Cybersecurity and Data Protection Laws 101
Aside from the obvious need to protect your business, customers and reputation, there is another reason for businesses of all sizes to use cybersecurity to guard users’ personal information: staying compliant with the law.
As things stand, federal laws in the United States deal mainly with who is obligated to implement cybersecurity protections (bottom line: except for healthcare and financial institutions, these laws don’t touch private businesses). State laws determine what a business’s obligations are in the event of a data breach compromising the personal information of users.
What are your business’s cybersecurity obligations under federal laws?
There is no comprehensive federal cybersecurity law in the United States, but rather separate laws pertaining to specific industries. Healthcare organizations are covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Financial institutions are covered by the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999. In all other cases, businesses currently have no cybersecurity or data protection obligations under federal law (although there has been talk of introducing legislation on these subjects).
HIPAA comprises a Privacy Rule, outlining healthcare organizations’ obligations regarding the use and disclosure of protected health information; and a Security Rule, outlining what healthcare organizations must do to safeguard protected health information.
To comply with the HIPAA Security Rule, all covered entities must:
- Ensure the confidentiality, integrity, and availability of all electronically protected health information;
- Detect and safeguard against anticipated threats to the security of the information;
- Protect against anticipated impermissible uses or disclosures; and
- Certify compliance by their workforce.
For more on HIPAA, see these useful resources from the Centers for Disease Control and Prevention and the Department of Health & Human Services.
The GLBA requires financial institutions – companies that offer consumers financial products or services such as loans, financial/investment advice, or insurance – to explain their information-sharing practices to customers and safeguard sensitive data.
To comply with the GLBA Safeguard Rule, each company must:
- Designate one or more employee to coordinate its information cloud security program;
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program, and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
For more on the GLBA, see this useful guide from the Federal Trade Commission.
Note that despite its name, the NIST Small Business Cybersecurity Act of 2018 doesn’t impose any obligations on SMBs. In actual fact, it obligates the National Institute of Standards and Technology (NIST) to help SMBs identify, assess, manage, and reduce their security risks. Click here for NIST’s guide to small business cybersecurity.
What are your business’s data protection obligations under state laws?
There is no American equivalent to the European Union’s General Data Protection Regulation (GDPR), which imposes a multitude of obligations on organizations all over the world, so long as they target or collect data related to people in the EU. The closest laws to the GDPR in the U.S. are the California Consumer Privacy Act of 2018, which gives California residents the right to know personal data is being collected about them and whether any third parties have access to that data. Other states are expected to follow suit; and the New York State Department of Financial Services Cybersecurity Regulation, which requires all regulated financial services institutions to notify regulators and affected end-users of any cybersecurity breaches within 72 hours.
In the U.S., the states have taken it upon themselves to decide what a business’s obligations are in the event of a cybersecurity breach. California was the first to address this issue with the Notice of Security Breach Act in 2003. Today, all 50 states (and the District of Columbia) have laws requiring businesses to notify users of security breaches, although the exact rules vary from state to state.
The following table, based on information from the BakerHostetler Breach Notification Law Interactive Map, shows how states vary on three key clauses:
- Risk of harm analysis. Most states allow businesses to use forensic investigation to assess whether personal information has been compromised before triggering a notification to users. However, six states do not permit analysis, and require businesses to notify users even when it is not clear if personal information has been compromised.
- Standard for triggering. Most states do not require businesses to notify users if there has been a data breach but personal information has not been compromised. However, in five states, businesses are required to notify users even if no personal information has been compromised. (N.B. This is subtly different from risk of harm analysis – as always, check the statute in your state or consult a legal professional for more information).
- Notice to AG or state agency. In 37 states and DC, businesses are required to notify state authorities and users when a notice of security breach is triggered. In the remaining 13 states, businesses only have to notify users.
| Risk of harm analysis not permitted | Notification triggered by only access | Notice to AG or state agency required | |
| Alabama | ✓ | ||
| Alaska | ✓ | ||
| Arizona | ✓ | ||
| Arkansas | ✓ | ||
| California | ✓ | ✓ | |
| Colorado | ✓ | ||
| Connecticut | ✓ | ✓ | |
| Delaware | ✓ | ||
| DC | ✓ | ||
| Florida | ✓ | ✓ | |
| Georgia | ✓ | ✓ | |
| Hawaii | ✓ | ||
| Idaho | ✓ | ||
| Illinois | ✓ | ✓ | |
| Indiana | ✓ | ||
| Iowa | ✓ | ||
| Kansas | |||
| Kentucky | |||
| Louisiana | ✓ | ||
| Maine | ✓ | ||
| Maryland | ✓ | ||
| Massachusetts | ✓ | ||
| Michigan | |||
| Minnesota | ✓ | ||
| Mississippi | |||
| Missouri | ✓ | ||
| Montana | ✓ | ||
| Nebraska | ✓ | ||
| Nevada | |||
| New Hampshire | ✓ | ||
| New Jersey | ✓ | ✓ | |
| New Mexico | ✓ | ||
| New York | ✓ | ✓ | |
| North Carolina | ✓ | ||
| North Dakota | ✓ | ✓ | |
| Ohio | ✓ | ||
| Oklahoma | |||
| Oregon | ✓ | ||
| Pennsylvania | |||
| Rhode Island | ✓ | ✓ | |
| South Carolina | ✓ | ||
| South Dakota | ✓ | ||
| Tennessee | |||
| Texas | ✓ | ✓ | |
| Utah | |||
| Vermont | ✓ | ||
| Virginia | ✓ | ||
| Washington | ✓ | ||
| West Virginia | |||
| Wisconsin | |||
| Wyoming |
Regardless of the local regulations, it is critical to acquire cybersecurity protection with threat intelligence and incident response capabilities for your business. Not only does having cybersecurity minimize the risk of having to send notification of data breach to customers, which in itself can be costly, but it also minimizes the risk of a wider cybersecurity breach with the potential to send you bankrupt.
It’s worth noting that attackers have been known to perform reconnaissance on companies adhering to only regulatory requirements to understand what controls are in place for them to manipulate and bypass. Therefore, it pays to have stronger cybersecurity protection than those required or recommended by regulators in your industry.