Cybersecurity used to be considered “an IT issue.” Keeping data and files safe was the domain of the CIO, and no one else paid much attention as long as operations were running smoothly. Because data has become an enormous business driver for all types of companies, and cybersecurity laws have become stricter and more specific to address the growing risks for consumers and businesses, CEOs and other company leaders have begun to realize that staying on top of cybersecurity isn’t just a smart IT practice. Cybersecurity is now a critical business issue that impacts the health of the organization.
A Brief Overview of Current Cybersecurity Law
Depending on the industry you’re in, you’re probably aware of regulatory laws and standards that affect your organization. Healthcare and life sciences organizations, for instance, are beholden to HIPAA regulations. The Health Insurance Portability and Accountability Act, passed in 1996, upholds national standards for electronic healthcare transactions and protects the privacy and security of individually identifiable health information. Companies that violate HIPAA code are subject to civil and criminal penalties.
Cybersecurity standards such as NIST 800-171 and PCI DSS, while technically not laws, are accepted best practices for companies in various industries. For instance, for any merchant that accepts credit card payments in the U.S., the Payment Card Industry Data Security Standard (PCI DSS) defines what it must do to maintain a secure environment for these transactions.
While these cybersecurity standards might be good practice, they’re not heavily enforced by the rule of law, at least not at the federal level. Some states, however, have in recent years passed laws that penalize companies that suffer a cybersecurity incident in which data is compromised because they didn’t meet standards such as PCI DSS.
Recently, a new law passed that has greatly impacted companies in the U.S. and around the world. The General Data Protection Regulation (GDPR) strictly regulates data protection and privacy for individuals and closely governs how you use the personal data of your customers.
GDPR is a European law, but it affects any company that might touch the personal data of any individual anywhere in the EU. If you sell products online and someone in France buys something from you, you fall within the scope of the GDPR. In fact, if someone in Sweden or Switzerland so much as signs up for your email newsletter or accesses your website with a local IP address, you must comply with GDPR rules. For this reason, GDPR affects most companies in the U.S.
A Sea Change in Cybersecurity
GDPR is a sign of a sea change happening around cybersecurity law. As compliance laws have become stricter, your business is responsible for much more than basic internal cybersecurity. Your company may also be bound by the laws that affect companies you work with. For instance, companies that do business with the U.S. government (or do business with another company that does business with the U.S. government) are also subject to specific cybersecurity compliance standards (e.g. NIST 800 or FedRAMP) and data privacy laws because of that relationship.
As data continues to proliferate, applications become increasingly connected, and everything moves to the cloud, compliance laws and regulations are getting stricter and more specific. This is happening as cybersecurity threats are on the rise, a condition that doesn’t just potentially expose your or your customers’ data but opens you up to a dangerous level of liability if you haven’t taken reasonable measures to protect this information from a breach.
Real and specific laws are beginning to take shape. Here in Ohio, Governor John Kasich recently signed State Bill 220 into law. This piece of legislation incentivizes businesses to invest in stronger cybersecurity policies and procedures to better protect the data of consumers, employees and others they engage with during the course of business. If a company meets the requirements outlined in the law, Ohio will provide that company with a so-called “safe harbor” or affirmative defense in the event of a data breach.
“This legislation benefits Ohio’s businesses and Ohio’s business climate by incentivizing businesses to invest in, and maintain, reasonable cybersecurity measures to protect employee, customer, and other private information.”
— Ohio Chamber of Commerce
This type of bill is what you might call a “carrot instead of stick” approach. Rather than penalizing those who do not take robust cybersecurity precautions (beyond the letter of the existing law), it incentivizes businesses to be proactive in preventing future cybersecurity breaches. If you choose not to follow one of the common cybersecurity frameworks and suffer a data breach, your company will be vulnerable to liability and litigation that could impact your business and credibility. If you do comply with the standards put forth in SB 220, however, the State will offer you legal protection.
If you’re not protecting yourself with an active cybersecurity program that uses one of these standards, it’s not a matter of if, but when, you’ll suffer a costly cyber incident that will affect your reputation and your pocketbook.
Contact us today to find out how you can better protect your company’s data and avoid future liability.