Cyber Security Regulations for Small and Medium Size Businesses

As cybersecurity concerns increase, so have government regulations. The problem, however, is that these regulations are not all enforced on the federal level, and sometimes pertain only to specific types of businesses. It is important for  businesses to understand the regulations for their industry and/or geographic location and take steps to put the right cybersecurity program in place in order to comply. To help with that process, here is a short guide to four of the most important cybersecurity and privacy regulations in the U.S. today.

  • HIPAA – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the oldest and best-known federal privacy regulations in the U.S. These regulations require that all companies within the healthcare and health insurance industry implement administrative, physical, and technical safeguards to ensure the protection of all electronic health information. This includes periodic risk assessment reports, workforce training and management, and access and audit controls. More information on HIPAA and how to ensure compliance can be found here.

  • NYSDFS Cybersecurity Regulations – In 2017 the New York State Department of Financial Services put in place regulations for all financial institutions requiring a license to operate in New York. These regulations require that a comprehensive cybersecurity program be put in place, including the designation of a Chief Information Security Officer, the implementation of cybersecurity policies based on a comprehensive risk assessment, and periodic penetration and vulnerability tests. The regulations also require businesses to provide cybersecurity training for employees, limit the amount of time data is retained, encrypt all nonpublic information, audit their third-party vendors, develop an incident response plan, and notify the NYSDFS of any breach of nonpublic information.

 

  • Securities and Exchange Commission: As of 2018, the SEC has put in place cybersecurity initiatives designed to protect retail investors from cyber-related attacks. These regulations affect all investment and public companies operating in the U.S. The role of these initiatives is primarily to provide resources for businesses to identify and assess cybersecurity risks, detect compromises to systems, plan the response to compromises, and take steps to recover stolen data. However, the SEC does require companies to report how data is being secured, as well as any cyber-related incidents such as data breaches. You can find the SEC’s resource page here. For even more information, the Financial Industry Regulatory Authority has additional resources and checklists for small businesses.

  • California Consumer Privacy Act (CCPA): The CCPA is one of the newest regulatory laws in the U.S. and provides consumers extensive control over how businesses collect and use personal information. The law applies to all for-profit entities doing business in California that collect personal consumer data. According to the CCPA, companies must provide consumers with information on what data is being collected, and the law gives consumers the right to opt out of the sharing or selling of personal information. Consumers additionally have the right to sue if a breach occurs because the company used careless or negligent means to protect data. The CCPA will go into effect in January 2020, and the full initiative can be found here.

While not all of these regulations will pertain to your business, it is likely that such initiatives will be standardized across industries and states in the near future. It is therefore essential that businesses begin to put some of these practices in place now. Here are some basic steps that can be taken today:

  1. Develop a cybersecurity policy. Two tools that can help come from the National Institute of Standards and Technology (NIST), which provides security and privacy controls for federal organizations, and the International Organization for Standardization (ISO), which specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the context of the organization.
  2. Work towards improving the security controls in the organization, with special emphasis on access control, data encryption, security governance, incident response, vulnerability management (e.g., patching and scanning), and vendor management.
  3. Train everyone on their role in cybersecurity.
  4. Have someone in the organization responsible for cybersecurity and make sure they are getting training.

Finally, while the emphasis in this post is compliance, recognize who you are really doing this for: your customers, your employees, your investors and yourself.

Google Fined 50 Million Euros for Violations of EU’s New GDPR

The Commission nationale de l’informatique et des libertés (CNIL), France’s national data protection authority, has just levied a 50 million euro fine on Google for violations of the EU’s General Data Protection Regulation. The GDPR was implemented in May of last year and, widely considered the strictest data regulation in effect, notably gives much of the control back to the consumer, including opt-in consent for the use of private information. Google is appealing the decision.

The CNIL found Google in violation of two aspects of the GDPR:

First, Google failed to make information regarding the use of consumer data properly transparent. According to the report, “essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.”

Second, Google failed to gain valid consent to process data for ad personalization. The key word here is valid. Google does in fact obtain consent from users, but the CNIL found this consent was not sufficiently informed. “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.” Moreover, the consent obtained was not considered to be “specific or unambiguous.” Google allows users to access ad configuration; however, “the user not only has to click on the button ‘More options’ to access the configuration, but the display of the ads personalization is moreover pre-ticked.” The consent is therefore not obtained with the “clear affirmative action from the user” required for the consent to be considered valid.

While Google is not the first company to be fined for violating the GDPR, it is by far the largest fine received under the new regulations. However, the damage could have been a lot worse for Google. Organizations can be fined up to 4% of their annual global revenue, and with 33.7 billion in revenue last quarter alone, Google might consider itself lucky.

Google’s Appeal May Help Clarify the Scope of the CNIL’s Ruling

In a statement to Politico, however, Google confirmed it will be appealing the CNIL’s decision: “We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”

Google’s claim that its consent process is based on regulatory guidance and user experience testing may point to its argument: that it followed regulator guidance (either specific, targeted guidance or public guidance) and its own user testing in good faith. The regulators may say the consent is not informed, and Google might try to refute that through an analysis of its user testing.

Google is also appealing to the concerns of companies in other industries about how the GDPR may affect them. Echoing these concerns, Jon Slade, CCO of the Financial Times, told Digiday “the interpretation of GDPR has been inconsistent at best, and in some cases has willfully chosen to ignore both the letter and the spirit of the regulation. The industry now can’t say it hasn’t been warned.” While Google is likely overstating its concern for other industries, the appeal process may at the very least help clarify the definition and scope of certain aspects of the GDPR.

