As an IT professional, developer, or consultant, you've probably heard rumblings about a bill called The Data Privacy Act. The bill will increase data security standards and strengthen punishments for those who cause data breaches and companies that are too slow to respond to a breach.
It is just a matter of time until some version of the Data Privacy Act passes. Senator Patrick Leahy (D – Vt.) originally wrote the bill in 2005, and has introduced it in every Congress since then.
After the holiday data breach at Target, the bill has been revamped and is quickly gaining momentum in the legislature. (Read “Anatomy of a Data Breach: Lessons from Target’s Security Breach” for more on that incident.) But what will this bill mean for small businesses and IT freelancers? Read on for an overview.
Unpacking the Data Privacy Act: What Small-Business Owners Need to Know
In order to understand the biggest changes the Data Privacy Act would bring to small-business owners (if it became law), let's look at the current data breach laws it would replace.
As it stands, there isn't one overriding data breach law. Each state actually has its own laws and some industries (e.g., medical ones) have set their own higher data security standards.
Current cyber liability laws can be problematic for businesses. If you run an ecommerce business and have clients in multiple states, which state laws do you follow? You probably have to follow different regulations for different customers. Talk about a headache.
One of the most important features of the bill is that it would eliminate the confusing patchwork of state laws currently on the books, thus simplifying data security regulations. Even if those regulations become stricter, business owners would have a better idea of how to prevent a breach and how to respond when one happens.
3 Key Features of the Data Privacy Act
The Data Privacy Act aims to strengthen cyber security by increasing security requirements and doling out more serious punishments to perpetrators. There are three ways it aims to do so:
- Increase punishments for businesses that cover up or fail to disclose a data breach (people who willfully cover up a data breach would spend up to five years in jail).
- Mandate that all businesses have a data security plan.
- Strengthen laws that punish hackers by increasing the penalties for attempted computer hacking.
The first feature is a mixed bag for IT companies. Many of the current laws are vague about how quickly you need to disclose a data breach. Some states say you need to do so in 45 days, others simply say "as soon as reasonably possible." And the vagueness doesn't end there. Current laws also give unclear definitions about what counts as a data breach. In some states, if encrypted data is leaked, that doesn't count as a breach.
While the proposed laws don't clarify those ambiguities, they increase the penalties for not disclosing a breach or taking too long to do so. In that sense, the law clarifies your response: the increased penalties mean you'll need to err on the side of caution, disclosing data breaches sooner.
The second and third features are both good for IT professionals. Higher security standards and stronger punishments for criminals should translate to fewer data breaches. To understand why that's important, look back at the Adobe data breach that affected millions of its users.
After Adobe was hacked, a strange thing happened. User accounts on other websites were also compromised. That's because data breaches are not self-contained. Users reuse logins and passwords. A breach at one company can lead to many more breaches. Increasing security standards should not only prevent breaches, but also decrease "spillover" attacks.
Potential Good News for IT Consultants: New Law Could Mean New Clients
As we saw above, one provision of the law requires that companies develop and implement data privacy and security protocols. In some ways, this is great news for IT consultants.
If the law passes, all sorts of businesses could need help developing policies and practices to protect their data. That translates to more work for you.
The new law sends a signal to businesses of all sizes that they need to get serious about data protection. If you don't already offer security consulting, consider expanding your services.
Why Now? The Scary Truth about Data Breaches
Why is all this happening now? In 2005, when Leahy first authored the Data Privacy Act, there wasn't much public discussion of data breaches. A lot has changed in nine years.
It isn't just the high-profile data breaches at Target and Neiman Marcus. With more and more breaches happening every year and more and more data stored online, businesses and individuals are more susceptible to breaches than ever.
From a risk management perspective, you need to develop a comprehensive strategy for limiting your cyber liability. Consider the following courses of action.
- Develop a data breach response plan. You need one regardless of whether the law passes. Response plans have been shown to reduce not just the likelihood of a breach, but also the cost. To learn more about preventing data breaches and limiting their damage, read the post "What's Your Data Breach Notification Plan?"
- Get insurance coverage for client data breaches. Freelancers, consultants, and project managers can all be sued when their clients suffer a data breach. E&O Insurance covers these third-party (client) cyber liability lawsuits.
- Know whether or not you have first-party cyber risk. First-party cyber liability is the risk of a data breach happening on your own computers (not your clients'). Most small IT companies don't have significant first-party exposure, but confirm that yours doesn't. Some IT companies (like data miners or ecommerce specialists) keep a lot of private data on their own networks. If you do, make sure to cover this risk with Cyber Liability Insurance (also called Data Breach or Cyber Risk Insurance).
The Takeaway: The Good and Bad of a New Data Breach Law
The Data Privacy Act does some good things for small IT businesses and some not-so-good things.
The good: By raising cyber security standards across the board, the law could slow the increasing rate of data breaches. Furthermore, these new standards will mean more potential work for IT consultants.
The bad: The law would punish slow responses to data breaches. As an IT consultant, you’d be held to a higher standard than you were before. Protecting your business from lawsuits and having a data breach response plan would be more important than ever.
To learn more about strengthening your business with E&O Insurance or Cyber Liability Coverage, check out these free insurance cost estimates that break down insurance coverage and cost for small IT businesses.