox, QuickBooks, Google Drive, Square, etc.

In other words, as the owner or manager of a small business, you’re not expected to be an expert in data security. However, you are expected to take measures to ensure that the systems you rely on for data storage offer a level of security commensurate with the information on hand. So if you Google “least secure cloud storage system” and find several tech sites that list cloud storage options offering next to no data security, should a small business use those offerings? You know the answer to that.

On the other hand, if you choose to store private information with a well-known provider such as Microsoft’s OneDrive, and you actually set up strong, unique passwords (and turn on the multi-factor authentication the provider offers) to protect that information, then you’re probably within the boundaries of what the law considers to be “reasonable administrative, technical and physical safeguards.”

Stephen Donaldson