If you run a small or midsize business (SMB) and you’re concerned with phishing protection, there was a lot to read in the news last week. Let’s get the bad news out of the way.

According to an article on Security Week website, Karl Racine, attorney general for the District of Columbia introduced a new bill, the Security Breach Protection Amendment Act of 2019. The bill expands the types of information companies are held accountable for.

The article states that, “Current legislation covers social security numbers, payment cards, and driver’s license numbers, and the new bill would also add passport numbers, military IDs, biometric data, health information, taxpayer identification numbers, health insurance info, and genetic information and DNA profiles to that list. The bill also requires companies that own, maintain, license or handle personal information to implement security measures to prevent unauthorized access and data misuse. Companies that expose social security numbers will be required to provide affected customers free identity theft protection services for a period of two years.”

Almost every SMB maintains personal information—all it takes is a single employee or contractor. What this bill means is it’s now the law that you must implement security measures to protect your employees’ personal information. And the penalty for not doing so can cost a lot more than the protection itself.

You can protect up to 100 of your employees with advanced phishing protection for less than 50 bucks a month. I doubt you can provide identity theft protection for 100 employees for that.

Now for the good news. It looks like SMBs are getting the message. According to an article on Help Net Security website, SMBs are willing to spend what it takes to protect their business. The article points out that “79% of SMBs are planning to invest more in cyber security in the next 12 months.”

What’s even more encouraging, is that the SMBs are willing to forego penny-pinching when it comes to protection. “SMBs are willing to pay 24 percent more on average for the right cybersecurity offering. Nearly half of all SMBs surveyed in the US (47 percent) would pay at least 20 percent more for the right cybersecurity solution.”

SMBs are not just looking for cybersecurity protections, they are ready to invest more to protect their businesses,” said Brian Downey, Senior Director, Security Product Management at Continuum.

If you run an SMB and you haven’t yet taken advantage of low-cost, cloud-based phishing protection technology, it’s time to start protecting your employees. After all, it’s the law.