Recent Cyber Legislation that Will Impact Businesses with the Definition of “Reasonable”

State lawmakers are stepping up to the table and passing new legislation when it comes to cyber security and protecting personal data, some of it the first of its kind.  Many will argue that it's about time.  2018 was another brutal year when it comes to data breaches, with 4.5 billion records being compromised worldwide in the first half of 2018.  The data storage surface that holds the personal information of the public citizenry is growing exponentially while the attack surface of the enterprises that host that storage is equally expanding.  In other words, there is more personal data than ever before, and more ways than ever for hackers to exploit it.  As a result, the public is angry over the vulnerability of their hosted data, while users experience cyber security fatigue as both policies and rules seem to change constantly.  It is at times like these that legislators and politicians become involved.

California Sets Out to Better Secure IoT (Internet of Things)

Perhaps the biggest trepidation amongst cyber security professionals is the issue of IoT, and rightly so.  $235 billion was spent on IoT in 2017 and that figure is supposed to double in 2021.  Unlike traditional enterprise infrastructure, security has been an afterthought for many IoT device manufacturers.  With the proliferation of these devices throughout enterprises today, any disregard for securing them is a troubling concern.  California has now made it clear that IoT manufacturers can no longer put security on the back burner when it comes to the devices they design and manufacture.  In passing Senate Bill 327, California becomes the first state to have an IoT cyber security law.  The California Governor signed the bill last September, and it will take effect January 1, 2020.  Like many such laws, SB 327 doesn't come out with a list of specific measures and actions.  What it does require is a "reasonable security feature or features to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."  California has clearly given the signal that total lackadaisicalness concerning IoT security is no longer going to be tolerated.

The Ohio Data Protection Act

It seems that technology today is only restricted by the creativity of its architects and designers.  Perhaps it's time that lawmakers started getting equally creative when it comes to legislating cybersecurity.  The state of Ohio took an interesting step last November, adopting an entirely new approach to addressing data protection.  Rather than regulate through the pronouncement of penalties and punitive measures, SB 220 uses the carrot rather than the stick in trying to steer organizations towards taking necessary measures to protect personal data.  As part of the CyberOhio Initiative, the Ohio Data Protection Act is an incentive-based compliance act that encourages "covered entities" to implement reasonable cyber security policies in order to gain limited safe harbor against tort actions involving data breaches.  Basically, if a company is actively taking reasonable measures to protect personal data, those measures can be used as a defense, even while not contesting the facts of the breach.

South Carolina Targets the Insurance Industry

South Carolina put themselves on the map as well by being the first state to specifically target the insurance industry as it relates to cybersecurity.  The Insurance Data Security Act that was signed in May of 2018 was enacted on the first of this year.  The law requires that all non-exempt insurance licensees in the state of South Carolina must develop, implement and maintain a documented and comprehensive security program.  Like other recent state-driven cyber security legislation, the new law doesn't just apply to covered entities that reside within the state.  Like GDPR, it applies to South Carolina citizens and their data, not just its native insurance companies.  Rather than start from a fresh canvas, state lawmakers modeled the set of regulations after the National Association of Insurance Commissioners' (NAIC) Insurance Data Security Model Law, which provides a blueprint regarding how insurers, agents and other licensed entities approach the issues of data security.  In addition to other provisions, state compliance requires a mandatory cyber security risk assessment.

Vermont Regulates Data Brokers

As of January 1, 2019, Vermont became the first state to regulate data brokers that collect and sell personal information about consumers, through the enactment of new legislation known as H.764.  The new law regulates data brokers who buy and sell personal information.  H.764 defines a data broker as a business entity or unit that collects and sells or licenses to third parties the brokered personal information of consumers with whom the business does not have a direct relationship.  Data brokers must register with the Vermont Secretary of State on an annual basis.  During the registration process they must provide information concerning their business practices and outline a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards.  Covered entities that fail to register are subject to financial penalties that cap at $10,000 per year.

What All States Require is Reasonableness

This state-initiated legislation may be the first of its kind, but it isn't asking covered entities to reinvent the wheel.  Lawmakers certainly don't expect the same level of security from a small business as they do from a multiregional corporate giant.  What they do expect is reasonable action and effort concerning the practice of securing data.  It seems simple, but the vagueness of defining what is "reasonable" can be confusing and troubling at the same time.  Navigating this new maze of regulatory compliance and legal obligations is challenging for any company today.  That is why it is so important to utilize the services of someone who not only fully understands your legal requisites concerning cybersecurity, but can also provide the expert guidance and granular methodology to ensure those obligations are met.

“Reasonable” Resources

COMPLIANCE WEEK Webinar: The Questions a Judge Will Ask You After a Data Breach – Complimentary webcast (with CPE) that will explain judicial balancing tests, how they relate to regulatory definitions of "reasonable" risk, and how to conduct risk assessments that prepare you to answer the tough questions before you are asked them.

Duty of Care Risk Assessment (DoCRA) Checklist

Co-authors of CIS RAM, HALOCK can help determine your risk criteria, conduct risk assessments, establish your legal obligations and aid you in designing a comprehensive cyber security plan that meets your needs, and the directives of legislators. 

HALOCK is headquartered in Schaumburg, IL, in the Chicago area and services clients throughout the US.