Virtually every company owns, licenses or maintains personal information and other sensitive data. Until recently, companies were not legally required to implement cybersecurity policies, procedures or controls specifically designed to protect personal and other sensitive information. Some companies might even have decided not to comply because of perceived high implementation costs and complex operational changes. However, recent expansions in a number of laws have changed this dynamic. Across the U.S., state regulations are being promulgated that require companies to implement and maintain a reasonable level of cybersecurity controls. Some of these laws provide for significant penalties in cases of non-compliance. As companies begin to take steps toward compliance with these regulations, one significant source of assistance is the cyber insurance market.
New Privacy and Cybersecurity Regulations
As of the writing of this article, at least 25 state laws impose obligations on their corporate citizens to have reasonable data and information security practices to protect sensitive data from unauthorized disclosure. Some laws go even further and prescribe specific standards that corporate citizens must follow to protect the privacy rights of those states’ residents.
Two of the most stringent regulations currently in effect are in New York and Massachusetts, while a third, which may very well be the most stringent regulation, becomes effective in California on Jan. 1, 2020.
New York state’s recently passed “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, applies to businesses that maintain private information of New York residents, regardless of whether such entities actually conduct business within New York. SHIELD requires covered entities to implement “reasonable safeguards,” taking into account administrative, technical and physical safeguards such as training, risk assessments, regular testing of key controls and procedures, and the disposal of private information within a reasonable time after it is no longer needed. Similar requirements exist in Massachusetts, Ohio, Oregon and Vermont.
SHIELD also allows for fines of up to $250,000 for violations of the notification requirements. Notably, the imposition of the “reasonable safeguards” requirements brings the new law closer to New York’s 2017 Department of Financial Services’ Cybersecurity Regulation, which prescribes holistic security measures applicable to a broad swath of financial services companies operating under New York’s banking, insurance and financial services laws.
In addition, many of New York’s small and medium-sized businesses in industries unaccustomed to the regulations applicable to the financial sector will now be required to address their security measures and implement controls, including risk assessments, to protect sensitive information and systems from unauthorized use or access.
Massachusetts’ current regulation, 201 CMR 17.00, et seq., establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The regulations apply to all persons who own or license personal information about a resident. 201 CMR 17.03 and 17.04 impose obligations on covered entities to implement prescribed safeguards, including (this is a small sample from the list set forth in the statute):
- A comprehensive, written information security program that contains administrative, technical and physical safeguards.
- Designation of one or more employees to maintain the information security program.
- Identification and assessment of reasonably foreseeable internal and external risks, and evaluation of the effectiveness of current safeguards for limiting such risks.
- Continuing employee education and training.
- Measures to oversee third-party service providers, including requiring such vendors by contract to implement and maintain appropriate security measures for personal information.
- Password management and controls.
- Identifying the policyholder’s cybersecurity posture is a critical first step. Services include detailed analyses from a network of free or reduced-cost cybersecurity experts, reports that provide a snapshot of the policyholder’s security posture, and numerous recommendations for improvement.
- Working in collaboration with their broker, CNA Risk Control, and Cyber Underwriting, policyholders execute the cybersecurity experts’ recommendations to mitigate their cyber risks and improve their cybersecurity posture.
- CNA CyberPrep continues to benefit policyholders after the assessment. In the event of a cyber breach, CNA’s panel of experienced incident response vendors provides guidance and strategies to help expedite recovery and minimize loss.