Cybersecurity is a major concern for all organizations today that utilize digital technology, and one of the initial questions for any organization must be, “What are my legal obligations when it comes to cybersecurity?” Of course all organizations want to protect their intellectual property, their reputation and their technology capital investments. To do this, every organization needs to develop a cybersecurity strategy that will serve as the blueprint that will direct the focus and resources in order to secure the enterprise. While it is natural to emphasize the creation of policies and selection of required security tools that make up an effective multilayer security strategy, one must not forget the legal aspects involved in protecting personal data.
This is a core question that cannot be ignored because cybercriminals are not going to ignore you. As the Forbes Technology Council so directly states, there are certain laws when it comes to cybersecurity. The first two are:
- If there is a vulnerability it will be exploited
- Everything is vulnerable in some way
Of course these are facetious laws concerning the challenging reality of cybersecurity today. The blaring truth that they convey however warrants the necessity to fully understand what is legally required when it comes to securing the personal data of employees, customers and third parties. Like all legal matters, your company’s legal obligations depend on your circumstances such as country and state of origin as well as the industry you are in. So the first thing you must understand is the scope of your legal obligations.
We live in a global economy today in which the lines of international boundaries are increasingly difficult to discern in a digitally connected world. Multi national companies must concern themselves with issues such as data sovereignty, protecting the transfer of data and securing the personal information of citizens from across the world. This is why companies must understand the international laws that they fall under. Two notable examples are the EU-US Privacy Shield and the General Data Protection Regulation (GDPR).
The EU-US Privacy Shield is a program designed by the U.S. Department of Commerce and the European Commission that ensures that companies on both sides of the Atlantic have adequate data protection when transferring personal data in transatlantic commerce. GDPR is a comprehensive set of data protection legislation that applies to any organization which stores the personal data of its citizenry regardless of geographical location or origin. For instance, a MSP that resides in the U.S. providing storage services for a company that deals with the personal data of European citizens can be found liable and subject to excessive fines in the event of a data breach.
United States Legal Obligations
The U.S. Government has a number of protection agencies that most people are familiar with such as the FTC, FCC and SEC. These agencies create and enforce regulations and compliances for the industries that fall under their jurisdiction. The federal government also has several mandated compliance regulations involving cybersecurity. These include:
- The Federal Information Security Modernization Act of 2014 (FISMA Reform) – This act was signed into law in order to establish a set of guidelines and security standards that federal agencies must meet concerning the handling of personal data involving U.S. citizens.
- The Health Insurance Portability and Accountability Act (HIPAA) – Any company or organization that deals with personal health information (PHI) of people must comply with the security provisions outlined by HIPAA concerning the handling of that data. HIPAA falls under the jurisdiction of the U.S. Department of Health and Human Services.
- Sarbanes-Oxley Act (SOX) – Although SOX doesn’t specifically pertain to cybersecurity, there are sections of it that do relate to the security of data. SOX was created to protect shareholders and thus applies to publicly traded companies.
The necessity to enforce the security of personal data has not gone unnoticed by state governments. Just last year the state of California passed the California Consumer Privacy Act that will go into effect in 2020. Like GDPR, its data privacy protections follow its citizens across state lines so that companies that reside outside of California will be forced to comply with their security requirements or face stiff penalties. This legislation most likely have far reaching effects for companies nationwide.
Nearly every state has some sort set of regulations regarding the safeguarding of personal data. Massachusetts enacted 93H requires all businesses residing in that state to comply with provisions that outline the protection of data by encryption as well as the proper disposal methods of that data. Another example is Illinois’s Personal Information Protection Act that specifies security measures concerning the protection of data and establishes the required expectations of an organization in the event of a data breach.
The Challenge of Open Ended Guidelines
One big challenge for those organizations which fall under the jurisdiction of one or more of these national and international compliance regulations is that these guidelines offer little specificity as to how to achieve actual compliance. They serve as a starting point only, forcing many organizations to seek methodical guidance from information security service providers.
Some industries have been forced to enforce their own set of security of standards in order to assure the necessary confidence amongst their customers in order to operate. One example is the payment card industry. If the holders of these cards lost confidence in the security of their transactions, they would abandon the practice of using them, forcing dire consequences for not only the payment card industry, but retail as well. The Payment Card Industry Data Security Standard (PCI DSS) mandates how any company that accepts credit card payments must store and transmit credit card data during and after a payment transaction.
Duty of Care Responsibility
When it comes to issues of liability, cybersecurity is no different than any other type of issue of accountability. Whether a case concerns the incident of who is responsible for someone injuring themselves while slipping on a wet floor, or a group of people whose personal information was compromised as a result of a data breach, the issue of duty of care comes to fruition. In the occurrence of a liquid that was spilled on the floor of a retail establishment, the determination of what a reasonable person would do to eliminate that risk would be the center of an involved legal case. Similarly, the question of what steps a reasonable person would have implemented to protect the personal data it stored would be a determining factor as well.
The Need for Duty of Care Guidance
Of course, we have only skimmed the surface of the legalities involved in cybersecurity today. The fact is that navigating the growing maze of regulatory compliances and legal obligations is challenging for any company today. That is why it so important to understand the legal requisites for your concerning cybersecurity and granular methodology to ensure those obligations.
Do you know reasonable? Organizations need to balance their compliance requirements, cybersecurity safeguards, and the effects on customers and public. In essence, organizations must find the right blend of their mission, objectives, and obligations in order to implement the most effective cybersecurity strategy for their unique situation.
How Do We Achieve that Balance?
CIS RAM – CIS® (the Center for Information Security) Risk Assessment Method (RAM)
This risk framework enables organizations to build reasonable and appropriate cybersecurity safeguards for their specific environments. This methodology helps you define your acceptable risk level, achieve compliance and ensure that your organization devotes the proper amount of resources to security.
CIS RAM is based upon the Duty of Care Risk Analysis Standard (DoCRA). DoCRA offers principles and practices for analyzing risks that addresses the interests of all parties potentially affected by those risks. DoCRA processes allow organizations to evaluate risks and safeguards and develop an analysis that can be easily communicated to authorities such as regulators, judges and other parties who may be harmed by those risks.
Leveraging the DoCRA method gives a process of determining your risk criteria in order to meet your legal obligations and standard of due care.
Resources to Define Acceptable Risk