Maryland’s data-breach notification law is getting tougher. Is your organization fully prepared in the event of a cyber security incident?
States around the country continue to respond to the ongoing threat of data breaches, and Maryland is the latest to tighten its data-breach law.
Other states, such as California and New York, have also implemented new regulations. These standards expand the definition of “personal information” and protect more individuals who have been targeted by cyber criminals.
Changes to these notification standards can have a substantial impact on your business if you suffer a data breach, whatever its cause.
Cybercriminals Have You in Their Sights.
While larger organizations may have entire teams dedicated to information security, smaller businesses often struggle to find the time to learn about, let alone implement, the many changes that arrive at lightning speed.
Left on their own, businesses like yours are a prime target for cyber criminals, who know that you lack the time and internal resources to focus on cyber security processes.
This doesn’t mean that large, tech-savvy companies are immune; they’re not. However, they are more likely to have the resources and infrastructure in place to make them a challenge to all but the most sophisticated attackers. So the criminals go after the “low-hanging fruit”: smaller businesses like yours.
The Impact of a Data Breach Can Be Severe.
So, what happens when the unthinkable occurs, and your data gets breached? The true impact and cost of a data breach can be difficult to measure in advance or to plan for.
Much of the cost incurred comes from notifying the individuals who were affected. It is also nearly impossible to predict how many customers will decide to take their business elsewhere because they now consider it too risky to deal with you.
Significant costs for public relations and for rebuilding trust with your customer base and suppliers, together with the cost of disrupted operations while you work to get your systems back online, can have a serious and long-term impact on your organization.
Add legal fees, credit monitoring for affected individuals, and secure data destruction, and you can see why it’s important to plan ahead for disaster recovery and to arrange for professional managed services that lessen the impact of a cyber incident.
The Maryland Personal Information Protection Act
Maryland’s update takes effect January 1, 2018. If you do business in the state, it’s critical to gain a full understanding of the new law. The updated time frame allows only 45 days from discovery of a breach to provide notice, a relatively quick turnaround when you’re reeling from a cyber attack and trying to contain it.
Additionally, the law expands the classes of personally identifiable data whose compromise constitutes a breach. The new list for notifications includes an individual’s first name or first initial and last name, combined with any of the following:
- Social Security number
- Driver’s license number
- Debit or credit card number
- Security access code or password
- State identification card, individual taxpayer identification, and passport numbers
- Health information, including mental health information, and health insurance policy, certificate, or subscriber identification numbers
- A username or email address in combination with a password or security question and answer that permits access to the individual’s email account (this element triggers notice on its own, without the name)
- Biometric data, such as a fingerprint, voice print, genetic print, or retina or iris image, that can be used to authenticate the individual
There are some qualifications to the new law. For instance, if a breach affects only the credentials used to access an email account, notice may be given electronically, directing the individual to change the password or security question.
However, this method of notification is valid only if you can verify that the individual is online at the time, connected to the affected email account from a device or location you recognize as one they customarily use.
These restrictions may make electronic notice impractical for smaller organizations, which often lack the systems needed to verify a user’s session and device before delivering it.
In many states, notification laws require that customers whose data has been affected be notified “as soon as possible.” Maryland has gone one step further and requires notification “as soon as reasonably practicable, but not later than 45 days” after the business discovers or is notified of the breach. This is a very short window and places a heavy burden on organizations of all sizes.
Reasonable Security Practices
There’s much debate around what could and should be defined as “reasonable security practices,” yet many states include this language in their data breach laws. Some suggested requirements include:
- Maintaining a written InfoSec policy,
- Conducting ongoing risk assessments,
- Appointing a party to have primary responsibility for data security, and
- Ongoing implementation of safeguards based on changes identified during periodic evaluations.
While these specifics have not yet been enacted into law, ongoing conversations are happening within the legislature about how to define “reasonable security practices” more fully.
Data breach notification laws will continue to grow and change to meet the evolving needs of organizations and their customers. Make sure that you stay up to date with the latest cybersecurity information. And for peace of mind that your clients’ data is as safe as possible, you should work with a qualified provider of IT security services like Intelice Solutions.