State Privacy Laws Coming. Are You Ready?

Introduction

After the General Data Protection Regulation (GDPR) went into full effect in May 2019, many U.S. states, seeing the federal government lagging in this area, took up the fight and have either enacted or are in the process of creating regulations covering privacy, data security, cybersecurity, and data breach notification.

Larger corporations have robust legal departments advising them on changing regulations and compliance. Most Small-to-Medium Size Businesses (SMBs) do not.

Think about this scenario: One of your employees notifies you that they lost their laptop over the weekend. Aside from the cost and inconvenience of buying a new laptop, could you be on the hook for higher costs, and should you notify all your clients? Maybe, depending on where you live, the type of data stored, and whether the hard drive was encrypted.

A recent CSO Online post detailed 11 states that have either enacted privacy regulations or will shortly. The point is, GDPR let the genie out of the bottle, and many more states will follow suit. Are you ready?

Data of all kinds have grown exponentially

Companies are storing more and more data, and most states are starting to aggressively enforce data breach and security laws, setting out the responsibilities for businesses capturing and storing personal data.

What do most states consider confidential or sensitive data? Medical and financial records such as credit card numbers, credit scores, and bank account numbers, but also addresses and phone numbers, social security numbers, birthdays, and in some cases purchase history—information that almost every single company normally keeps on their clients.

Many companies aren’t even sure exactly what kinds of data they’re capturing and storing!

With millions of cyber-criminals working around the clock to hack systems, and with employees accessing more and more confidential data daily, there is no known way to absolutely, positively guarantee you won’t have a data breach. However, putting good, solid security best practices in place will go a long way toward helping you comply with current law and, hopefully, avoid hefty fines.

Start with the basics

  • Manage access to information. Who can access the confidential information you store in your business? Is this information easily accessible by everyone in your company? What is your policy about taking data out of the office on mobile devices?
  • Get serious about IT security and passwords. The more sensitive the data, the higher the level of security you need to keep on it. Are your passwords easy to crack? Is the data encrypted? Is it secured behind a strong firewall? If not, why not?
  • Train your employees. One of the biggest causes of data breaches is employees who accidentally download viruses and malware, allowing hackers to gain entry and steal your data. Do you have a data security policy? A password policy? Do you have training programs to help employees understand how to protect themselves and your company when using e-mail and the Internet?
  • Make sure you can restore data quickly. The GDPR’s Article 32(1)(c), titled “Security of processing,” covers expectations relating to data security. It states, in part, that responsible entities must have: “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” Some state regulations have similar provisions.

    A managed Hybrid-cloud Business Continuity solution can reduce downtime to just minutes and hours versus days and weeks using data-only backup systems. Get expert advice.
  • Physical security. Thieves can break into offices and steal servers, laptops, other digital devices, and paper documents. Are hard drives on all mobile devices encrypted? Are physical documents locked up every night, and those containing personal data shredded when no longer needed? Are servers located in a locked room with restricted access?

Operating in multiple states is tricky

You are subject to the data privacy laws of the states in which you do business. Review the regulations of each state and create a data security plan that encompasses them all. A daunting task!

My suggestion is to use the GDPR as the basis of your security plan. It is the most comprehensive and wide-reaching of all privacy regulations worldwide, so far. If you use it as your model, you’ll know what kind of data you have, where it is stored, and what protections you presently have, and you’ll have a plan to come into full compliance.

Conclusion

EVERY business is responsible for data security. Not addressing this important issue has consequences that go beyond the legal aspect; it can seriously harm your reputation with clients. So be smart about this. Read the GDPR and the privacy regulations of the states you operate in, and talk to an attorney who is knowledgeable about privacy laws.

Take action now; don’t put this important issue on the back burner.
