Cybersecurity & the Law
By: Steve D. Berlin
This article was originally published by Cyber Florida for their cybersecurity blog.
Welcome to the first post of the legal-based column of the Cyber Florida cybersecurity for small businesses blog, where we will cover interesting cyber legal topics that affect small to medium-sized businesses. This segment is designed for laypeople and will not get too deep into legal jargon and analysis. Rather, it is designed to make businesspersons aware of the general cyber legal issues to help them know how to ask the right questions and take steps to protect their companies and data.
People often ask: “Why should I care about cyber legal issues? I’m just a small company; why would hackers care about my business? Why should I take action, and what type of action do I need to take?” The body of law surrounding cybersecurity explains why all businesses, regardless of size, should be concerned and what actions they should take to protect themselves, but it does not necessarily tell them how to go about it. That gap is why cybersecurity technical specialists and CISOs are needed to assist.
The gateway question is: what law applies to a particular business? The United States follows a sectoral model of cybersecurity regulation, in which certain industries are regulated but there is no overarching general regulation. Examples of regulated industries are financial services through FINRA regulations and the Gramm-Leach-Bliley Act; the health industry through HIPAA and the HITECH Act; and Department of Defense contractors through DFARS. This column will not address those regimes specifically, although it will draw on them by analogy. However, just because a business is not within a regulated industry does not mean that other regulations do not apply.
The Florida Data Protection Act applies to all Florida businesses, requires a modicum of protection for personal information, and creates a data breach notification protocol. Nevertheless, this Act does little to create general privacy controls or to protect consumer data that does not fall within the meaning of “personal information.” It also does not create a private cause of action. This does not mean that Florida is the unregulated “Wild West”: any Florida business may be subject to the General Data Privacy Regulation (GDPR) in the European Union if it does business with Europeans, and to other duties that may arise by contract or in tort. It is, therefore, best practice to adopt sound cybersecurity policies and protocols.
As for regulation in the United States, it is coming. The California Consumer Privacy Act prescribes a series of data privacy requirements that will be the strictest in the country by far when it comes into effect in 2020. It asserts jurisdiction not only over companies doing business in California but also over those who do business with Californians, and it is much easier to bring someone under the jurisdiction of a California court than under a court in the European Union. Additionally, the U.S. Congress is considering federal legislation that may preempt state law and provide a single regulatory regime for everyone. In fact, the Senate Commerce Committee held a hearing on the topic on February 27. This column aims to keep readers abreast of exactly these types of issues and of updates on proposed legislation.