If you run a small or medium-sized business, it may seem like the laws are always shifting. Practically every year, it feels like a new, more complicated law appears that demands more cybersecurity protections around your customer’s data. But here’s a largely unappreciated fact: protections you put in place for your customer will, in the end, protect your business.
Why? Because the same protections that keep your customer’s data safe will also keep your overall networks safer. You’ll not only shield yourself from liability from leaked data, but you’ll make it harder for hackers to access any portion of your network. And that’s a win-win, all around.
To give you an idea of what that looks like, consider these recent estimates from a report by the Ponemon Institute. According to their surveys, the average cost of a single non-compliance issue for a company was between $4 million and $13 million. And that’s to say nothing of the lost opportunities a non-compliant company might face when bidding on new work or operating in certain countries. Keeping a sharp eye on your legal obligations is more than just a good idea. It’s simply good business.
So, with that in mind, what IT business protection laws are most important? There are too many to lay out individually, but we’ll talk about the main laws protecting businesses here.
What Kind of Companies Need IT Business Protection?
Before you begin implementing compliance plans, it’s important to know which kinds of companies are most impacted by data handling laws. The answer is pretty simple. Your company needs IT business protection if it handles:
- purchase data, such as customer credit card numbers and PINs
- health information, such as patient health records, or even information about them having a particular medical condition
- banking or direct deposit information for customers, vendors, or employees
- personal identity data of any kind, such as personal emails, physical addresses, social security numbers, or driver’s license data
This, as you might imagine, covers a great many companies, regardless of size. When it comes to laws protecting businesses, small businesses aren’t exempted. And your exposure could be greater than you think. For instance, let’s say you have an online store that sells a handmade necklace to a customer in Spain. Your online operation will have to be compliant with data handling laws for Europe.
Or, perhaps your medical office handles all of its patients’ records electronically through a patient portal, and frequently emails patients about their conditions, too. Both the portal and the email platform you use must offer HIPAA-compliant data protections. If a data breach leaks your customers’ payment information or personal information onto the internet, you will open your business up to lawsuits and compliance issues. Staying up to date on your compliance is a key way to get true business protection.
Six Data Compliance Laws Protecting Your Business
Yes, compliance efforts really do offer a substantial amount of IT business protection. Good data hygiene is good cybersecurity, and that’s just about the most important way there is to protect your business. Europe really started the ball rolling with new consumer data protections, but the US has responded with regulations of its own, much of it varying state by state.
To stay safe, we usually recommend taking the most rigorous guidelines available in these IT business protection laws and conforming to those. Do this, and you’ll never be playing catch-up. There are many compliance laws protecting businesses, but these are six of the most important:
1. GDPR: The European Union’s General Data Protection Regulation (GDPR)
Implemented in the EU in 2018, the GDPR puts consent for the sharing of data in your customers’ hands. Consumers must give their explicit permission to store and use their data, with strict rules about opt-ins. It also asks companies to maintain enterprise-wide data mapping and inventory. You’ll be required to regularly assess the compliance of your programs and carefully record all your data processing activities. If you’re selling to customers in Europe in any way, you’ll be required to comply with GDPR.
2. The Gramm-Leach-Bliley Act
If you’re in the business of offering financial products or services of any kind, such as loans, financial advice, insurance, or banking services, your business is bound by this data handling law. You’ll need to protect your business by publicly posting your data sharing practices and by safeguarding sensitive data through a high cybersecurity standard.
3. Fair Credit Reporting Act
The Fair Credit Reporting Act is designed to regulate how credit reporting data is shared and made available to customers. It covers who is allowed to see a credit report, what the credit bureaus can collect, and how information is obtained. For more information on what IT business protection looks like around this law, visit the FTC website.
4. The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a law most healthcare providers are familiar with by now. It has very strict requirements that allow patients to specify exactly how their healthcare information is shared between doctors, hospitals, pharmacies, insurers, and other similar businesses, as well as family members and caregivers. There are strict rules for the transmission, sharing, or handling of patient data, and this includes any third-party vendors you share data with.
If you are running a healthcare facility of any kind, you’ll have to be very careful about what information is divulged through emails and phone calls. You’ll have to carefully manage passwords and protections on patient portals, as well. This law creates important protections that shield patients from embarrassment or discrimination over their health status. It’s rigorously enforced, but, when followed, it is definitely one of the primary laws protecting your business from liability. For more on how to comply, visit our latest blog on the topic.
5. The Children’s Online Privacy Protection Act (COPPA)
If you’re running a website or app that might be collecting information from children under the age of 13, you’ll have to conform to the Children’s Online Privacy Protection Act (COPPA). You’ll need to have significant IT business protection in place, because keeping information about children is not nearly as simple as putting up an “opt-in” privacy notice and calling it a day. Your site or app must strive to keep as little information about the children as possible, not goad them into continuously submitting more personal information, and submit a consent request to a parent or legal guardian when children sign up for your services. Check out this recent guidance from the FTC on the matter.
6. State Privacy Laws
State privacy laws vary widely in what they cover. Most require companies to let their customers opt out of data tracking in different ways, either entirely or through carve-outs for certain practices. More state legislators are moving privacy laws through committees right now, so expect more new laws on the horizon. The best way to protect your business from state-based privacy violations is to maintain the highest cybersecurity profile possible and to offer those who use your services the ability to opt out of as many data tracking functions as possible, if they choose.
IT Data Compliance Regulations: How to Protect Your Business
By now you can see that the way to achieve true business protection lies in strictly adhering to data privacy law. Depending on the business you’re in, the burden of compliance can be complicated, and each business will have a different compliance load. Be sure to confer with a qualified managed IT services provider, consult a lawyer conversant in IT law, or hire an IT compliance officer to address what your specific organization needs to do.
There are, however, some general good practices that will go a long way to help you achieve true IT business protection. Specifically, we recommend that most companies:
- Keep only the data that is absolutely necessary for a good user experience or for general administration for your employees.
- Limit access to customer and employee data to only those critical staff who need it.
- Require multi-factor authentication for employees and vendors accessing your databases.
- If you have customers signing in to portals, encourage good password hygiene with long, hard-to-guess passwords, and use zero trust systems whenever possible.
- Publish clear data privacy policies with the ability to opt out entirely or from specific functions.
- Install strong firewalls.
- Encrypt your data in transit using virtual private networks and other tools.
- Practice good physical security: encourage employees to close their laptops, discourage the printing of documents containing sensitive information, and more.
- Conduct regular security training with your staff to keep your exposure to data leaks low.
Would you like to pursue IT business protection, by improving your data compliance? Our security and compliance experts can help protect your business for the future. Contact Integris today for a free consultation.