Are your communications about internal cybersecurity & privacy protected?

Companies often hire professionals to help achieve compliance with various data protection laws in the US and around the world. Surprisingly, the professionals hired to assist with legal compliance are not always lawyers. This leads to situations where companies are left without the basic protections recognized exclusively in attorney-client relationships, such as privilege over their communications about internal cybersecurity and privacy.

Caution Against Cybersecurity Without Data Privacy

The Conundrum

I’ve noticed an interesting conundrum: cybersecurity programs operating without consulting a privacy attorney.

When I first realized that cybersecurity was being implemented without consulting a privacy attorney, I thought, “how?” and “why?” How would you know which data requires cybersecurity if you don’t know which data is entitled to privacy? Why would you spend money on a cybersecurity program that might not help you avoid legal liability and fines?

A privacy law determines what needs to be protected. Cybersecurity is how to protect it.

Privacy Law & Cybersecurity Work Together

From trade secrets to personal identifying information, we look to the law to understand which types of data are entitled to privacy. Some laws even dictate how we achieve privacy by mandating security measures such as encryption. The laws might also impose duties and obligations on companies that handle data. Failure to comply with privacy laws can cost companies a lot of money in the form of penalties, fines, expensive lawsuits, and crippling damage to reputation. Without a proper assessment of privacy law, a cybersecurity program might not include the security measures that reduce legal liability or allow the company to meet its legal obligations. Cybersecurity without data privacy is an expensive shot in the dark. I can only assume that when companies pursue cybersecurity without understanding data privacy laws, they do so out of ignorance or misunderstanding rather than intent.

Rather than randomly applying cybersecurity measures, companies should narrow the focus of their cybersecurity programs by tailoring them around potential legal liability. Of course, it is crucial to implement general cybersecurity to protect the company’s network from malicious attacks and intrusions, but it is also important to understand that some types of data require additional security, procedures for destruction, processes for obtaining appropriate consent and access, and other requirements depending on applicable privacy laws. Such requirements should be addressed in a comprehensive cybersecurity program.

Consider basic home security. We put locks on the outward facing doors and windows to protect ourselves and our belongings. Many of us even install alarm systems. We put locks on bathroom doors to protect privacy. But do we put locks on all doors? For some reason, we do not put locks on closet doors. It is another door, yet not deserving of a lock because of the general understanding about how closets are used and the expectations of privacy and security within a closet. Of course, you could add a lock to your closet door. Nothing is stopping you. You could add locks to every single door and cabinet in the house. But this would be unnecessary and inconvenient. Could you imagine having to unlock a cabinet door to get a cup for water? Even though it is possible, we simply do not need locks on every door and cabinet.

Unlike the common sense we share about home security and physical privacy, cybersecurity and data privacy are less intuitive. The good news is that rather than relying on intuition, we have privacy laws to guide us in determining which doors in the cyber world require locks, so that we are not wasting resources by installing locks that are unnecessary and inconvenient.

Having a cybersecurity program without considering privacy law might not only be a waste of money; it could also miss the target and leave your company exposed to legal liability.

What do you mean by "Where is my data"?

You may have recently been instructed to “know where your data is located,” or maybe you’ve been asked, “where is your data?”

The location of your data refers to its physical location. Somewhere a machine is sitting in a room, storing your information. These machines are called servers, and there can be more than one. Your data could be fragmented among multiple services, in multiple locations. Here are a few examples of where your data might be stored:

· Desktop computer
· Laptop computer
· Phone
· Printer
· Scanner
· Your personal server
· Server belonging to the cloud service provider
· Server belonging to a third party contracted by your cloud service provider
· Servers used by mobile applications that store your information

Admittedly, the above list starts off with no surprises and then trails off into the weeds. You may be wondering how you can possibly know anything about servers owned by other people. Many people ignore this information, but recent changes to data protection laws have increased liability for ignorance. To use software services, you consent to the terms of service or end-user agreement. Embedded in these agreements you will find details about how a company uses your information and where its servers are located. Hopefully, you will also find details about any third parties with access to your data (i.e., third parties storing your data).

You can audit yourself by listing all of the devices from which you can access your data. Then list all of the platforms you use to access data; these typically require, or at one point required, some sort of login credentials. Review the terms of service and end-user agreements for each service provider. Finally, list the applications you use and review their terms of service.

With a simple audit, you will be more informed about where your data is located and be better prepared to answer the tough questions.

Attention Small-Medium Businesses: Cybersecurity Can Cost You Everything

Small and medium-sized businesses (“SMBs”) are not immune from cyber liability and can be held responsible not only for a cyber breach, but for lax cybersecurity. Lax cybersecurity will inevitably result in financial harm in the form of penalties or lost business.

Historically, SMBs may have thought of themselves as too small to be noticed in matters involving cybersecurity. Perhaps the idea that SMBs could go unnoticed was reinforced by an assumption that only big businesses could be monitored or held accountable for a data breach. After all, why would anyone care to monitor the cybersecurity of an SMB?

With the strictest laws in data privacy and, effectively, cybersecurity taking effect in May 2018, the days of going unnoticed are over. While the new laws might not directly affect SMBs, the indirect effects will be just as significant to an SMB’s existence.

For example, businesses directly impacted by the new laws will have a duty to ensure their third-party vendors have adequate security measures to protect data. The third-party vendors are often SMBs. An SMB’s failure to use adequate security will cost the business substantial amounts of money. Rather than risk millions or billions of dollars (i.e., GDPR fines), the business directly affected by the strict laws will have a strong incentive to trade the insecure SMB for more secure alternatives.

As if a threat to a company’s existence were not sufficiently compelling, there are also U.S. laws that directly impact SMBs. Depending on the SMB’s industry and the type of data collected, laws that dictate data privacy might require strict security. Violations of such laws may subject SMBs to financial penalties, fines, and other civil punishment.

To demonstrate that no business is small enough to go entirely unnoticed, imagine a boutique hair salon. The salon regularly purchases hair products from an international distributor. The salon uses an online portal to order supplies, and since orders are fairly regular, they are scheduled automatically every few weeks. Imagine that the salon also accepts credit card payments and stores customer information to track a salon-awards program. The awards program offers customers credit at the salon for each fifty dollars spent. The salon has no cybersecurity policy because the owner believes the salon doesn’t work with “technical stuff” or “secrets” that a hacker would want. There is one administrative password shared by the staff. It is “password123”. The same password is used to log in to the distributor’s portal. The company has been in business for ten years and has had to buy more computer storage for all of the customer information. The salon has never purged information.

For the salon, it is business as usual until one day the computers are down. The salon can’t process credit cards, and the computers seem to have a glitch. The salon will eventually realize that its systems have been breached. Credit card and customer information have been stolen, and the salon’s portal to the distributor is compromised. As a result, the international distributor is also breached.

Laws involving cybersecurity, data, and privacy, directly and indirectly, can have a devastating impact on SMBs. It is more important now than ever that SMBs implement an adequate cybersecurity program. There are many online guides to help you get started. There are also cybersecurity consultants, experts, and attorneys who can help you understand how to protect your data, comply with laws, and ultimately minimize your liability. Cybersecurity is an investment in the future of your business. For SMBs, it is survival of the securest.