When discussing cybersecurity, what usually comes to mind are threats like malware, DDoS attacks, and malicious activity, as well as countermeasures like firewalls, encryption, and antimalware solutions — all of which make up the technical side of cybersecurity. But there’s another equally important aspect of cybersecurity handled by lawyers and legislators instead of CISOs, SOC analysts, and system administrators. It’s the legal side of cybersecurity, guarded by lawyers who ensure a company’s data privacy and cybersecurity techniques remain above board and in line with legal standards.
Major cybersecurity and data privacy laws companies need to be aware
As companies climb higher up the digital transformation ladder, they accumulate large amounts of data that may contain personally identifiable information (PII), a valuable asset to both marketers and cyber criminals. As data collection, storage, and processing continues to rise, threats to PII will also increase. To help mitigate these threats, federal, state, and international governments have begun developing data privacy laws to ensure the security of peoples’ personal information. A few regulations and laws to note include the following:
General Data Protection Regulation (GDPR)
Of the data privacy laws that exist today, no other law is as stringent and as far-reaching than the European Union’s (EU) recently enforced GDPR. This regulation imposes strict obligations on companies worldwide that store, collect, or use EU individuals’ data and require companies to implement adequate cybersecurity solutions to protect consumer data. Violators of this regulation could be fined up to €20 million or 4% of their annual worldwide turnover of the preceding financial year, whichever is greater.
U.S. legislative response to GDPR
In terms of one all-inclusive and comprehensive federal data privacy law, the U.S. lags behind the EU. However, privacy advocates and some legislators at the federal level are well aware of that deficiency and are making moves to formulate a national legislative response to the GDPR.
Although federal legislation similar to GDPR is still in the works, that doesn’t mean the U.S. is totally devoid of protecting personal data. There is a patchwork of federal, statewide, and industry-specific data privacy laws currently in place for organizations until more comprehensive legislation is brought into play.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a healthcare industry-specific data privacy law that’s aimed at protecting what is known as electronic protected health information (ePHI)—essentially health data that is considered as personally identifiable information (PII).
At the heart of HIPAA are three critical rules: the Privacy Rule, Security Rule, and Breach Notification Rule. Each of these rules, tasked with protecting the privacy and security of individual health information, place strict requirements and great emphasis on ensuring covered entities (e.g. doctors, clinics, pharmacies, health insurance companies, etc.) and their business associates (e.g., service providers, contractors, etc.) utilize specific safeguards to protect the integrity, availability, and confidentiality of the ePHI entrusted to them. Violations of HIPAA may result in civil monetary penalties, and in some cases, criminal penalties enforced by the U.S. Department of Justice.
Gramm-Leach-Bliley Act a.k.a. Financial Services Modernization Act of 1999
Another industry specific privacy law that is unique to the financial services industry is the Gramm-Leach-Bliley Act (GLBA). Under GLBA, financial institutions that offer consumers financial services and products (e.g., banks, credit unions, etc.) are required to disclose to the consumer the institutions’ information sharing practices and to implement safeguards to protect sensitive data. This requirement not only ensures financial institutions maintain some level of transparency with consumers, but also makes sure they engrain security best practices when offering and promoting financial products and solutions. An institution’s failure to comply with this law includes severe criminal and civil penalties, including fines up to $100,000 per violation, plus individual liability for certain officers of up to $10,000 per violation.
Although HIPAA and GLBA are federal laws, they only apply to certain verticals. There are certainly other federal laws that protect personal data, but people who seek protection of their personal data can turn to their state of residence’s privacy laws. As of this writing, all 50 states, as well as the District of Columbia, Puerto Rico, and the US Virgin Islands have already enacted some form of legislation that protect personal information. Of particular notice are the laws enacted by Massachusetts and recently, California.
Massachusetts data protection and privacy law
Formally known as the “Standards for The Protection of Personal Information of Residents of the Commonwealth,” the Massachusetts data protection and privacy law is considered one of the two most comprehensive statewide legislations of its kind (the other being the California Consumer Privacy Act). For one thing, it has an extensive collection of technical, physical, and administrative security provisions for the protection of personal information, giving consumers greater protections against data breaches.
This law requires companies to establish an information security program and develop a regularly written, reviewed plan that includes security policies which detail the measures taken to protect consumer’s personal information. In addition, it also requires companies to assign 1 or 2 employees to take charge of evaluating and monitoring the effectiveness of their security plan and corporate policies. A company’s failure to oblige with the law may lead to severe civil monetary penalties.
California Consumer Privacy Act (CCPA)
Recently passed and expected to become effective January 1, 2020, the California Consumer Privacy Act (CCPA), is what appears to be the most stringent and comprehensive statewide data privacy law in the United States. Rightfully so, considering California’s dense population of tech companies (especially in Silicon Valley) that collect vast amounts of personal data.
Among several other things, the CCPA empowers consumers with several privacy-related rights, including:
- The right to require their data to be deleted;
- The right to request a company to disclose how their personal data will be collected and shared; and
- The right to prohibit a company from selling their personal data.
With these new California consumer rights, companies that operate in California and collect personal information of California residents have less than one year to comply with the CCPA’s requirements, which include updating their privacy policies and data collection business practices to protect consumer data. The penalties for non-compliance, like other privacy laws, include severe monetary penalties.
Why these laws are important
As the world continues to digitally transform, personal information will consistently transfer between individuals and businesses. Thus, data privacy laws are being created and enacted primarily to compel organizations to take privacy seriously by establishing controls for securing personal information. This is crucial, as personal data is now constantly being threatened by identity thieves and other cybercriminals looking to get their hands on it for fraudulent and criminal purposes.
Without these laws, most organizations wouldn’t be willing to invest in people, processes, and technologies that would ensure the security of personal data. Indeed, without them, data privacy would often be at the bottom of an organization’s checklist. But, since these laws include onerous penalties that can cost up to millions of dollars for non-compliance, companies are forced to adhere to them.
Much like cybersecurity as a whole, the legal side of cybersecurity is also a vast, complex, and constantly evolving landscape. It gets even more complicated for companies that operate across the U.S and internationally, as they have to deal with a hodgepodge of varying state-wide, federal, and industry-specific laws and regulations. Without an attorney who is well-versed in cyber and data privacy legalese, it would be nearly impossible for companies to keep track and interpret these laws.
When companies set out to hire legal experts, they’re usually faced with two choices — maintaining in-house counsel or outsourcing to a firm.
Benefits of having in-house counsel vs. outsourcing a firm
The 3 primary benefits of having an in-house legal counsel for cybersecurity and data privacy are that:
- They understand your business needs because they are a part of the business;
- You have a legal expert on staff to immediately address the need; and
- They can quickly analyze the legal and security risk(s) your company faces, giving you peace of mind to address the concerns.
Though these benefits exist, it doesn’t mean you can do away with an external firm altogether. While in-house counsel can take care of most legal concerns, in-house counsel may need to reach out to external lawyers in certain situations. For example, in the event of a data breach, in-house counsel will manage the immediate aftermath of the breach with internal technical teams and executives but will eventually have to reach out to an external firm, who will take charge of litigation if the incident calls for it.
Cybersecurity is by no means a purely technical industry. As this article has proven, the legal side of cybersecurity demands attention in every organization’s IT program. A good understanding of your legal obligations in the cybersecurity and data privacy space can help you mitigate the risk of non-compliance and the penalties that come with it.