The CNIL’s decision is therefore an essential reminder for any business that transparency and consent are increasingly becoming the name of the game. As the example of Google makes clear, simply having information available to consumers is not enough; that information needs to be “intelligible and easily accessible.” While in the United States there are no federal data protection laws with the same scope as the GDPR, states such as California are beginning to pass regulations similar to those in the EU. Companies not currently affected by such regulations should therefore still prioritize data processing and put in place a plan that would allow quick and easy compliance with any new regulations that may be implemented. Or, as Jon Slade puts it, “anyone handling data would be crazy not to look at this strong enforcement of GDPR and double-check themselves.”

First Insurance Data Security Act Goes into Effect in South Carolina

As of the first of this year, the South Carolina Insurance Data Security Act has gone into effect. These regulations are based primarily on the National Association of Insurance Commissioners’ Data Security Model Law and are the first of their kind in the U.S. However, given increasing public scrutiny of how businesses handle sensitive information, it is likely that such regulations will be taken up by other states in the years to come. New York, for instance, already has similar regulations in place via the Department of Financial Services, not to mention the California Consumer Privacy Act of 2018. Insurance carriers, brokers, agents and other licensed entities should therefore take some time to familiarize themselves with these new regulations.

The South Carolina Insurance Data Security Act contains two major aspects:

1. It requires any “person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to [ ] insurance laws” to notify the state within 72 hours of any cybersecurity event. The regulation defines such an event as any event “resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system.”

2. Licensees are required to maintain a comprehensive information security program that details how the company will protect the security and confidentiality of private information against outside threats. Companies must conduct a full risk assessment of a cybersecurity event in order to then design and implement a program to mitigate the identified risks.

3. Licensees will also be required to implement a third-party provider program and to require that their providers implement appropriate administrative, technical and physical measures to protect non-public information and relevant systems.

It must be noted that these regulations pertain not only to insurance companies, but will also impact insurance brokers, agents, other licensees and their third-party vendors. The first deadline is a written security program in place by July 1, 2019. The implementation of a third-party provider program needs to be in place by July 1, 2020.

Moreover, the regulations themselves could easily be applied to fields outside of insurance. The concept of an information security program, for instance, is something that any business handling private information should begin considering in the event that similar regulations are applied across other states and in different sectors.

Privacy is coming out of the shadows. Should businesses be scared?

Just a few months after Facebook’s highly publicized data breach, California passed the strongest regulations on the collection and sale of personal information that the U.S. has ever seen. Around the same time, the EU passed the General Data Protection Regulation (GDPR), which even surpasses the new regulations in California. Then, late last month, Google admitted to a breach of information on its Google+ platform that potentially affected over 500,000 users.

What businesses now need to realize is that such high-profile scandals will likely have direct impacts not simply in Silicon Valley, but on a national and even global scale.

In fact, on October 22, Google, Facebook, Apple and Microsoft endorsed a federal privacy law based upon a framework developed by the Information Technology Industry Council.

To help businesses better understand the impact privacy regulation may have for them, we have put together the top three implications these new regulations could have on businesses in the coming months.

Consumers will play an active role in how companies collect and use personal information

Perhaps the strictest aspect of California’s new regulations is the central role consumers will now play in deciding how (or if at all) their information is used. Consumers now have the right to request from companies not only what information is being collected (the consumer may even request an accessible copy of that data), but also for what purpose. Moreover, the law allows consumers to request that companies delete their personal information and even to opt out of the sale of such information.

A broader definition of protected private data

The California Privacy Act substantially broadens what is considered ‘personal information’ and therefore increases the scope of regulations beyond what we generally consider tech companies. Under the new regulations, ‘personal information’ now includes the consumer’s internet activity, biometric data, education and employment information, as well as information on the consumer’s purchases and personal property. Broadening the definition of personal information therefore implicates far more businesses than the likes of Facebook and Google. Now, any company that collects or uses such consumer data will be subject to regulation.

Targeted advertising will become less effective

The effectiveness of targeted online advertising campaigns relies on the extreme specificity enabled by access to consumer data. As Dipayan Ghosh of the Harvard Business Review points out, these regulations will have an impact on any business that makes use of online advertising. Targeted campaigns will become less precise and may therefore “significantly cut into the profits [ ] firms currently enjoy, or force adjustments to [ ] revenue-growth strategies.”

Any business that has customers in California needs to be seriously considering how it will now comply with these new regulations. What’s more, discussions of putting in place federal regulations are well underway, and it is possible that California’s new private information laws could form the basis of such regulations. It is therefore in the best interest of any business that makes use of consumer data to seriously consider what impact such regulations could have in the coming months and years.

What should businesses be doing now, even if they don’t fall under California or GDPR privacy regulations?

1. Know what data you are capturing and where it is stored. Review your data flows in your customer, accounting, employee and other databases so you know what you are capturing, the reason you are capturing it and where you are storing it. Keeping an accurate data inventory is critical. And it makes good sense.
2. Be transparent with your users about what you are doing with their data. Review your privacy policies. Make sure they are free of legalese and clearly explain what you will be doing with the data, who (if anyone) you will share the data with and what rights the user has if they want to have the data changed or removed. Try not to think of this as a compliance exercise. Think of it as customer engagement. By doing so, you can create a better relationship with your customers because you show that you respect them and their information.
3. Ask before you capture — Where possible, get the user’s consent prior to capturing the data. You will have better customers if they opt in to the relationship rather than finding themselves in one.

Privacy does not have to be viewed as compliance or even a restriction on doing business. In fact, successful businesses going forward will use privacy as a tool for increased customer engagement.