The Canonization of Cybersecurity Law
More and more businesses are beginning to rely on a combination of software as a service (SaaS) and their own work systems for electronic storage and manipulation of information. Often, that information is sensitive in nature and contains the personal details of financial transactions and customers. That, in turn, presents risk management issues in the form of cybersecurity concerns for those businesses. Many states, Minnesota included, have laid plans to formalize their cybersecurity best practice recommendations into actual laws.
There are three primary types of sensitive information which need to be taken into account:
· Personally Identifiable Information (PII)
PII includes individual first and last name, or first initial and last name, along with any one or more of identifiable data elements relating to them. Examples include social security numbers, birthdays, passport or student identification numbers, birthdays, maiden names, or any of a slew of other pieces of information. The qualifier is that the pieces of information and data elements can be tied to the last name and (at the very least) first initial of the individual.
· Payment Card Information (PCI)
PCI includes, at a minimum, the cardholder’s name, primary account number, expiration date, service code, and/or PIN number. Basically, anything that could be utilized to make an electronic transaction with the card.
· Protected Health Information (PHI)
PHI includes information created, received, or maintained by a company which is related to an individual’s health care or payment for health care which directly (or indirectly) identifies the individual in some way.
Companies should already have a cybersecurity plan in place to help manage the risks that they face or, at the very least, have audits to find out where their weaknesses are. For that, a comprehensive written information security program (WISP) is a great first step. Jay Nesbit of Nesbit Agencies, Inc. had the goal in mind of developing and implementing WISPs to help “create effective administrative, technical, and physical safeguards for the protection of PII, PHI, and PCI.” Nesbit’s own WISP addresses the many cyber threats that it could face, including physical, internal, and external.
There are five steps which need to be implemented in the creation of a WISP:
(1) identify reasonably and foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing PII, PHI, and PCI;
(2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the PII, PHI, and PCI;
(3) evaluate the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;
(4) design and implement a WISP and put safeguards in place to minimize those risks, consistent with the requirements of the regulations; and
(5) implement regular monitoring of the effectiveness of those safeguards.
With a plan in place, all that is left to do is implement and monitor the safeguards that have been put in place. A data security professional or coordinator is an essential employee who takes leadership over the WISP, including initial implementation, employee training, testing of the WISP safeguards, evaluation of service providers, reviewing the scope of the security measures, and conducting training sessions.
There are two types of threats that need to be taken into account:
Internal threats are ultimately the means through which the company limits access to sensitive information to people within the premises and within the company. That includes clients, customers, suppliers, vendors, and employees. If they do not require access to the information, they should not have access to it. This also extends to the protection of the grounds themselves from physical assets.
Additionally, terminated employees must return all records (in any form) and information stored on other media such as laptops or electronic storage.
Another aspect of this is access protocol for the building itself, areas within the building, and electronic devices of all types.
In some ways, external threats are easier to combat than internal ones. Installation of a firewall, security patches, and keeping software up to date is usually enough. Additionally, the use of anti-virus and anti-malware software should be utilized.
Employees need to be trained to avoid phishing schemes and other types of social engineering attacks. Confidential information or documents should not be emailed or sent out without encryption either.
These are all good jumping off points for dealing with threats, but they are by no means exhaustive. The reality is the work is ever changing and is not going to stop when the WISP has been developed. The price for not putting a plan in place, though, is astronomically higher than the cost to implement one. Each individual data point can potentially be a liability, and with regulators knocking at the door and lawmakers chomping at the bit to implement new safeguards, now is the time to get it taken care of.
For more information or to begin aligning your cybersecurity with best practices and potential future regulations, contact Chad Nesbit at firstname.lastname@example.org or 952-746-4327.