New privacy regulations are making cybersecurity a legal requirement. Let’s start with the good news. Many states within the United States are implementing privacy regulations to protect our individual data. As individuals, this is good for us. Finally, companies will face serious consequences in the form of substantial fines for collecting more information than they disclosed, for sharing our information without our explicit consent, or for failing to take reasonable measures to protect our information. Keep the word “reasonable” in mind. We’ll be coming back to it.
GDPR got the data privacy ball rolling
This started with the European Union implementing the General Data Protection Regulation (GDPR) back in May 2018. California was next, with the California Consumer Protection Act (CCPA). New York has joined the party with its (awkward acronym award winner) Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which went into effect in March 2020. In this past year, Virginia and Colorado have both passed privacy laws, and there are many, many more laws to come. Federal legislation is in the works as well. You may think that in this highly partisan political environment it’s unlikely federal legislation will pass, but this issue has significant bipartisan support.
Let’s be reasonable
For the purposes of this article, we are focusing on only one aspect of these new laws, something they all have in common: the requirement of “reasonable” measures to protect information. So, what do “reasonable” measures look like?
Note that the word “reasonable” has a specific legal definition with a long history within the legal system (cool fact: one of the people most responsible for the “reasonableness” standard was, no joke, named “Learned Hand”). For purposes of “reasonable” cybersecurity measures, the Federal Trade Commission (FTC) provides this language:
“Employing reasonable safeguards to protect the confidentiality, integrity or availability of data given the type, amount and sensitivity of that data in relation to the size, sophistication, and capability of the organization.”
If you collect it, protect it
So, what exactly constitutes reasonable protection? While privacy laws can be somewhat general in how they define “reasonable,” a few factors are consistent. First, there are three general areas for maintaining “reasonable” security practices: administrative, technical, and physical. The New York SHIELD Act is one of the most specific, and the law defines a set of guidelines that are useful for understanding these three areas. SHIELD suggests that a “reasonable” cybersecurity program should include, at a minimum:
the designation and training of employees to coordinate cybersecurity compliance;
the use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract;
risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission, and storage;
processes and physical safeguards to detect, prevent, and respond to attacks or system failures;
the monitoring and testing of the effectiveness of the cybersecurity program;
processes to safely, securely, and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes; and
updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.
If you fail me, tell me
These regulations have requirements for data breach notification. In plain English, if you expose my data to an unauthorized party, you have to tell me about it within a reasonable timeframe. That timeframe ranges from law to law but typically is between 72 hours at the minimum and 30 days at the maximum.
Once again, it is useful to turn to the New York SHIELD Act for how it defines what constitutes a breach. Under the law, a breach refers not only to the unauthorized acquisition of protected information, but to any unauthorized access to protected information.
For example, access would apply to a situation where an employee of an organization is the victim of a phishing attack, and his or her credentials are compromised, providing a cybercriminal with access to personal information that the organization is storing. The cybercriminal does not have to obtain or copy information for it to be considered a breach by SHIELD standards.
The United States of “security”
Lacking a federal privacy law, we should fully expect states to continue to roll out laws. We should also fully expect that these laws will strengthen as they evolve. For example, California rolled out CCPA in 2018 and recently passed the California Privacy Rights Act (CPRA), which will take effect in 2023. The CPRA gives consumers more rights, expands what’s covered under a breach, and establishes a dedicated agency for enforcement. While some of these laws target commercial entities, the lines get blurred when nonprofits work with for-profit third-party providers. Some of the laws, such as the New York SHIELD Act, apply to small businesses and nonprofit organizations. For any organization working with residents of multiple states, this creates a patchwork of data privacy regulations.
What does this mean for your nonprofit organization?
Education is a key element of any cybersecurity program. In fact, providing ongoing education to your staff is a requirement of many of these laws. And the good news is that education is one of the easiest, most cost-effective, and most important things you can do to protect your organization and be compliant with today’s laws. Your staff is instrumental when it comes to protecting your organization from cyber threats—they are the front line between your organization and hackers and cybercriminals. Be reasonable, and make sure they are knowledgeable.