Personal, customer, and company information, stored on office computers, field laptops and tablets, and in the cloud is extremely valuable. But all too often, it isn’t treated that way by the holder, just by those who want to steal it.

When a company suffers a computer breach—a cyber-attack due to unauthorized access—not only can it cause brand damage and loss of customer trust, but it can also incur unexpected costs to investigate the damage and, in some cases, compensate the customer for damages. To prevent such events from occurring, it is important to review your company’s cybersecurity policies and take countermeasures.

A recent survey, by Japanese security firm Cyber Security Cloud, covering 50 medium-sized personal data breaches–cases with a damage scale of more than 1,000 datapoints and less than 1 million—caused by unauthorized access found the retail segment was the hardest hit. However, among public (stock issuing) companies, the manufacturing segment, including construction, was the one with the most listed companies affected.

Remember, when companies tell consumers they will safeguard their personal information, the Federal Trade Commission can and does take law enforcement action to make sure that companies live up these promises. The FTC has brought legal actions against organizations that have violated consumers’ privacy rights or misled them by failing to maintain security for sensitive consumer information or caused substantial consumer injury.

And it doesn’t matter if you are a small, medium or large company. For example, Kohl’s Department Stores agreed to pay a civil penalty of $220,000 to settle FTC allegations that the Wisconsin-based retailer violated the FCRA (Fair Credit Reporting Act) by refusing to provide complete records of transactions to consumers whose personal information was used by identity thieves.

The Commission alleges that Kohl’s refused to provide information identifying the thieves to identity theft victims, despite the fact that the FCRA guarantees victims access to this information. The FTC also alleges that the company failed to provide the information within 30 days, as required by the FCRA. The information sought by identity theft victims included records of sales made by the identity thieves using stolen personal information, along with the perpetrator’s name and contact information.

In addition to the civil penalty, Kohl’s is required to provide identity theft victims, who provide valid verification of their identity and the identity theft, with access to business transaction records related to the theft within 30 days. The company also must post a notice on its website informing identity theft victims about how to obtain records related to identify theft, and certify that it has reached out to victims who were unlawfully denied access to such records in the past.

Avoid these pitfalls by increasing the cybersecurity training of your employees, audit the security of your data storage and cloud services, and keep an eye on the latest scams and phishing techniques to prevent loss of your sensitive data and that of your customers.

Want to tweet about this article? Use hashtags #construction #IoT #sustainability #AI #5G #cloud #edge #futureofwork #infrastructure #cybersecurity