The marquee breaches that have occurred recently (i.e. Anthem, Home Depot, Morgan Stanley, Target, Linked In, and Sony) have helped U.S. Fortune 1000 companies understand that data security must be taken seriously.  Not only must companies invest in their data security, but they must proactively manage and protect it.  Previously, large corporations generally considered hacking attacks and general security breaches as “Force Majeure” events in that they were both unpredictable and unpreventable.  Therefore, many of the Fortune 1000 purchased cyber insurance, rather than increasing capital investment in data security technology. See Philip Lieberman’s insightful article.

However, with the rising regularity of data breaches and the consequential lawsuits, insurers are no longer covering these events as readily as they did in the recent past, since they are not in the business of making capital investments into their customers’ businesses.  This has forced the Fortune 1000 to begin making the necessary capital investments and to begin sharing information about their data breaches, not only with the government, but also with each other.  This trend towards proactive management and information sharing will only increase with the White House’s recent proposal of the Cyber Threat Sharing Act of 2015.

As the Fortune 1000 strengthen their collective defenses, this reduces the amount of “low hanging fruit” available to cyber criminals, forcing them to target small and medium sized companies who often have weak defenses.  Currently 31% of hacks occur at companies with less than 250 employees.  That percentage will increase as criminals shift their focus to what may be perceived as “softer” targets.  Only 20% of small/medium companies have formal written information security plans that are barely more than “check the box” plans.  Complicating this picture for small and medium sized companies: the plaintiff’s bar, having cut their teeth on earlier data breach class action law suits against the Fortune 1000, are improving their techniques.  Future lawsuits may not be dismissed as readily for lack of damages as more and more complaints shift from alleging “data breach” to alleging “identity theft”.

The takeaway is that small and medium sized companies need to better understand the risks associated with the personal information that they collect, use, share, and store, and they have to be proactive in securing it.  Start with a privacy impact assessment, put the right policies and technologies in place, train your employees, and have a response plan.  You do not want to be low hanging fruit.