Your Guide to Cybersecurity and Compliance
Cybersecurity is one of the biggest issues for small, medium, and large businesses across the board. Yet it is often an area that goes unaddressed. This is your guide to everything you need to know about cybersecurity and compliance for your business, as addressed in the recent webinar hosted by Tech42 owner Michael Pickreign and featuring Tom Fafinski, who has been practicing technical law (including cybersecurity) for 30 years.
What are the Legal Obligations?
Breaches in security and compliance failures have both state and federal reach. Most cybersecurity acts are put in place to protect personally identifiable information (PII). Federal legislation includes:
- Federal Trade Commission Act
- Gramm-Leach-Bliley Act
- Fair and Accurate Credit Transactions Act Disposal Rule
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act
- Communications Act
States nationwide tend to have uniform consumer protection laws governing how businesses store, protect, and handle PII. These also include social security number protection laws and regulations on the disposal of PII.
What is Personally Identifiable Information?
Personally identifiable information is more commonly known as PII. It includes any information directly linked to a person, such as name, email address, credit card information, bank account number, phone number, and medical history.
Almost every Managed Service Provider (MSP) and their customers collect, store, manage, and dispose of PII. Both MSPs and their customers must take steps to prevent breaches.
How Do You Know if a PII Breach Has Occurred?
There is a misconception that a breach has only occurred when data has been stolen and malicious action taken. This is not true. A breach occurs whenever PII has potentially fallen into unauthorized hands or been used for unauthorized purposes. Events that should signal a breach include PII that is:
- Lost or stolen
- Obtained, copied, or accessed by an unauthorized person
- Used by an unauthorized person
- Obtained by a person with permission for unpermitted purposes
Who Should You Notify When a Breach Has Occurred?
As soon as you are aware of a PII breach, you should alert the following parties:
- All affected consumers, employees, and related third-parties
- Law enforcement and/or regulatory agencies
- Credit reporting agencies
- Business partners and investors
Have the NIST Framework in Place
The National Institute of Standards and Technology (NIST) publishes the Framework for Improving Critical Infrastructure Cybersecurity. Even though it is voluntary, it is now recognized as the standard of care expected when handling PII. You are more likely to be able to defend a claim against your company if you have the NIST framework in place.
The WISP
Under the NIST framework, it is advisable to have a Written Information Security Program (WISP) in place as well. A WISP ensures that PII is protected by detailing how it will be handled and by whom. It should document the administrative, physical, and technical safeguards that your business has implemented. When developing your WISP with your MSP, it is also advisable to involve your attorney. If your attorney is present in the process, attorney-client privilege is afforded to you should a negligence or malpractice claim be brought against you: the discussion of which security measures you chose to take, which you chose to forego, and the reasons why cannot be revealed under the law.
Both your company and MSP should be aware of the following when taking measures to protect PII:
- How PII is collected, stored, accessed, transferred, and disposed of
- Employee awareness – training employees so that they know how to handle PII safely at every stage
- Implementing identity safeguards
- Minimizing accountability gaps – make sure there is always an accountability chain
- Compliance with privacy policies and legislation
- Care of older PII – keeping data you do not need only increases liability; properly dispose of data you no longer have a use for
It is advisable to consider an IT security audit or independent review to learn your company’s vulnerabilities and fix them before those with malicious intentions find them.
Failure to Protect Your Company
If you think it can’t happen to a small or medium-sized business like yours, think again! Those behind cyberattacks are opportunistic and will exploit any vulnerability they can find. After all, if mega enterprises like Home Depot, Target, and eBay can be victims of hackers, so can your company. Failure to protect your business can have devastating consequences, including lawsuits that end in large settlements and a loss of consumer trust.
When hiring an MSP, it is advisable to choose one that has dealt with cybersecurity incidents before and has the experience to handle them quickly while minimizing damage. Those who claim to have never had any issues may not know how to handle one if you happen to be the first.
The bottom line is that cybersecurity breaches can happen in the blink of an eye. While it is impossible to predict every issue that may come your way, you must work closely with your MSP and attorney to take the steps necessary to protect your company and your customers’ data from a PII breach.