CYBER SECURITY | 7 MIN READ
Since the rise of the Internet in the 1990's, government officials worldwide have been scrambling to keep up with the fast-paced nature of technological developments. Just twenty years ago, self-driving cars were an un-realistic fantasy, and cyber security law was focused around the major technological focus of the 90's: computers and the Internet. As we begin another decade, many have been questioning what form cyber security laws will take moving forward. Keep reading to see what current cyber security law looks like in regard to data privacy, what it may look like in the future, and how your business can stay compliant.
Not enough time? Jump to:
The Future of Cyber Security Law
Current Law
On both a federal and state level, cyber security law is quickly dictating how companies can process, store, and share a consumer's personal data. Keep reading to see what some of the current legislation looks like.
Payment Card Industry Data Security Standard
(PCI DSS)
Major credit card providers created PCI DSS as a way to reduce credit card fraud. If you are a company who processes data from major credit card holders, you must follow this standard and continue to stay up-to-date with regulations.
The image below, taken from the PCI DSS official website, summarizes some of the main requirements.
Since the specifics of these regulations varies based on factors such as the type of business you own, you can visit this link to see what regulations you should follow based on the type of business you own.
Though the PCI DSS isn’t technically a legal ruling passed by a court system, it still has ramifications if it’s not followed.
Penalties for non-compliance can include monthly penalties of $5,000-100,000 from your payment processors and credit card companies or in extreme cases, federal audits from the FTC. In the event of a data breach, businesses can be charged $50-90 per cardholder whose information has been endangered.
European Union General Data Protection Regulation (GDPR)
According to the EU’s GDPR website, this regulation applies to “all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location”.
There are internal record keeping requirements, especially for companies who process a lot of consumer data.
Additionally, businesses must make the terms of consent for accessing a consumer’s data short and simple, removing long blocks of text full of legal jargon. In the event of a data breach, the affected company must notify the victim within 72 hours.
Companies must be transparent about freely being able to provide consumers with access to the data that companies are keeping on them, and if the consumer wishes, the company must erase all data on the consumer from their database and stop third party companies from processing his/her data
Finally, data protection measures must be included from the onset of the design of a company instead of as an afterthought.
According to the EU’s GDPR website, non-compliant businesses could face “fines up to 4% of annual global turnover or €20 Million (whichever is greater)". However, this is the maximum fine that can be imposed for the most serious infringements.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA, also known as the Health Insurance Portability and Accountability Act, was passed by Congress in 1996. One of the main tenants of this act is to protect the privacy of healthcare patients' files and personal information.
According to the Department of Health Care Services, HIPAA requires that "health care providers and organizations, as well as their business associates, develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared."
HIPAA applies to all forms of PHI, including written, oral, and electronic. Additionally, when sharing PHI, only the minimum information necessary to conduct business should be used or shared.
If your business is in the healthcare industry, you are probably already following HIPAA. However, with cyber threats always changing, your business needs to evolve your cyber security measures to ensure that information is still securely transferred.
Businesses need to stay ahead of cyber threats and protect their PHI because those who do not comply with HIPAA can face penalties ranging from fines to jail time.
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA), passed in 1998, was the first US privacy law regarding the Internet. It deals with how websites, apps, and other online operators collect data and personal information from kids under the age of 13.
From a psychological standpoint, children under 13 are not mentally developed enough to understand their rights regarding privacy online. COPPA's main objective is to fight against this issue by involving parents in the decision about whether to release children's personal information.
COPPA has detailed requirements for companies to follow, but some key ones are that tech companies making apps, websites, and online tools for kids under 13 must provide a notice and get parental consent before collecting information from children, have a "clear and comprehensive" privacy policy, and keep information they collect from minors confidential and secure.
Companies must also comply with the Federal Trade Commission (FTC) when collecting information from minors, especially in regard to the advertising on these tech platforms.
While COPPA has been amended over the years, its language mainly speaks to websites that have content tailored for children under the age of 13. Those in violation of COPPA risk penalties such as hefty fines.
In addition to federal mandates, states are also making rulings about data protection in regard to consumer privacy. States from New York to California are instituting regulations to protect their citizens' privacy, which means that businesses must not only comply with federal laws but with state laws as well.
RELATED: Can Businesses Be Sued for Data Breaches?
The Future of Cyber Security Law
Many laws and regulations regarding cyber security are currently being passed on a local and national level, which raises questions of what trends we can expect to see in the future.
Increase in Emerging Technology Laws
In the 1950's, the idea of an inter-connected world was limited to telephones. Then the 1990's came and the Internet proved that humanity's technological capabilities far surpassed anything we could've ever imagined.
In the 1990's, we never could've imagined that our world would move so far online that our entire lives could be eased with technology, from working at home and having food delivered to buying self-driving cars and having artificial intelligence mimic the human form.
