By Benjamin Orsatti, Esq., Associate General Counsel & Senior HR Consultant, East Coast Risk Management
“Cybersecurity” is a bit like plumbing: most everybody thinks it’s a great idea, but we don’t really give it much thought beyond that until something goes horribly wrong, like a data breach. It’s easy to be lulled into a false sense of security, especially if you’re not a corporate giant like Yahoo, Equifax, Target, or Uber. “Why would a hacker want to steal data from little-old-me?” Oh, really? So, you’ve never been tempted to peek into your friend’s medicine cabinet while using their bathroom? In fact, a 2015 study determined that 43% of intentional data breaches (“cyberattacks”) have had small businesses as their targets. (Evan Kline, How to Navigate Cybersecurity in 2018 Directions to Guide Your Efforts, Pa. Law., March/April 2018, at 30). And it wouldn’t be surprising to find that proportion to have increased since then, as larger companies have been retaining sophisticated technology firms to protect their customers’ and employees’ data.
What to do, as a small or mid-sized company, depends first on where your business operates. If you do business in a jurisdiction that has its own data protection laws, you might not have a choice as to whether or not you’re going to implement a cybersecurity program – you have to! The European General Data Protection Regulation (“GDPR”) can be frightening – penalties for non-compliance can reach up to 4% of a company’s global revenue, or $22.5 million dollars (whichever is greater). This is why you want to cap your GPDR liability.
If you anticipate doing a substantial amount of business in Europe, you may want to consider “self-certifying” under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Because this process involves an audit from the certifying agency, you’ll definitely want to secure both legal and technical help in advance to prepare for this audit. The International Association of Privacy Professionals (IAPP), for example, was one of the first organizations to offer both training and certification. Other training resources and certifications are also available, depending on a business’s specific needs.
Once completed, however, certified organizations are presumed to have “adequate” privacy protections for purposes of the GDPR, and EU Member State requirements for prior approval of data transfers are either waived or approval will be automatically granted.
If you don’t expect to be in possession of protected European data on any more than an occasional basis, you’ll still want to be prepared when your European client or customer presents you with a GDPR-compliant Data Protection Agreement (“DPA”) to sign. In that case, you’ll at least want to have the following “minimum” protections in place:
- Pseudonymization; which refers to a data management and de-identification procedure
- Ensuring the ongoing confidentiality, integrity, availability, and resilience of systems and services processing personal data;
- Ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; and
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
26.04, Compliance Checklist for U.S. Businesses, 3 E-Commerce and Internet Law (2019 update).
So far, so good. But this is America. We don’t bother with all that, right? New York and California have already passed their own data protection laws, so it may only be a matter of time before the trend spreads inland (I’m looking at you, Kansas!).
California (state motto: “Keeping lawyers gainfully employed since 1850”) passed what may be the most stringent data privacy law in the country in June 2018 (effective January 1, 2020): the California Consumer Privacy Act, Cal. Civ. Code § 1798.185(a). This law is crafted in terms of “rights”. Specifically, consumers will have the “right” to:
- Request that a business disclose the categories and specific items of personal information that it collects about them, the sources of information collected, the business purpose for said collection, and categories of third parties with whom the information is shared;
- Request that a business delete any personal information related to the customer;
- Demand that a business not discriminate against them if they choose to demand that the business not pass along their information to third parties; and
- Notification of their rights through issuance of privacy policies.
To prepare for potential data breaches, there are steps that a small-to-mid-sized business can take without having to create an IT department from scratch. The most fundamental of these steps is what is known as “data mapping”. You’ll want to document where data flows throughout an organization from the moment it is collected to where it is stored to the third parties with whom it is ultimately shared. In doing this, you’ll be creating an “inventory” of what data is held where. If a customer or employee demands that data be provided or destroyed, or both, you’ll then be able to find it and ensure that it stays put!
If you’re keeping your data security “in-house”, the employee or employees appointed to this task should be able to, at minimum, ensure that:
- Your server is patched with the latest security updates;
- Your network is running an advanced firewall;
- Someone is reviewing server logs to detect suspicious behavior;
- Regular backups are made; and
- The appointed employees receive regular security training.
Finally, you may be operating a business where your employees are given technology to take home with them. Fraught with peril, this is! Employees should be trained – at work and at home – on basic principles of “password hygiene” – nobody should be taking home a laptop, the password to which is “[employee or employer name]123”. If you’ve not opted for “two-factor authentication”, any device used by any employee that might contain company, customer, or employee information should be accessible only by means of a “strong” password, and must have the capability to be “wiped” of all data remotely immediately upon discovery that the device has been lost or stolen.
In short, everybody in your organization – from the CEO to the temporary seasonal help – should be trained on the best practices for protecting sensitive information. The practices should be documented in policies that are distributed and explained to all. Deviation from these policies should be subject to discipline in just the same manner as any other policy violation, as the risk of harm to the company is just as great.
That’s not so hard, is it?
If you are an employer with questions about this or any issue relating to safety, human resources or workers’ compensation, contact East Coast Risk Management by calling 724-864-8745 or emailing us at firstname.lastname@example.org.
Disclaimer: The information provided on this web site is for informational purposes only and not for the purpose of providing legal advice. Use of and access to this Web site do not create an attorney-client relationship between East Coast Risk Management or our employment law attorney and the user or browser.