Staying on top of the legal cybersecurity landscape can be challenging. As the number of state, federal, regional, and international laws that govern the digital world continues to grow, how can your organization know which rules to focus on?
You should never underestimate the power and impact of privacy and data regulations. Companies that have failed to meet standards have been hit with fines running into the millions, suffered brand reputation damage, and faced class-action lawsuits. Let's dive into the three points you should cover to avoid these risks before discussing international, U.S. federal, and state laws.
Unraveling the legal landscape of your operations
The first point to focus on is where your company operates (which countries and states) and where your customers are based. Additionally, if your company is expanding into new markets and regions, the standards you must meet will expand as well.
Secondly, pay close attention to the contracts you sign with your customers. Customers will typically call out the minimum standards your organization must meet to protect their data. As a McKinsey survey reveals, consumer trust in how their data is handled is very low and varies by industry. Consumers will not hesitate to take action against your company if their data is mismanaged or breached.
Finally, it is critical to consult a privacy law firm when evaluating the laws that will affect your company. When choosing a firm, ensure it is experienced in managing and serving businesses similar to yours and is familiar with your business type.
International Law and U.S. Federal Law
The most important international law is the General Data Protection Regulation (GDPR). The GDPR brings a 21st Century human rights approach to data and cybersecurity.
GDPR is the first law of its kind to truly take a crack at protecting an individual’s identity and recognizing that our data privacy is something important that should be guarded. While the law isn’t perfect, it gives EU citizens a chance to fight back against organizations that are blatantly taking advantage of their data.
GDPR-info explains that the most serious GDPR violations can face fines of up to 20 million euros or up to 4% of a company's total global turnover of the preceding fiscal year.
Unlike the European Union, the US has no single federal law regulating cybersecurity and privacy. However, several federal laws may apply depending on the type of organization and industry in which your company operates.
The Consumer Privacy Protection Act of 2017 is designed to ensure the privacy and security of sensitive personal information. It applies to any organization that manages data of 10,000 or more U.S. citizens during any 12 months. It was enacted to prevent and mitigate identity theft, provide notice of security breaches, and enhance law enforcement assistance.
On the other hand, the Homeland Security Act, signed into law by George W. Bush in 2002, was enacted after the 9/11 attacks. Its primary goal is to reduce the vulnerability of the U.S. to terrorism, and it relates to national security data.
Other federal laws are sector-specific. For example, if you work in the U.S. in the financial industry, you must comply with the Gramm-Leach-Bliley Act. The law controls how financial institutions deal with the private information of individuals.
Under the Cybersecurity Information Sharing Act, your tech company has to share data with the government to help identify threats sooner. If your company works in cybersecurity, this law is fundamental, especially today, as nation-state cyberattacks are on the rise. Other federal laws are even more niche in their application, such as the laws that only apply to U.S. Department of Defense (DoD) contractors, or the Children's Online Privacy Protection Act (COPPA), which regulates websites and online services that target children under the age of 13. Finally, HIPAA only applies to healthcare, setting standard protection measures for personal information stored by the healthcare industry.
State-level cybersecurity laws
At this point, almost every state has data privacy laws. While most of them are lackluster, you should still pay attention to them due to the risk of a lawsuit in the event of a data breach.
Typically, the strategy is to use a more robust standard, such as GDPR, as your baseline so that you can have comfort knowing you are applying more stringent standards to your data privacy than is required by these state-level laws.
According to Ludwig APC, California has always led the way in state privacy laws. In 2004 the state enacted a law that required companies to implement and maintain reasonable security to protect personal information from unauthorized access and use. Over 23 states have since enacted similar cybersecurity regulations, known collectively as “Reasonable Security Laws.”
Another well-known California state law is the California Consumer Privacy Act (CCPA) of 2018. The law does not impose requirements on businesses, but it creates a right of action for individuals impacted by a data breach. As mentioned before, customers and users will pursue legal action whenever their data is impacted by a cybersecurity incident.
Western Alliance Bank explains that there has been explosive growth in data-privacy class-action suits, and these will continue to rise as cybercrime proliferates. To respond to the growing number of data-related legal cases, companies can turn to state laws known as "Safe Harbor Laws". These are legal protections companies can invoke when being sued by individuals or by a class action.
The legal world has rapidly evolved to meet the demands of the technological era. Organizations that meet legal standards open doors to new business opportunities, avoid fines and lawsuits, build reputation and performance, and provide enhanced security.