Cybersecurity is a relatively new and evolving field of technology, law, and regulation. The uncertainty and evolving state of the industry pose unique challenges to business leaders. In addition to deploying effective technical security strategies, companies must be prepared, before a data loss incident occurs, to mitigate the direct damages from the criminal, civil, and regulatory liabilities that can flow from such an event.
Today 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted their own laws requiring an organization that has experienced a data breach to notify its customers and other parties about the breach and to take other steps to remediate the injuries the breach caused. Each of these state laws defines the company's obligations, what constitutes personal information, notice methods, and exemptions differently.
It is unrealistic to expect an SMB to know the myriad data privacy and data breach laws. However, business leaders need to know in advance whom to call if they believe a breach has occurred. Experts such as information sharing communities like the SMB iSAO, cybersecurity lawyers, and cyber insurance providers can help sort through the confusing regulatory requirements. You also need to familiarize yourself with the various data protection standards for specific industries or specific business practices, for example the PCI Security Standards Council's Payment Card Industry Data Security Standard and federal data security regulations such as HIPAA, which covers how your organization must handle protected health information.
Today the state of cybersecurity law is unfortunately piecemeal. Statutes, regulations, and common law standards describing a corporation's cybersecurity obligations are scattered across state and federal law. This fragmentation makes it difficult for businesses to understand what their legal obligations are.
This complicated landscape creates numerous challenges for company decision-makers and requires that corporate leaders educate and prepare themselves both to defend against a potential breach and to coordinate the response that follows one.