NEW PRIVACY REGULATIONS ARE MAKING CYBERSECURITY A LEGAL REQUIREMENT
Let’s start with the good news. Many states within the USA are implementing privacy regulations to protect our individual data. As individuals this is good for us. Finally, companies will face serious consequences in the form of substantial fines for collecting more information than they disclosed, for sharing our information without our explicit consent, or for failing to take reasonable measures to protect our information. Keep that word, “reasonable,” in mind. We’ll be coming back to it.
GDPR GOT THE DATA PRIVACY BALL ROLLING
This started with the European Union implementing the General Data Protection Regulation (GDPR) back in May 2018. California was next, with the California Consumer Privacy Act (CCPA). New York has joined the party with its (awkward acronym award winner) Stop Hacks and Improve Electronic Data Security Act (SHIELD), whose data security requirements took effect in March 2020. Of course, something else was going on in March 2020, so it is no wonder we weren’t paying close attention to new data privacy laws. There are many, many more laws to come, and federal legislation is in the works as well. You may think that in this highly partisan political environment it’s unlikely federal legislation will pass, but this issue has significant bipartisan support.
LET’S BE REASONABLE
For purposes of this article, we are focusing on only one aspect of these new laws, something they all have in common: the requirement of “reasonable” measures to protect information. So, what do “reasonable” measures look like?
Note that the word “reasonable” has a specific legal definition with a long history within the legal system (cool fact: one of the judges most responsible for the modern “reasonableness” standard in negligence law was, no joke, named Learned Hand). For purposes of “reasonable” cybersecurity measures, the Federal Trade Commission provides this language:
“Employing reasonable safeguards to protect the confidentiality, integrity, or availability of data given the type, amount, and sensitivity of that data in relation to the size, sophistication, and capability of the organization.”
IF YOU COLLECT IT, PROTECT IT
SHIELD, however, provides more specific details, which is quite helpful for those looking to achieve compliance. SHIELD requires that a “reasonable” cybersecurity program include, at a minimum:
- Designation and training of employees to coordinate cybersecurity compliance;
- The use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract;
- Risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission, and storage;
- Processes and physical safeguards to detect, prevent, and respond to attacks or system failures;
- Monitoring and testing of the effectiveness of the cybersecurity program;
- Processes to safely, securely, and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes; and
- Updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.
IF YOU FAIL ME, TELL ME
Also note that these regulations have requirements for data breach notification. In plain English, if you expose my data to an unauthorized party, you have to tell me about it within a reasonable timeframe. That timeframe ranges from law to law: GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach, most US state laws set outer deadlines measured in weeks (commonly 30 to 60 days), and SHIELD itself requires notice “in the most expedient time possible and without unreasonable delay.”
One ground-breaking aspect of the NYS SHIELD law is how it defines what constitutes a breach. Under the law, a breach is not only the unauthorized acquisition of protected information but any unauthorized access to it.
For example, suppose an employee of an organization falls for a phishing attack and his or her credentials are compromised, giving a cybercriminal access to personal information that the organization stores. The cybercriminal does not have to obtain or copy any of that information for the incident to be considered a breach by SHIELD standards. A practical consequence is that, after a credential compromise, you need access logs that show what the attacker could reach and whether it was actually touched; without that evidence, the safe assumption is that the protected information was accessed and the notification obligation applies.
If you want to take a deeper dive on these privacy regulations, I recommend you take a look at the terrific guide put together by Whole Whale, “A 2020 Pragmatist’s Guide to US Digital Privacy Laws: CCPA, SHIELD.”
If you want to get your cybersecurity program in shape (or start a cybersecurity program from scratch), then prepare for a shameless plug:
RoundTable’s Cybersecurity Program is built around exactly these “reasonable measures” for cybersecurity. To learn more about RoundTable’s Cybersecurity Program, book a brief discovery call with one of their experts or give them a call at 866-784-3543.
Whatever you do, please be reasonable.