As Published in MD News Cleveland/Akron/Canton January February 2018
In the first article of our cybersecurity series in the November/December 2017 edition of MD News, we explored the definition of cybersecurity and how it differs from, yet relates to, privacy. In this article, we will introduce how cybersecurity is regulated in the United States. If you conduct business outside the United States, you should be aware that many countries have differing and in some cases more strict laws and regulations.
How is Cybersecurity Regulated? In the United States, cybersecurity has mostly been regulated at the state level through data breach notification statutes. These laws require companies that suffer a data breach to notify those customers or patients with a certain level of detail of what information was or may have been compromised and provide remedies to customers or patients to prevent further harm. In the healthcare context, HIPAA contains very specific breach notification regulations if the breach involves protected health information.
Identity Theft Monitoring - Some states also require notification to the state’s attorney general office where the customers or patients are located while many states require the company to provide identity theft monitoring at no charge to customers or patients. There are identity theft monitoring companies who specialize in providing this service, that monitor potentially suspicious activity, such as new accounts on the customer’s or patient’s credit file as well as credit inquiries on the credit file.
More Regulations on the Horizon - There are a growing number of states that are investigating additional regulations to require companies to maintain certain cybersecurity protection. For example, New York recently implemented a cybersecurity regulation focused on organizations that provide financial services. As a reminder, if you conduct business internationally, there are a myriad of privacy and data protection laws that may apply to your business. You do not have to physically be located in another country to be subject to that country’s laws. Therefore, consultation with legal representation versed in this area is critical.
In the next article, we will explore common cybersecurity risks.
[Up Next, Cybersecurity Risks]
NOTE: This general summary of the law should not be used to solve individual problems since slight changes in the fact situation may require a material variance in the applicable legal advice.