Cybersecurity Laws Remind Businesses to SECURE Their Data

Data privacy laws seldom comprehensively address data security. However, California, Massachusetts, New York, and other states have enacted laws under which businesses can be sued for cybersecurity breaches. This has contributed to significant growth in corporate spending on cybersecurity. According to CSO, an online news, analysis, and research outlet for security and risk management, 62% of organizations plan to increase cybersecurity spending in 2020. Cybersecurity spending is also expected to continue increasing beyond 2020. To implement cybersecurity safeguards in your business and mitigate the risk of significant financial and reputational consequences, we suggest following the series of steps described below, whose initials form the acronym “SECURE.”

Recent State Laws on Data Privacy

The California Consumer Privacy Act of 2018 (CCPA) permits consumers to institute a civil action in the event of a breach of nonencrypted and nonredacted personal information that results from a business’s “violation of the duty to implement and maintain reasonable security procedures and practices.” Although what would constitute “reasonable” security procedures and practices is not made clear by the CCPA statute or the final regulations, the California Attorney General previously published two reports, in 2014 and 2016, that suggest various “reasonable” safeguards such as using encryption, frequent trainings, and firewalls.

New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act) similarly requires reasonable safeguards, which include administrative (e.g., designating one or more employees to coordinate the security program, providing employee training, selecting service providers that maintain appropriate safeguards), technical (e.g., detecting, preventing, and responding to attacks against or failures of networks and software for managing private, personal information), and physical (e.g., protecting against unauthorized access to or use of private, personal information during or after the collection, transportation, and destruction or disposal of the information).

Massachusetts’s cybersecurity law, known as “Standards for the Protection of Personal Information of Residents of the Commonwealth,” goes a step further by requiring businesses to implement minimum security standards, which include a written information security program, secure user authentication protocols, secure access control measures, encryption, reasonable monitoring of systems, firewalls, malware protection, and training of employees.

To implement cybersecurity safeguards in your business, consider carrying out the following process, whose steps form the acronym “SECURE,” to make sure you are implementing procedures and tools that fulfill your statutory obligations.

Survey

It is difficult to implement appropriate cybersecurity safeguards without knowing what data your business collects, how your network is structured, your current policies, who has authority over cybersecurity activities, and what cybersecurity laws apply to your business. The safeguards a business should implement will vary based on the context of the business’s industry and the business itself. One helpful way to survey the data landscape of your business is to ask all departments to create a data map that answers What? When? Where? Why? Who? and How? about the data they collect and to have the IT department summarize the data protections that are in place.

Evaluate and engage

Once you have conducted a survey, the next steps are to evaluate current safeguards in light of potential risks and engage various stakeholders to develop and maintain adequate cybersecurity processes. Safeguards need to protect your organization from the potential risks that affect your particular business, including employee negligence, data breaches, ransomware, and theft. We suggest that you review news articles about data breaches that have occurred in your industry. If there are industry groups that provide specific guidance for cybersecurity in your industry, we suggest reviewing those materials as well. Ask your employees and IT professionals where they perceive risks. You should also engage your service providers to ensure that they have appropriate safeguards and are contractually obligated to maintain them. Last, it would be helpful to engage a cybersecurity expert on a semi-regular basis to identify weaknesses in your network and recommend updated safeguards to address them. Armed with all of this information, you can then create safeguards, policies, and procedures that fit your business and the risks that you face.

Communicate

After evaluating your current safeguards and engaging your stakeholders, it is vital to communicate policies and procedures to your employees and service providers. The use of webinars to deliver frequent trainings is particularly apt during COVID-19. Inform employees of password policies and how to detect phishing scams (see our recent client alert regarding cybersecurity concerns associated with work-from-home protocols). Make sure that employees know whom to contact if they have cybersecurity questions or discover an incident.

Update

Communication should not end with trainings. Whenever your company detects a phishing attempt, employees should be put on alert for similar attempts. As cybersecurity laws evolve, your policies, procedures, and safeguards will likely need to evolve, and with these updates, employees will need to be re-trained.

Review

In order to determine the effectiveness of your company’s cybersecurity policies and procedures, you should conduct periodic reviews and audits. These audits can determine whether employees and service providers adhere to your company’s policies and to contractual obligations. If you find that not all of them do, you should review how your company enforces these obligations and can make changes going forward. This review process is meant to expose any weaknesses in your cybersecurity plan, but it also identifies areas in which your company is succeeding.

Execute

The financial and reputational consequences of a data breach or other cybersecurity attack can be significant. Failing to create incident response plans for data breaches, or failing to execute those plans in the event of a data breach, only makes things worse. An IBM/Ponemon Institute study published this year estimates the average cost of a data breach at $3.86 million. Another study from the Ponemon Institute estimates that 65% of consumers lose trust in an organization after a data breach. Thus, planning for a data breach and executing that plan if necessary are critical to mitigating risk. Preemptive investments in cybersecurity can reduce the risk of these breaches and therefore decrease the risk of significant financial and reputational losses in the future. One such investment is to designate an incident response team and procedures that your company, including the response team, and external advisors can execute easily and quickly to respond to a breach, initiate mitigation measures, evaluate the impact of the breach, and improve data safeguards to prevent another similar breach.

A business’s response to the enactment of cybersecurity laws should go beyond legal compliance and encompass SECURE data. If you need assistance to SECURE your business’s data, respond to a breach, or comply with cybersecurity or data privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.
