For many months we’ve been hearing that GDPR could impose huge costs on companies which suffer data breaches. In fact, penalties could be as high as 4 percent of global revenue or $24.5 million, whichever is greater.
In addition, the U.S. is contemplating similar regulations. Individual states have their own regulations, and these are in a constant state of flux. Since federal regulations haven’t been implemented and states are acting on their own, companies are caught in a patchwork of regulations which often conflict.
According to New York Law Journal:
Currently, notification following a breach is governed by 50 different state laws, as well as sector-specific standards such as the Gramm-Leach-Bliley Act (applicable to the financial services industry) and the Health Insurance Portability and Accountability Act (applicable to personal health care information). These laws vary widely with respect to the requirements they impose on covered entities, including the categories of compromised data and types of compromise that trigger a notice requirement, the time frame within which notice must be provided, and the information that must be included in any notice.
In some instances, state laws even contradict each other: Massachusetts, for example, prohibits describing the nature of a breach in any notice, while some other states, including North Carolina, expressly mandate that such information be included. Moreover, states have been amending their breach notification laws with a frequency that complicates the challenge of complying with them. Since the start of 2018 alone, at least 30 states have enacted or are considering bills that would amend existing laws to, among other things, expand the range of covered information and impose stricter deadlines for providing breach notification. This web of varied and changing requirements can be challenging for any entity—and particularly one in the midst of a significant cybersecurity incident—to navigate.
While there may be significant benefits to a federal standard, it is critical that any standard incorporate the practical challenges of responding to a data breach. Beyond the fact that the proposed Senate bill would introduce yet another sector-specific breach notification law rather than a law of general applicability with preemptive effect, in our experience, the provision of notice to affected persons within 72 hours of learning of a cybersecurity incident is often very challenging, if not impossible, and may create substantial confusion for consumers as well as legal and reputational risks for the company.
Shark Tank’s Robert Herjavec said the U.S. needs to get ready for cybersecurity laws and take the precautions needed to protect itself.
According to Larry Szebeni, COO of Apex Technology Services, to minimize the risk of a data breach, companies should specifically do all of the following, right away:
- Cybersecurity training should be performed every six months. It should ideally be live and interactive. Human error is one of the greatest risks to customer data.
- Auditing and documentation must be performed regularly to ensure systems are secure. This should be done by personnel who don't run the day-to-day operations.
- Anomaly detection should be running constantly to detect threats as they emerge.
- Penetration testing (pen testing) shows if systems can easily be reached and breached. Here is a case where such a test might have saved the reputation of two companies. Annual or more frequent pen testing is optimal.
- An action plan should be in place to follow if a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a PR catastrophe.
There has been a tremendous increase in cybersecurity incidents. In addition to individual hackers and organized crime syndicates, terrorist groups like ISIS and nation-states like Iran, Russia and North Korea are targeting U.S. corporations and government agencies.
No company can be complacent about protecting customer data and expect to remain in business: the threat is growing, cybersecurity insurance rates are rising and government fines are increasing. The longer an organization waits to deal with these issues, the more peril it will likely be in.
Add to that this new patchwork of global regulations, which are often in conflict, and you realize that a breach will bring massive technology and business downtime costs, a potential loss of customers, reputational damage and now, potentially, spiraling legal costs to handle disclosure and compliance.
To ensure your organization is as secure as possible, consider the APEX Connecticut cybersecurity training program, included in its comprehensive cybersecurity solution, which is the equivalent of the cybersecurity kit mentioned in the Connecticut Cybersecurity Action Plan.
For more information, contact Apex Technology Services at 203-295-5050.