The majority of mid-market businesses are under the mistaken belief that, unlike the big corporations, they need not worry about cybersecurity. The facts, however, show that small and medium businesses are the primary targets for cyber attacks, making up 43 percent of all attacks versus all other entity types.
Not only are cyber attacks a real threat but there are federal, state, and even international regulations that require certain cyber security protocols be followed. Whether you like it or not, your company may be subject to cyber compliance laws and ignoring these requirements may cause you to face legal consequences if your company faces a data breach.
People care about privacy. Your employees, clients, and business partners have a right to understand what information you may have collected on them over the course of your business relationship. This includes simple pieces of information like name, email address, and phone number. You have a legal obligation to disclose what you have on file if you are asked to by an individual.
Each geographic region has nuances to data privacy you must comply with. Each state in the U.S. has a different version of this. In the EU, GDPR is most prevalent. Industries like healthcare and finance, and government entities, also have specific requirements.
STATE DATA PROTECTION REGULATIONS
The federal regulations do not cover every person, business, and scenario. Individual states have the prerogative to decide where and how to fill in the gaps left by federal cyber security laws. Every state has laws designed to protect data but not all take into account cyber threats. That fact is changing every year, however.
State legislatures are constantly considering and adding new cyber laws to keep pace with and address cybersecurity concerns. In 2019, for instance, 45 states and Puerto Rico introduced or considered cybersecurity bills.
Most of the cybersecurity laws apply to state governments and their agencies, but as of 2019, half of all states have data security laws in place that apply to private businesses. The majority of these laws apply to private businesses that hold personal information about a state resident and require them to implement and maintain some sort of reasonable cybersecurity procedures to protect that personal data.
All states, however, have security breach notification laws. That is, when a breach of private data occurs, the business that was breached has the burden of reporting the impact of the breach to affected parties.
FEDERAL DATA PROTECTION REGULATIONS
There are a handful of federal regulations concerning cybersecurity that every company should be aware of. As major breaches start to appear regularly in the news cycle, however, the federal government is keen to add cybersecurity laws to address the changes in the cyber landscape.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is known for the establishment of rules for protecting the privacy of patient health information. HIPAA also has a security component specifically designed to protect the creation, use, transfer, and maintenance of electronic personal health information.
The HIPAA Security Rule establishes several safeguards to protect the confidentiality of electronic personal health records. The general requirements are the following:
- Ensure confidentiality of all electronic protected health information that the covered entity creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threat or hazard to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted
- Ensure compliance by the covered entity’s workforce
Covered entities include health plan providers, health care clearinghouses, and health care providers such as doctors, dentists, pharmacists, etc. Business associates that work with covered entities must also abide by HIPAA. For instance, CPAs or lawyers who receive protected health information may be subject to the HIPAA Security Rule.
While HIPAA allows for some leeway in how companies ensure security, there are specific administrative standards and requirements entities must follow.
First, covered entities must conduct a risk analysis to assess potential risks and vulnerabilities to their network that could be exploited to expose protected health information. They are also required to implement security measures that sufficiently reduce those risks and vulnerabilities.
The HIPAA security rule also addresses the fact that a large majority of cyber attacks come via social engineering. The “Sanction Policy” addresses this by requiring that there be appropriate sanctions against employees who fail to comply with the security policies of covered entities.
Finally, organizations bound by HIPAA must implement procedures to regularly review network security.
While many states are only now recognizing the threats posed by cyber attacks, the federal government has had data-security-specific regulations in place since 2002. The Federal Information Security Management Act (FISMA) was enacted to create data compliance standards for government agencies and for companies that contract with the government.
Even though only government agencies and contractors are subject to FISMA, its requirements are what every organization should be doing to protect itself from cyber attacks. Below is an overview of the main requirements of FISMA.
- Inventory and categorize information systems
- Choose baseline security controls
- Perform a risk assessment
- Create a system security plan
- Obtain certification and accreditation by a designated security official
- Perform continuous monitoring
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, established security requirements for financial institutions. Financial institutions include the following:
- Tax return preparers
- Debt collectors
- Real estate settlement services providers and appraisers
- Loan brokers
- Certain financial or investment advisers
GLBA established mandatory regulations to protect the personal data of consumers. This includes creating a policy to protect nonpublic personal information and personally identifiable information. There are three components that GLBA codifies in furtherance of this end.
- Financial Privacy Rule – This rule requires that when a consumer establishes a relationship with a financial institution, the institution provide notice explaining what information is collected on the consumer, who the information is shared with, how the information is used, and what protections are in place for the information.
- Safeguards Rule – This rule requires a written information security plan that designates at least one employee to manage safeguards; describes a risk analysis plan for each department that handles sensitive data; develops, monitors, and tests the information security system; and updates safeguards as needed.
- Pretexting protection – This rule requires financial institutions to create safeguards to prevent social engineering attacks such as phishing. This may take the form of training employees to spot and avoid phishing attempts.
INTERNATIONAL DATA PROTECTION REGULATIONS
The term ‘world wide web’ has never been truer. Everything we do online has a connection to another part of the world but there are few data protection regulations that reach across borders. The most significant of international data protection laws is the General Data Protection Regulation (GDPR) of the European Union.
The GDPR not only subjects entities in the EU to its rules but also applies to entities outside the EU that use or process the personal information of EU citizens. This means a company in America that holds data on a citizen of the EU potentially would have to comply with the GDPR or face a significant fine.
Personal data that is protected by the GDPR includes any personal identifier such as:
- Location Data
- Online alias/persona
- Identification Number
- Physical, physiological, genetic, economic, or cultural identifiers
The GDPR gives EU citizens more control over this type of data. Companies processing and controlling this data are required to design and implement safeguards to keep personal information safe, which includes measures such as pseudonymization and encryption. EU citizens must also be notified of why their data is being processed, and they have the discretion to revoke their consent at any time.
ALLIANT CYBERSECURITY CYBER COMPLIANCE
With cyber laws and regulations changing every year, Alliant Cybersecurity and our team of industry experts stay up to date on the latest changes and trends. We can make sure your organization becomes and remains compliant under state and federal law.
The simple truth is that almost all cyber laws require that companies and agencies maintain basic cyber hygiene. This means, at a minimum, running a risk assessment, identifying vulnerabilities, developing and implementing a security system, and monitoring it. Alliant Cybersecurity can help with every step. Reach out to us for a risk assessment today.