Compliance can be a daunting task, principally because it is new to most businesses.
Published in NH Business Review (11/22/2019)
Information security and privacy is daunting for most businesses. Sophisticated hackers victimize even large companies, like Yahoo!, Equifax, Marriott and Anthem. Can small- and medium-sized organizations protect themselves?
Making matters more urgent, diverse laws are emanating from foreign jurisdictions like the European Union, Great Britain and Canada, as well as populous states like Massachusetts, New York and California. What should businesses do? Here is a practical explanation and approach to cybersecurity.
Laws governing information privacy and security initially focused on specific industries and types of information. Examples include HIPAA for health information, FERPA for student information held by public schools and the Gramm-Leach-Bliley Act for banks.
Cybersecurity expanded significantly when states like Massachusetts and California enacted and began rigorously enforcing laws that require all types of business to implement technological, physical and administrative safeguards, written information security policies and workforce training designed to prevent the loss and theft of certain types of personal information.
Currently, at least 15 states have regulations requiring such preventative measures, including the most recent such law in New York, called the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act. These regulations apply not just to businesses that have operations, employees or customers in such states. Rather, they reach across borders, extending to businesses in other states that possess such information about residents of those states.
The cybersecurity movement grew in 2018, due to the adoption of a broad privacy law in the European Union and Great Britain, called the General Data Protection Regulation, or GDPR. Similar to expansive security laws in this country, GDPR applies to United States businesses that have European operations or employees, supply products or services in Europe, or sign a contract (typically with a European customer or vendor) agreeing to comply with GDPR.
Following that example, California recently adopted a similar privacy law called the California Consumer Privacy Act or CCPA, and comparable legislation is pending in several other states.
Unlike prior regulations, GDPR and CCPA are not focused on a specific industry, nor are they constrained to limited categories of information. Instead, they broadly protect almost all personal information, including simply name, address, email, etc. These laws require all businesses to provide notice and (in certain circumstances) obtain consent from the individual at the time the business collects and before it uses information about any individual who resides in those jurisdictions.
These regulations also grant individuals privacy rights, including the right to limit the use of their information, obtain a copy of their information from the business, require the business to give their information to another company and mandate that the business erase all information about them from its systems, known as the “right to be forgotten.”
Cybersecurity laws are too diverse with respect to the information regulated, individuals protected and obligations imposed for businesses to try to differentiate between the rules that apply to the various types of information they have about numerous customers, employees, vendors, etc. Businesses just do not store or use information in such a rigid way.
Instead, most businesses adopt a practical approach, applying accepted standards to all types of confidential, sensitive and personal information they possess.
Comprehensive risk assessment
For security law compliance, a seasoned cyber attorney amalgamates the standards from the most comprehensive information security laws and utilizes an accepted framework for the process, like the regimes promulgated by the National Institute for Standards and Technology, or the International Standards Organization.
For privacy law compliance, universal standards are more elusive because the regulations are less mature. Though GDPR and CCPA are the current benchmarks, an experienced attorney will work with the client to determine which standards the client can or must implement, how the client can feasibly and affordably do so, and the amount of time it should take for the client to achieve compliance.
The result is a business that not only conforms to the multiplicity of divergent regulations and is less vulnerable to cyber attack, but also one that safeguards all of its confidential, sensitive and personal information, and increases its value with potential acquirers and its profile with consumers.
A comprehensive risk assessment is critical for a business to achieve information security and privacy compliance. To identify and address risks and noncompliance, businesses must first inventory the information they possess, assess how they use it in operations, identify where they store it in hard copy and electronic format and who has access to it, determine how they transport it physically and transmit it electronically, etc.
Without that methodical analysis, a business is unaware whether the safeguards it has in place are sufficient or more effective ones are readily available, and whether it complies with applicable security and privacy laws. There is no shortcut for the detailed work conducted in a comprehensive risk assessment.
Cybersecurity compliance is daunting principally because it is new to most businesses. A practical approach to compliance involves:
- Working with an attorney who has cybersecurity expertise to guide the business through the process
- Conducting a comprehensive risk assessment to identify and remediate risks and areas of non-compliance
- Committing to integrate cybersecurity into everyday business operations.
Attorney Cameron G. Shilling, a director at McLane Middleton, is founder and chair of the firm’s Information Privacy and Security Group, can be reached at 603-628-1351 or [email protected].