Cybersecurity Laws Remind Businesses to SECURE Their Data
August 7, 2020
Data privacy laws seldom address data security comprehensively. However, California, Massachusetts, New York, and other states have enacted laws under which businesses can be sued over cybersecurity breaches. This has contributed to significant growth in corporate spending on cybersecurity. According to CSO, an online news, analysis, and research outlet for security and risk management, 62% of organizations plan to increase cybersecurity spending in 2020, and spending is expected to keep rising beyond 2020. To mitigate the risk of significant financial and reputational consequences, we suggest implementing cybersecurity safeguards in your business through the series of steps described below, whose initials form the acronym “SECURE.”
Recent State Laws on Data Privacy
The California Consumer Privacy Act of 2018 (CCPA) permits consumers to bring a civil action in the event of a breach of nonencrypted and nonredacted personal information that results from a business’s “violation of the duty to implement and maintain reasonable security procedures and practices.” Although neither the CCPA statute nor the final regulations define what constitutes “reasonable” security procedures and practices, the California Attorney General previously published two data breach reports, in 2014 and 2016, that suggest various “reasonable” safeguards such as encryption, frequent training, and firewalls; the 2016 report also pointed to the Center for Internet Security’s Critical Security Controls as a minimum baseline for reasonable security.
New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act) similarly requires reasonable safeguards for private information, which fall into three categories: administrative (e.g., designating one or more employees to coordinate the security program, providing employee training, and selecting service providers that maintain appropriate safeguards), technical (e.g., detecting, preventing, and responding to attacks against, or failures of, the networks and software used to manage private information), and physical (e.g., protecting against unauthorized access to or use of private information during or after its collection, transportation, and destruction or disposal).
Massachusetts’s cybersecurity regulation, known as “Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 CMR 17.00), goes a step further by requiring businesses to implement minimum security standards, which include a written information security program, secure user authentication protocols, secure access control measures, encryption of personal information transmitted over public networks and stored on laptops or other portable devices, reasonable monitoring of systems for unauthorized use or access, firewalls, malware protection, and training of employees.
To implement cybersecurity safeguards in your business that fulfill these statutory obligations, consider carrying out the following process, whose steps form the acronym “SECURE.”
Survey
It is difficult to implement appropriate cybersecurity safeguards without knowing what data your business collects, how your network is structured, what your current policies are, who has authority over cybersecurity activities, and which cybersecurity laws apply to your business. The safeguards a business should implement will vary with the business’s industry and with the business itself. One helpful way to survey the data landscape of your business is to ask every department to create a data map answering What? When? Where? Why? Who? and How? for the data it collects (what data is collected, when and why it is collected, where it is stored, who has access to it, and how it is transmitted and disposed of), and to have the IT department summarize the data protections that are in place.
Evaluate and engage
Once you have conducted a survey, the next steps are to evaluate current safeguards in light of potential risks and to engage the various stakeholders who will develop and maintain adequate cybersecurity processes. Safeguards need to protect your organization from the risks that affect your particular business, including employee negligence, data breaches, ransomware, and theft. We suggest that you review news reports about data breaches that have occurred in your industry. If industry groups provide cybersecurity guidance specific to your industry, we suggest reviewing those materials as well. Ask your employees and IT professionals where they perceive risks. You should also engage your service providers to ensure that they have appropriate safeguards and are contractually obligated to maintain them. Last, it is helpful to engage a cybersecurity expert on a regular basis to test your network for weaknesses and recommend updated safeguards to address them. Armed with all of this information, you can then create safeguards, policies, and procedures that fit your business and the risks that you face.
Communicate
After evaluating your current safeguards and engaging your stakeholders, it is vital to communicate your policies and procedures to your employees and service providers. The use of webinars to deliver frequent training is particularly apt during COVID-19. Inform employees of your password policies and of how to recognize phishing scams (see our recent client alert regarding cybersecurity concerns associated with work-from-home protocols). Make sure that employees know whom to contact if they have cybersecurity questions or discover an incident.
Communication should not end with training. Whenever your company detects a phishing attempt, employees should be alerted to watch for similar attempts. As cybersecurity laws evolve, your policies, procedures, and safeguards will likely need to evolve as well, and with each update employees will need to be re-trained.
To determine the effectiveness of your company’s cybersecurity policies and procedures, conduct periodic reviews and audits. These audits can determine whether employees and service providers adhere to your company’s policies and to their contractual obligations. If you find that not all of them do, review how your company enforces these obligations and make changes going forward. This review process is meant to expose weaknesses in your cybersecurity plan, but it also identifies areas in which your company is succeeding.
The financial and reputational consequences of a data breach or other cybersecurity attack can be significant. Failing to create an incident response plan for data breaches, or failing to execute that plan when a breach occurs, only makes things worse. An IBM/Ponemon Institute study published this year estimates the average cost of a data breach at $3.86 million. Another Ponemon Institute study estimates that 65% of consumers lose trust in an organization after a data breach. Thus, planning for a data breach, and executing that plan if necessary, is critical to mitigating risk. Preemptive investments in cybersecurity can reduce the likelihood of breaches and therefore the risk of significant financial and reputational losses in the future. One such investment is to designate an incident response team and procedures that your company, including the response team and its external advisors, can execute easily and quickly to contain a breach, initiate mitigation measures, evaluate the impact of the breach, and improve data safeguards to prevent a similar breach; the plan should be rehearsed (for example, through tabletop exercises) before an incident occurs, not read for the first time during one.
A business’s response to the enactment of cybersecurity laws should go beyond minimum legal compliance and aim to SECURE its data. If you need assistance to SECURE your business’s data, respond to a breach, or comply with cybersecurity or data privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.