We spend a lot of time talking about and focusing on protecting ourselves from outside threats, but there could be several things that your business already does that violate data privacy or cybersecurity laws today. I’m going to show you the top three laws that you are probably not complying with and some tips on how to clean it up.
Because of the subject matter of today’s article, I need to remind you that I am not an attorney. Only an attorney can provide assurances that the information contained in this article and your interpretation of it – is applicable or appropriate to your particular situation. I have included a full disclaimer at the end of this article as well.
Not Keeping Records of Near Misses
Have you ever thought that you had a cybersecurity breach but, after a closer look, determined that it actually was not a breach at all? Usually, right after, you have a sigh of relief. Then, if you’re really on top of your game, you learn from that near miss and make some security improvements. But after a few days, details about that incident start to fade and you move on to new business. Did you know that, according to commercial law in several states, you are required to maintain a record of investigations determined not to be a breach? In Maryland, for example, you must keep the record for 3 years.
Not Complying With State Regulations
You may actually be breaking the law if you do not handle your customers’ data according to the regulations of the state they reside in. If your customers live in the EU, you may really be in some hot water, even if you don’t realize it yet.
You must comply with the data privacy and/or consumer protection laws where your customers reside. This is in addition to the laws where you operate your business. I am specifically referring to the regulations outlining your obligations in the event of a data breach. In the US there are no commercial data privacy laws that apply to all citizens. So, each state has its own data privacy or consumer protection law that addresses an organization’s obligations in the event of a data breach. The problem with this is that each state has its own interpretation of what is considered a data breach, who needs to be informed, and how long you have to notify impacted customers.
You should definitely work with your attorney to develop a strategy, because the requirements vary wildly from state to state. For example, in Maryland you have 45 days to notify affected residents of a data breach, in Delaware you have 60 days, while in Virginia it’s simply “without unreasonable delay.” Some states also require you to provide credit monitoring for a specific duration to each impacted customer, while other states don’t. It’s a mess we all have to deal with until a federal law is created.
Not Reporting Unauthorized Internal Data Exposure
Have you ever accidentally sent, or unexpectedly received, an email containing personal information about customers on an email distro? If there were employees on the distro who were not authorized to see that info, then you may have just experienced a data breach. Several state laws define a data breach as, “Unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”
By this definition, sending an email to the wrong distribution list, even if it only went to employees inside your organization, would be considered a data breach. And just like any other data breach, it needs to be investigated and reported according to applicable laws and regulations. If it isn’t, then you’ve just broken the law.
Summary
We are more likely to put our organizations at risk simply because we aren’t aware of our legal obligations when it comes to our customers’ data. Take this opportunity to discuss these obligations with your attorney and build a strategy to protect your organization and your customers.
Disclaimer
The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available in this newsletter are for general informational purposes only. Readers of this newsletter should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this content should act or refrain from acting on the basis of information in this article without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. All liability with respect to actions taken or not taken based on the contents of this article is hereby expressly disclaimed. The content in this article is provided “as is”; no representations are made that the content is error-free.