Cybersecurity — especially data privacy — is one of the biggest problems facing businesses today. These security problems are compounded because every segment of every industry is affected differently, and each is subject to the risk factors peculiar to that segment. Grouping similar data together based on chosen parameters allows businesses to assess the privacy needs of each data segment they are holding. For example, the protections for public data don’t have to be as stringent as the protections for private data.
Protecting the privacy of the data with which they are entrusted is a universal business goal. The best way to get started is to answer the following questions:
- What types of data does your business have (e.g., credit card information, health information, criminal history, biometrics)?
- Which departments have access to that data?
- Who are your data service providers and what are their credentials?
- Which personnel can access the data?
- What steps has your company taken to protect the data (e.g., encryption, back-up, internal controls)?
Federal and International Regulations
The United States has no federal law protecting data privacy. A number of states, however, are responding: at least 31 states have already established laws regulating the secure destruction or disposal of personal information. At least 12 states — Arkansas, California, Connecticut, Florida, Indiana, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas and Utah — have imposed broader data security requirements. Other states, including New York, are considering legislation.
California is a pioneer on the data privacy front. The California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020, is similar to the General Data Protection Regulation (GDPR). Companies that do business in California will be affected by this legislation.
At least some of the activity at the state level is in response to the European Union’s enactment of the GDPR. Any company doing business in a nation that has adopted the GDPR must comply with its consumer protections regarding data privacy. The GDPR covers many types of data, including the following:
- Personally identifiable data (e.g., names, addresses, date of births, Social Security numbers)
- Web-based data (e.g., user location, IP address, cookies, and RFID tags)
- Health (HIPAA) and genetic data
- Biometric data
- Racial or ethnic data
The bottom line is that U.S. businesses operating in multiple jurisdictions must consider these categories, as well as any other categories pertinent to their industry, as they segment the data they are holding. Understanding the data they hold is essential to instituting the right level of privacy safeguards.
Three Steps to Securing Your Data
Understanding your data is the first step to securing data. The second step requires knowing the relevant laws and regulations your business must comply with.
The third step is to stay alert for any indications of a breach. The sad truth is that many data breaches go on for quite a while before they are discovered. The time lapse between hack and discovery allows hackers to continue accessing vulnerable data. That makes constant monitoring an important aspect of any data security program. Watching for the signs of a breach — such as an unanticipated spike in bandwidth usage — can indicate a problem.
By following these three steps, businesses can be sure they are doing their best to protect the data they and their data service providers hold.
If you have questions, contact an MCB Advisor at 703-218-3600 or click here. To review our business planning articles, click here. To review our tax news articles, click here. To learn more about MCB’s tax practice and our tax experts, click here.