Data breaches are becoming all too common to see reported in the media.
This year alone, Ticketfly, Panera, Facebook, and Adidas were among the newest victims of successful cyberattacks. Unfortunately, there are no signs of cyberattacks slowing down. In fact, it's quite the opposite.
According to the Breach Level Index, the total number of data records compromised in the first half of 2018 was over 3 billion. That figure increased by 72 percent over the same period of 2017, and the number of records breached every day, hour, minute, and second almost doubled between 2017 and 2018, according to the Index.
Although data breaches almost always make headlines when they occur at big-name brands, they can be even more devastating to small businesses. To protect businesses and consumers alike, governments have made cybersecurity a bigger focus, passing numerous cybersecurity laws in recent years. Intended to help prevent unauthorized access to or theft of sensitive consumer information, such as financial and health care data, many of these laws carry mandatory compliance requirements.
Other legislation, such as the NIST Small Business Cybersecurity Act (August 2018), aims to create resources that small businesses can use voluntarily to help identify, assess, manage, and reduce their cybersecurity risks.
The Broad Reach of Cybersecurity Legislation
Existing and emerging cybersecurity legislation creates a complicated and dynamic landscape. The U.S. has 51 sets of cybersecurity laws--federal laws and individual state laws. California alone has more than 25 state privacy and data security laws. In addition, there are security-related executive orders and regulations issued by administrative agencies like the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC).
Most existing cybersecurity legislation is designed to address specific industries. For example, if you operate in the health care, health insurance or biomedical arena, you must be familiar with the Health Insurance Portability and Accountability Act (HIPAA). Companies that offer financial products or services to individuals, such as loans, investment advice, or insurance, are subject to the Gramm-Leach-Bliley Act (GLBA). Another example is the Payment Card Industry Data Security Standard (PCI-DSS), which applies to any business that accepts credit card payments, including e-commerce websites.
With the European General Data Protection Regulation (GDPR) becoming effective in May 2018, many businesses are now also subject to international regulation. Any business that handles personal information--a name, photo, email address, bank details, posts on social media, medical information, or a computer's IP address--for any European Union citizen is now subject to GDPR, regardless of where the business is located. The California Consumer Privacy Act, passed in 2018 and scheduled to take effect in 2020, follows the GDPR model closely, applying it to the data of California residents.
Where to Start
As a small business, how do you know which laws are relevant to your company? Overall, any business that collects personal data, including information gathered via its website, is subject to relevant federal, state, and international regulations.
It's important to become familiar with the laws that apply to your specific industry and make sure that your data and IT practices are compliant, including your online practices and website. If you need assistance, you can engage a security consultant to help evaluate your practices and provide recommendations.
Another option is to participate in small-business forums or attend a security seminar, where you can learn best practices from your peers.
It's important to remember that website security plays a big role in protecting regulated data, as websites are often a primary channel for data collection. If you're not sure that your site is as secure as it should be, ask the following questions:
- Does my site have an SSL certificate?
- Is my website administrative panel protected with multi-factor authentication to help prevent bot attacks?
- Is my site running the most current version of software, including all plug-ins?
- Does my hosting infrastructure have hardware/software firewalls at the server and application level?
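The first question on that list is easy to answer by hand once, but a certificate can quietly expire or a site can keep answering over plain HTTP long after it was set up. The script below is an added example, not code from the original article: it uses only the Python standard library to fetch and verify a site's TLS certificate the way a browser would, report how many days remain before it expires, and check that a plain-HTTP request is redirected to HTTPS. The hostnames, the sample certificate dictionary and the reference time are constructed for illustration.

```python
"""Check a site's TLS certificate and HTTPS enforcement (added example, standard library only).

Assumes Python 3.8+. `fetch_certificate` and `https_enforced` need network access;
`days_until_expiry` is pure and is exercised on the constructed sample below.
"""
import socket
import ssl
import time
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample: the shape SSLSocket.getpeercert() returns, with only the
# field this example needs. Not a real certificate.
SAMPLE_CERT = {"subject": ((("commonName", "example.test"),),),
               "notAfter": "Jun  1 12:00:00 2030 GMT"}
# Constructed reference "now", exactly one non-leap year before the sample expiry.
REFERENCE_TIME = ssl.cert_time_to_seconds("Jun  1 12:00:00 2029 GMT")


def days_until_expiry(cert, now=None):
    """Days remaining on a certificate dict as returned by getpeercert().

    Negative means the certificate has already expired."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now) / 86400.0


def fetch_certificate(hostname, port=443, timeout=5.0):
    """Open a *verified* TLS connection and return the peer certificate.

    create_default_context() checks the chain against the system trust store and
    matches the hostname, so a self-signed, expired or mis-issued certificate
    raises ssl.SSLError instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def https_enforced(hostname, timeout=5.0):
    """True if a request to http://<hostname>/ is redirected to an https:// URL."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None stops urllib from following the redirect, so the 3xx
        # surfaces as an HTTPError whose Location header we can inspect.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        opener.open("http://%s/" % hostname, timeout=timeout)
        return False  # served content over plain HTTP: not enforced
    except HTTPError as err:
        location = err.headers.get("Location") or ""
        return err.code in (301, 302, 307, 308) and location.startswith("https://")
    except URLError:
        return False  # connection refused or unreachable over port 80


def report(hostname):
    """Print a short posture summary for one site; returns the findings as a dict."""
    findings = {"host": hostname}
    try:
        cert = fetch_certificate(hostname)
        findings["cert_valid"] = True
        findings["days_left"] = round(days_until_expiry(cert), 1)
    except (ssl.SSLError, OSError) as err:
        findings["cert_valid"] = False
        findings["error"] = str(err)
    findings["https_enforced"] = https_enforced(hostname)
    for key, value in findings.items():
        print("%-15s %s" % (key, value))
    return findings


if __name__ == "__main__":
    import sys
    report(sys.argv[1] if len(sys.argv) > 1 else "example.test")  # placeholder host
```

Run it as `python check_tls.py yourdomain.example`. A `cert_valid` of `False` with an `ssl.SSLError` message means browsers will show a warning for the site; a low `days_left` is the cue to renew before that happens; and `https_enforced` of `False` means form data submitted to the bare `http://` address travels unencrypted even though a certificate is installed.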
Depending on the nature of your business, it's important to understand how your online business practices can be impacted by cybersecurity legislation and ensure you are compliant with any relevant regulations. Here are four easy steps you can follow:
- Minimize the amount of data you collect from customers, gathering only what is absolutely necessary
- Inform users about the data you collect and how it is used
- Clean up customer databases and delete the data you don't need
- Ensure that your website, infrastructure, and data assets are secured to the highest degree possible
Cybersecurity Legislation Roundup
Understanding cybersecurity legislation doesn't have to be overwhelming or intimidating, nor does it have to take up large amounts of time. You can visit the National Cybersecurity and Communications Integration Center (NCCIC) and quickly find information about current security activity, recently identified vulnerabilities, and access to advice and best practices. The U.S. Small Business Administration cybersecurity site also offers valuable tools and education.
Cybersecurity legislation applies to almost every business. With these steps, you can better evaluate your company's security posture relative to applicable law and align defenses accordingly.