Changing US Data Security - Time For Smart Actions
The New Year brought in a number of new regulations pertaining to protecting personal data. Organizations that share personal data with others are required to implement safeguards under both state and federal privacy laws. How these changes are handled by organizations will impact their ability to transact business and achieve sustained growth.
The Cybersecurity Act of 2015 permits organizations to share information with others for cybersecurity purposes. This information would consist of a Cyber Threat Indicator, which describes the cybersecurity threat, as well as the defensive measure taken, which would describe the action or technique taken to detect or prevent the cybersecurity threat. However, the Act is careful in that it stipulates that this information can only be shared after first ensuring that any Personally Identifiable Information is protected. This would guarantee that individuals are not harmed via the sharing of this information.
In California, Civil Code Section 1798.5(c) requires that a business which discloses personal information about a California resident require any third parties granted access to the information to implement and maintain security procedures that protect the personal information from unauthorized access. Under its Education Code, California requires that local agencies that hire contractors ensure that the contractor is not sharing or using student information for any other purposes. This includes outsourced or cloud-based services.
Oregon has expanded its data breach law, requiring that the Oregon attorney general be notified of breaches affecting 25 people or more. It also expands the definition of “personal information” to include additional data such as health insurance plan numbers and medical information.
Almost every state has data privacy laws. These are on top of federal laws and multi-national regulations that seek to protect individual information. Organizations are constrained by budgets and by the availability of the knowledgeable personnel needed to react to the constant flux of the security landscape. This makes it necessary for organizations to develop frameworks and infrastructures that automate security policies and procedures as well as the controlled distribution of data. Handling each of these as a one-off invites trouble and is a recipe for disaster.