“My Data’s Been Breached! What Do we Do?” Focus 1: Data Protection Laws
Cybercrime is an insidious and prevalent problem. Experian just released its Fifth Annual Data Breach Preparedness Study, and it indicates that a majority of businesses fear their IT security may not be comprehensive. Approximately 33% of businesses know full well that their data is not well protected. No business or industry is immune from the possibility of a devastating data breach: it may be accomplished by an outside hacker, an employee committing fraud, or an unintended consequence such as a lost laptop.
When this happens, it is important to assess the who, what, when, where, how, and why of the situation.
Who: Who is responsible for the data breach, if it can be determined?
What: What needs to be done to report, remediate and recover?
When: When did the incident occur?
Where: Where did the data breach occur? At a specific work station or end point? Where in the network was the system breached?
How: How will the data breach impact the business? Consider the full projection.
Why: There are two perspectives of Why to consider:
1) Why was this particular area of data targeted (if the data breach was intentional)?
2) Why was this area of data security left vulnerable in the first place?
To evaluate, let’s first look at data protection laws. These will shape the What and How of this data breach response rubric as it applies to your business, and help you prioritize your response steps.
List and Links of Data Protection Legislation
Different industries are subject to different data protection laws, and therefore to different data protection requirements. The following quick list points you to the full information that pertains to your business:
Banks, Financial Institutions, and Insurance Companies
You may have caught wind of the Equifax hacking scandal that happened back in 2017. In it, almost 150 million Americans were put at risk of identity theft because their Social Security numbers were exposed. The investigation and litigation are still ongoing; new developments in the civil action against Equifax were in the news just this past week.
All firms operating in the field of the financial services industry are governed by the FDIC. Data security is governed by:
- The Gramm-Leach-Bliley Act Explanation and Resources
- Section 6802 Specifics
- Section 6285 furthermore places on financial institutions the duty to “prescribe such revisions to such regulations and guidelines as may be necessary” to ensure data protection and privacy, closing any culpability loopholes.
Equifax insists that it had sufficient data protection in place, but that is unlikely to save it. “Regulators now have put emphasis on investigating and penalizing the victims of data breaches with multi-million dollar fines for ‘allowing’ data breaches to happen due to allegedly insufficient data security policies.” Clearly, with 150 million personal records exposed, Equifax’s data protection measures were insufficient. Make sure your financial institution does not meet a similar fate. If your financial institution has experienced a data breach, be prepared that you may be held responsible for not exploring, identifying, and protecting areas of vulnerability on your own.
Medical and Healthcare Institutions
The Health Information and Accountability Act (HIPAA) governs what data can be collected from patients, and its privacy rules regulate how that data is collected and protected. Quick links to the provisions that cover data breach response and liability:
- Subpart D Section 164 sets out expectations for prompt notification, required administrative actions, and the burden of proof.
- Further explanation and directions for data breach incident response are provided on the HHS.gov website.
- HIPAA violation response and enforcement have recently been updated.
- Violations and fines can be severe, depending on what Tier the violation falls under. Learn about HIPAA violation tiers and review this recent lawsuit/settlement story to understand how litigation may ensue after a data breach.
Practically every private sector business collects customer data. Notably, the US has no significant federal regulation governing data privacy or dictating how to manage and report a data breach outside of the healthcare and financial sectors. Data protection and liability regulations for private companies are instead enacted at the state level, and cover private data security, privacy rules for non-personally identifiable information, breach notification protocols, and data disposal. All 50 states have legislation in place addressing these areas of data security.
- Digital Guardian has compiled a list of state-by-state data breach laws and related penalties.
- Certain business operations may be subject to both state and federal laws and penalties. For instance, a private healthcare clinic is subject to both HIPAA and state regulations where the two do not overlap. If this situation applies to your business, be aware that while a federal law may pre-empt a state law, it also may not pre-empt a similar state law, and some state laws are more restrictive than their federal counterpart. So please do your own due diligence on how data breach laws will be handled in your state for your business.
State-level data privacy laws apply to online businesses as well, but the lack of federal regulation overseeing online business conduct will not last long. Europe now has the General Data Protection Regulation (GDPR) in place to govern online data collection and management practices for private sector ecommerce, and the US is sure to follow suit soon. In fact, California just passed a bill very much like the GDPR, the California Consumer Privacy Act (CCPA), which may serve as a model for a federal standard.
Aside from state laws, the following federal laws may also apply to private industry:
- The Children’s Online Privacy Protection Act prohibits the online collection of any information from minors (under age 13).
- The Video Privacy Protection Act prohibits disclosure of data records related to online streaming of audio and video material.
There are other acts that affect data management and data breach incidents, such as those covering data gathered by state and public organizations, telemarketing companies, and credit reporting operations. These are all included in ICLG’s 2018 Data Protection Guide.
If you have specific questions regarding the protection of your business and system data, contact Secure Networkers and let us help. The strongest businesses invest in the strongest defenses. They prepare fortifications against both internal and external threats. A good provider of outsourced IT services can assist with any or all of these solutions.