New privacy regulations are making cybersecurity a necessity
Let’s start with the good news. Many states within the USA are implementing privacy regulations to protect our individual data. As individuals, this is good for us. Finally, companies will face serious consequences in the form of substantial fines for collecting more information than they disclosed, for sharing our information without our explicit consent, or for failing to take reasonable measures to protect our information.
Keep that phrase, “reasonable measures,” in mind. We’ll come back to it.
This started with the European Union implementing the General Data Protection Regulation (GDPR) back in May 2018. California was next, with the California Consumer Protection Act (CCPA). Now New York has joined the party with its (awkward acronym award winner) Stop Hacks and Improve Electronic Data Security Act (SHIELD). There are many, many more to come. And federal legislation is in the works as well. You may think that in this highly partisan political environment it’s unlikely federal legislation will pass, but this issue has significant bi-partisan support.
For purposes of this article, we are only focusing on one aspect of these new laws, something they all have in common: the requirement of “reasonable measures” to protect information.
That means cybersecurity.
Let’s look at the SHIELD Security Act which, in spite of its forced acronym, might be the most clearly written of these new regulations. Here is what it requires for compliance:
“...reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” (https://www.nysenate.gov/legislation/bills/2019/s5575).
Note that the word “reasonable” has a specific legal definition with a long history within the legal system (cool fact, one of the people most connected to this standard was, no joke, named “Learned Hand”). For purposes of “reasonable” cybersecurity measures, the FTC provides this language:
“Employing reasonable safeguards to protect the confidentiality, integrity or availability of data given the type, amount and sensitivity of that data in relation to the size, sophistication and capability of the organization.”
But SHIELD provides more definition, which is quite helpful for those looking to achieve compliance. SHIELD suggests that a “reasonable” cybersecurity program should include, at a minimum:
- designation and training of employees to coordinate cybersecurity compliance;
- the use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract;
- risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage;
- processes and physical safeguards to detect, prevent and respond to attacks or system failures;
- monitoring and testing of the effectiveness of the cybersecurity program;
- processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes; and
- updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.
Also note that these regulations have requirements for data breach notification. In plain English, if you expose my data to an unauthorized party, you have to tell me about it. Most regulations require notification within 72 hours of discovering the breach.
If you want to take a deeper dive on these privacy regulations, I recommend you take a look at the terrific guide put together by Whole Whale, A 2020 Pragmatist’s Guide to US Digital Privacy Laws: CCPA, SHIELD.
If you want to get your cybersecurity program in shape (or, for many of you, simply start a cybersecurity program), then prepare for a shameless plug.
Defendify by RoundTable provides the very definition of “reasonable measures” for cybersecurity. You can learn more at the link, or attend our Defend and Protect webinar on February 27th, or, of course, reach out and talk to us!
Whatever you do, please be reasonable.