Cybersecurity breaches have many consequences. Businesses may lose customers and revenue, tarnish their reputation and brand, or face lawsuits and litigation. Another concern is that various rules and regulations require companies to maintain baseline levels of cybersecurity. If and when a breach occurs because those levels were not met, companies are subject to significant fines, fees, penalties, and other punitive consequences. To fully understand the risks that cybersecurity presents, it is imperative to understand the laws and penalties that apply.
What cybersecurity laws regulate US companies?
The specific laws that apply to your business depend on the type of business and the type of data you work with. There are, however, sweeping federal cybersecurity laws that apply, in whole or in part, to many businesses:
Health Insurance Portability and Accountability Act (HIPAA) of 1996
This law applies to almost every organization that deals with medical information. It establishes standards for how medical information is to be stored, accessed, and shared.
Gramm-Leach-Bliley Act (GLBA) of 1999
Organizations that deal with personal and private financial information are likely subject to this law. It mandates standards for when and how information is collected, how that information is stored, and which parties have access to it.
Federal Information Security Management Act (FISMA) of 2002, enacted as part of the Homeland Security Act
This law is similar to the previous two and applies primarily to organizations that deal with government information. By and large, this means government agencies, but contractors and suppliers who work with the government may also be subject to it.
Cybersecurity Information Sharing Act (CISA) of 2015
The purpose of this law is less about protecting data and more about collaboratively responding to threats. It allows the government and technology companies to share data in order to identify and respond to threats sooner.
Federal Exchange Data Breach Notification Act of 2015
Organizations that participate in a health insurance exchange are required to report any breach to affected individuals within 60 days of the breach occurring.
Are there state laws mandating cybersecurity?
In some states, there are. In California, for instance, companies that store data related to California residents are required to provide notification in the event of a breach. Organizations are not required to maintain any specific types of cybersecurity protections, but they are held responsible if those protections prove inadequate. New York is another state with specific regulations, but they apply only to businesses in the financial services sector. These businesses must submit an annual certification demonstrating that they meet minimum levels of cybersecurity. Only a small number of states have their own laws in place, but businesses should not assume they are fully compliant until they have investigated the laws at the state and local level.
What are the penalties for breaking cybersecurity laws?
The exact nature of the penalty usually depends on the nature of the attack and the amount of data that was exposed. There are also penalties beyond fines and fees – public shaming, for example – that hurt some organizations more than others. Even in the best cases, however, violating cybersecurity laws is an expensive and disruptive experience:
HIPAA
The fine is calculated based on the number of medical records exposed, with fines ranging from $50 to $50,000 per record. Fines are capped at $1.5 million per year, but organizations may receive the maximum fine for multiple years. Violators may even face prison time ranging from 1 to 10 years.
GLBA
Organizations are fined up to $100,000 for each violation of this law, and the officers and directors of the organization may be fined up to $10,000 personally. Individuals may also face up to 5 years in prison.
FISMA
Since this law applies primarily to federal agencies, the penalties range from formal censure by Congress to reductions in public funding.
What other regulations should US companies be aware of?
In addition to laws that exist at the federal, state, and local level, companies may also be subject to international laws and industry-specific standards. Since these requirements are not necessarily top of mind, it is especially easy for businesses to overlook them and accidentally fall out of compliance:
General Data Protection Regulation (GDPR)
This sweeping set of regulations is designed to protect the personal information of all citizens in the European Union. Since many US businesses work with European firms and customers, these businesses must comply with GDPR. Unlike most other cybersecurity laws, this one mandates the use of encryption. GDPR is also especially punitive, with fines potentially totaling tens of millions of dollars.
Payment Card Industry Data Security Standard (PCI DSS)
Any organization that accepts payment cards – credit cards, debit cards, etc. – is subject to this standard developed by the payment card industry. Organizations must meet 12 requirements related to securing payment card information. Being in breach of PCI DSS exposes organizations to minimum fines of $5,000 per month and maximum fines of $100,000 per month.
Are cybersecurity laws cause for concern?
At this point, you may be wondering how aggressively these laws are enforced and how likely it is that offenders will be penalized. HIPAA is a good law to focus on because it applies to a wide range of companies and the government is highly invested in enforcing it. According to data from the HHS, 171,161 HIPAA complaints have been logged since 2003. Up to 98 percent of those cases have been resolved, including 53 cases involving civil penalties totaling $75,229,182.00. So while regulators do not always pursue financial penalties, they do not hesitate to impose heavy penalties on the worst offenders.
Examining a specific case is more illustrative of the risk individual organizations face. In 2013 an employee of Advocate Health Care (AHC) left a company laptop in an unlocked car. The laptop was stolen, along with the massive amount of personal medical information and access credentials it contained. In total almost 4 million medical records were exposed, each representing a breach of HIPAA regulations. After the fines were calculated, AHC was forced to pay $5.5 million. A common accident led to one of the largest fines ever levied because of a security breach.
How do companies stay compliant?
The first step is to understand the specific cybersecurity laws that apply to your company. The second step is to understand exactly what levels of security and protection those laws require and how they define being in breach. Because these requirements differ, there is no one-size-fits-all strategy for becoming 100 percent compliant. However, there are best practices all companies can follow to prevent the kinds of incidents that lead to fines and fees:
Inventory IT hardware and software
Understanding the full extent of your IT infrastructure ensures that vulnerabilities and risks are not hidden from view.
Perform a gap analysis
Identifying how much distance exists between actual levels of protection and required levels of protection reveals what needs the most work, and where.
Perform a risk assessment
This involves understanding the most common and consequential types of threats, then evaluating how well your current security controls protect against them.
Devise and document a security plan
Cybersecurity requires more than just technology. A security plan outlines policies, protocols, and priorities for every conceivable type of attack. If and when an incident occurs, the plan should identify exactly what actions various departments and individuals should take.
Implement new security controls
Few organizations are compliant at the start. Operating within the boundaries of the law often necessitates technical and logistical upgrades to cybersecurity.
Audit the security controls
Testing and evaluating how well various protections are performing allows organizations to make upgrades before an attack exposes the weakness.
Respond to the audit
Knowing where weaknesses lie is useless unless organizations are willing to invest the time and resources necessary to improve cybersecurity.
What role does cyber insurance play?
Cyber insurance is designed to do a number of things: it provides organizations with information and expertise following a breach; it helps to recover revenue and pay for legal costs related to an incident; and it helps businesses minimize the disruption caused by disabled IT. Some cyber insurance policies also cover the cost of fines and penalties levied by public or private organizations, or the cost of investigations related to those fines and penalties.
It is essential to understand that not all cyber insurance policies provide this kind of coverage. Many policies also limit what is covered, how much is paid out, and when the coverage kicks in. Cyber insurance is an important and valuable safeguard, but it should not be assumed that all penalties will be paid for.
Cyber insurance is valuable for all organizations regardless of their size, industry, or regulatory obligation. Every business is at risk of an intentional attack or an accidental breach. There are also no businesses that have 100 percent reliable cybersecurity. As a result, all businesses should expect to be breached. When all other protections fail, cyber insurance provides stability, security, and peace of mind.