Cybersecurity legal requirements keep changing at the state, federal, and international level. Most of the changes are just trying to keep up with the constantly changing landscape of threats in cyberspace. Today we call in an expert, Mitzi Hill, to talk to us about cybersecurity and the law. How those changes may impact your business and your privacy and security program is certainly something we don’t want to lose track of in the mix.
Cybersecurity and the law – Ep 147
We are excited to bring in someone who knows a lot about how things can go wrong for all kinds of businesses when it comes to cybersecurity concerns. Welcome to Mitzi Hill, a partner in the Taylor English Duma law firm.
It is no longer just about healthcare data concerns when we work with companies on privacy and security. All companies have information that is valuable to them and their clients/customers/patients. There are many things we could talk about, but we definitely want to hit on as many as we can squeeze in today. (There is a long list here, but I tried to put them in a logical order.)
- There is a wide range of proposals and changes in state cybersecurity and breach notification laws going on right now.
- What can we do to keep up with them, especially when you do business in multiple states?
- We are aware of some, like NC and GA. What others out there do you think we should really keep an eye on, ones that make you excited or terrified?
- NC state notification law proposed would be very stringent
- GA law on accessing computers can put cybersecurity firms out of business
- The FTC and SEC are also weighing in on cybersecurity requirements.
- Is this something that we will also need to track along with state laws and HIPAA?
- GDPR in the US of A. Healthcare probably doesn’t have a lot to worry about but our Business Associate clients may need to be aware.
- Can you touch quickly on what GDPR is and what it requires?
- Speaking of overseas laws… We often get into a conversation about how laws like HIPAA may, or may not, apply when you have business associates outside the US. This comes up a lot with transcription services in particular.
- What are your thoughts on how well a company will fare if they have issues with offshore services involved in privacy and security breaches?
- That brings us to due diligence of business partners. We get a lot of pushback when we start asking questions about their privacy and security programs.
- How much vetting do you recommend companies do for their high-risk business partners in the supply chain?
- Is this sort of vetting going to be commonplace soon based on what you see happening?
- As these laws continue to evolve do you see any discussions around business and personal liabilities in these cases?
- The compliance officer who took a plea for allowing bad financial practices at MoneyGram
- We have many privacy and security officers concerned that this could fall back on them at some point. HIPAA doesn’t specifically include that as long as it isn’t malicious, of course. Are other laws going to change that in some way?
- We encourage all businesses to engage an attorney the minute they realize they have a serious privacy or security incident to get the investigation and decisions under privilege as soon as possible.
- What do you recommend along those lines for businesses?
Links with more information from Mitzi Hill.
We were thrilled to have Mitzi join us for this discussion. The information we covered just scratched the surface of some of the legal issues companies face every day concerning cybersecurity protections. As new legal requirements continue to arrive, keeping an eye on all of this is imperative for all of us to stay current with what is required.