Privacy Laws and Cybersecurity Issues for Businesses
The privacy and cybersecurity legal framework is an area under rapid development. It is becoming increasingly newsworthy as more and more businesses suffer hacks and breaches of their networks and valuable data. It is important for every business to have a basic understanding of privacy and cybersecurity issues and their implications for operations. Below are a few areas that business executives and leaders should be aware of to keep their businesses safe:
The United States does not have a single comprehensive privacy law. Instead, the U.S. uses a multi-level approach to privacy regulation. The U.S. follows industry-specific federal laws, including HIPAA/HITECH in the medical industry, the Gramm-Leach-Bliley Act for financial institutions/insurance companies, and FERPA for educational institutions. The Federal Trade Commission and state attorneys general are empowered with more general enforcement oversight for unfair and deceptive trade practices relating to privacy claims. Many states are passing laws (which often include extra-jurisdictional enforcement) governing businesses that collect, control, process or possess personal information of the applicable state’s residents, requiring such businesses to implement commercially reasonable data security frameworks. These states include New York and California.
New York’s SHIELD Act, applicable to any entity that processes personal information of a New York resident, provides some direction on what would be considered commercially reasonable. Each company is required to implement commercially reasonable administrative, technical, and physical data security practices that protect the security, confidentiality, and integrity of personal information in the company’s possession. Often companies that are HIPAA- or GLBA-compliant are exempt from complying with the state laws, but this should be reviewed on a case-by-case basis as new state laws are implemented.
Many businesses use third-party vendors for their data security. The review of these agreements, including licensing arrangements, is important to protect a business. The EU model for privacy frameworks places the burden of ensuring that third-party contractors have reasonable data security practices on the initial data controller, or the party obtaining the information for its business purposes. This model has been making its way into U.S. operations. It is important that, when businesses contract or negotiate with a vendor, the binding agreement is reviewed on the front end to ensure that the business is properly protected.
ASSESSMENTS ON DATA
A risk assessment can also prevent possible issues and the potential misuse of personally identifiable information. A risk assessment looks at each user in a business and identifies who should and who should not have access to the information (personally identifiable or otherwise) necessary for that user to carry out their business purpose.
A business can invest in cyber insurance to protect the business and the data it houses. Like all insurance policies, cyber insurance policies are only as effective as their exclusions. It is important to review or have legal counsel review the cyber insurance policy to make sure that the policy properly covers a business. One increasingly popular provision excludes coverage if payments have been made on a ransom demand. It is also important to review a company’s other insurance policies, as business interruption related to cyber events can, in some instances, be covered by general business interruption insurance.
For questions about how to protect your business in the ever-changing world of technology and cybersecurity, contact the author, Justin Molitoris, a business attorney and Certified Information Privacy Professional (US) by the International Association of Privacy Professionals, or a member of the Cybersecurity team at Barrett McNagny.