In the United States, there are currently no federal laws standardizing how IT businesses should handle private information and data breaches. This lack of overarching regulations complicates things for IT businesses, because rather than having to know one law, businesses have to be aware of numerous state and international laws, especially in today’s borderless digital world, where it’s perfectly ordinary to have clients around the country and across the globe.
In particular, there are three cyber laws computer consultants need to know to protect themselves and ensure they’re best able to serve their domestic and international clients:
- Data Protection Act of 1988. This is a law governing data security in the European Union. You may be wondering what a European law has to do with your business. Here’s what: provisions in the act allow for U.S. businesses to store EU customer data as long as they follow certain rules. These are called the "Safe Harbor Principles" (and are sometimes referred to by the legal name "Principle 8"). If your IT business consults for European companies or has access to European customer data, you may have to follow these safe harbor principles. To learn more about the data security protocols you and your clients need to know to do business in Europe, read the Department of Commerce's safe harbor guidelines.
- State data breach notification laws. These laws regulate how you are required to respond to a data breach. Unfortunately, each state sets its own data protection laws, so sorting through the regulations is a time-consuming affair. This is especially true for businesses with customers in different states: you may have to follow different regulations for each of your clients. Before your head starts spinning at all the information you have to keep straight, here are the basics of what you need to know. A data breach is usually defined as an unauthorized person accessing private information such as a customer's name, address, date of birth, SSN, or financial information. States usually require you to report any breach of private data to the affected customers. In their data breach laws, states may specify how you must contact affected customers (via mail, email, telephone, etc.) and may require you to report the breach to the attorney general or a consumer advocacy agency. Failure to comply (or taking too long to do so) may result in fines and/or lawsuits.
- HIPAA and HITECH laws for medical data. Computer programmers and IT consultants who work with medical data have an extra set of laws to comply with. HIPAA (the Health Insurance Portability and Accountability Act) established standards for how businesses must handle electronic health records. This law was later amended with HITECH (the Health Information Technology for Economic and Clinical Health Act), which added more regulations. HIPAA and HITECH require businesses to perform security reviews, name a head security officer, and follow strict data protection and encryption guidelines. Failure to follow these rules can lead to fines in excess of $2 million. For more details about these medical data protection laws, check out our blog post "HITECH: The Strictest Data Protection Law."
With all the legal red tape programmers and IT professionals have to deal with, you'll want to make sure you're protected from a lawsuit in the event that you forget to cross one of your t's or dot an i. In fact, many of the contracts you sign may require you to carry such protection in the form of Errors & Omissions Insurance, which can pay for lawsuits over many kinds of professional mistakes.