As new forms of technology continue to rapidly develop, our cyber security laws should evolve to keep up. While Congress can be slow at times to pass laws regarding every new form of technology that comes out, passing blanket laws that protect consumer's privacy no matter the technological platform helps to make these transitions easier.
However, I think that Congress will pass or amend legislation that specifically deal with new types of emerging technology to ensure that there are no gaps in the law.
Virtual reality and augmented reality, though still in their infancy, are relatively new forms of technology that raise many questions about consumer privacy.
For instance, virtual reality is beginning to expand into the healthcare industry. Will amendments need to be made to HIPAA and other healthcare-related laws to ensure that consumer data is protected on these emerging platforms? What will those amendments look like?
Other technologies like Alexa and Google Home have raised concerns about consumer privacy, as the microphone settings allow these devices to collect an un-paralleled amount of data. Legislation may need to be set in motion to restrict the amount of data collected or how that data is stored and shared.
More State-Level Rulings
The California Consumer Privacy Act and New York's SHIELD Act are just a few of the many state-level rulings that have been passed in recent years. More and more states are passing laws to keep their citizens' data protected as cyber security concerns continue to move towards the forefront of many legal conversations.
On a national level, Congress has passed consumer privacy laws that protect how data is stored and shared as well as consumer rights in the event of a data breach. On an international level, laws like GDPR showcase a collaborative effort to protect consumer privacy within the EU.
However, I think that in the coming years, national and international laws won't be enough to protect consumers. I think more states will follow the regulations set forth by states like California and New York and pass legislation to protect the privacy of their own citizens.
State-level data privacy laws allow for government officials in those states to tailor laws to fit the unique needs of their state. For instance, in states like California that have technology hubs like Silicon Valley, regulations can be modified to fit the unique issues posed by these places.
I still think that the issue of consumer privacy is tricky to solve because the methods of collecting, storing, and sharing data are constantly evolving. Tackling consumer privacy needs to be a collaborative effort, which is why Congress will need to work with both state governments and international governments to come up with a unified solution.
More Child Privacy Laws
Children are venturing online at younger ages, using the Internet for everything from playing video games to going on social media. The main law regarding child privacy online, known as the Children's Online Privacy Protection Act (COPPA), is expansive, but may not always protect minors in every way that they browse the Internet and share private information.
Technology is constantly evolving, why is why our laws must continue to adapt with them. COPPA was passed in 1998, which was before technology like mobile phones, social media, and Google Homes were around.
These new forms of technology have created massive pools of user data that are stored, shared, and sold. When it comes to minors, children in particular are not psychologically developed enough to always recognize the negative ramifications of a video game, for instance, asking for access to their private information.
This creates a unique scenario where children who don't know any better could give companies un-restricted access to their data. Laws must be passed to protect children's privacy and their data whenever they are online or using a technological platform.
In the future, more amendments to COPPA can be made, but additional laws must be passed in order to stay ahead of any new developments. Any new laws that are passed should deal with the specific threats posed by a platform, whether it's virtual reality or social media.
How to Stay Compliant
Follow Industry Leaders
Taking simple steps like registering for cyber security newsletters and following thought leaders in both the legal and cyber security sectors can help you stay on top of developing trends and laws.
If you pay enough attention to the news surrounding cyber security law, you can see patterns emerge and understand how you can improve your company to stay compliant with new legislation.
Secure Your Network
If your company is the victim of a data breach, your customers may have the right to sue you in court. You could also face fines and other penalties if you're found guilty of violating data regulations like HIPAA.
Taking simple steps to secure your network can protect your company from data breaches, prevent ransomware attacks, and keep you compliant with cyber security laws.
Taking simple steps like installing the latest anti-virus and anti-malware can ensure that security gaps are patched. Additionally, educating your employees about how to securely share private consumer data can help prevent data from being leaked.
For instance, you can utilize secure file-sharing platforms so that private information is encrypted when it's sent to someone else. If your company is in the healthcare industry, you especially need to consider a platform like this if you want to avoid violating HIPAA.
Consider Managed IT Services
Staying compliant with cyber security laws and managing your network's security while keeping a business afloat can be overwhelming. A Managed Service Provider can secure your network while keeping you compliant.
A typically un-assuming place like your office printer could have security gaps that you don't know about. An MSP can look for any gaps that exist within your network by using a network scanning tool.
They can even use a dark web scan to find what company information may have been stolen and leaked to the dark web, which can potentially point to security gaps in your network.
After assessing your network for security gaps, a Managed Service Provider (MSP) can patch them by installing hardware and software, which they monitor and regularly update.
After upgrading your network's infrastructure, an MSP can work with you to plan for your network's future. Along with updating your network to ensure compliance with evolving cyber security laws, they can help your office plan for expansions, moves, and transitions to a remote environment.
Cyber security law is constantly evolving. Your business needs to stay ahead of changes to ensure compliance and avoid penalties.
RELATED: What Is a Managed Service Provider?
