Establishing cybersecurity standards should be a priority for every business, and truly, every individual as well. You would never leave the front door to your home or office unlocked all night. Why leave your online information and intellectual property just as vulnerable?
Depending on your industry, you may be obligated to operate within a specific set of cybersecurity standards. For instance, any business that stores, processes, or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Strictly speaking this is a contractual obligation imposed by the card brands through merchant agreements rather than a law, but the consequences of non-compliance (fines, higher processing fees, loss of the ability to accept cards) are real. PCI DSS is organized around twelve high-level requirements, yet each expands into many detailed controls, and other frameworks can be just as complex and difficult to navigate for small and medium-sized business owners.
Generally speaking, the more sensitive information your company handles, the more cybersecurity standards you will be required to follow. This is especially true of healthcare facilities, law offices, and financial institutions. While this article is not legal advice and should not be construed as such, it will give you a brief overview of some of the most prominent cybersecurity compliance frameworks and regulations pertinent to these industries.
The largest body of cybersecurity regulation for medical facilities comes from the Health Insurance Portability and Accountability Act (HIPAA), specifically its Security Rule, which governs electronic protected health information (ePHI), and its Breach Notification Rule. To be HIPAA compliant, a covered entity must, among other things, perform and document a risk analysis, maintain written policies and procedures, keep a risk management plan, have a breach notification process, implement technical safeguards on the network such as access controls and audit logging, be able to back up and restore ePHI, train its workforce, and sign Business Associate Agreements with vendors that handle ePHI on its behalf. That is right: since the HITECH Act, compliance applies not just to your organization but directly to your business associates as well.
Many states have their own data security laws and regulations for the healthcare industry. Additionally, public and private facilities may be held to different standards. It is important to stay up to date on cybersecurity compliance requirements because legal repercussions are not the only risk: when a security breach occurs, you lose the trust of your patients and risk lasting harm to your reputation. A widely repeated (though uncited) figure holds that 72 percent of medical offices shut down or file for bankruptcy within two years of a breach.
Cybersecurity compliance is not always straightforward. Your IT provider can help.
Just like healthcare facilities, law offices process a lot more data than just their clients' payment information. Some, especially those dealing with insurance companies, may also need to be HIPAA compliant. Regardless of whom lawyers work with, their data is worth a lot to attackers, and in a 2019 survey by the American Bar Association (ABA), 26 percent of lawyers reported that their firms had experienced some sort of security breach. An additional 19 percent could not say whether or not they had experienced a breach, which suggests that many firms lack even basic logging and breach detection.
A number of ABA Model Rules and Formal Opinions dictate the degree of cybersecurity expected at a practicing law firm. The very first Model Rule (Rule 1.1, Competence) establishes the "duty of competency" among lawyers, which Comment 8 extends to maintaining up-to-date knowledge of "changes in the law and its practice, including the benefits and risks associated with relevant technology."
More specifically, Formal Opinion 477 states that, “[A] lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
There are also standards for being aware of and reporting breaches at law offices. Opinion 483 states, “[W]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.” While these rules may not seem very strict or explicit, it is in the best interest of the law firm and the client to provide reasonable cybersecurity protections and to monitor and promptly respond to breaches.
The financial sector is subject to a sweeping number of state-specific cybersecurity regulations in addition to those set by the Financial Industry Regulatory Authority (FINRA), which oversees broker-dealers. Instead of delving into each of these one by one, we will cover the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which is widely used as a baseline for cybersecurity programs in the US and abroad. This framework is used by some of the largest financial institutions in the world, including JP Morgan Chase and the Bank of England.
The NIST CSF is also a good foundation in this case because FINRA bases its own cybersecurity checklist for small firms on it. CSF version 1.1 breaks a security program down into five core Functions: Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in 2024, adds a sixth, Govern, covering policy, roles, and oversight). The framework is effective because it forces two complementary strategies: proactive prevention and detection, alongside a tested plan for the day that prevention fails.
If you handle any sensitive customer information, or even if you just want to keep your own information private, there are basic steps you can take to improve your security posture. Prevention and detection are vital to running a smooth business, but being ready for a breach when it happens is just as important. If you are not sure whether your company is in compliance with the standards that apply to it, look for a managed IT provider that offers a full suite of cybersecurity services. Working with such a provider makes it simpler to stay in compliance without diverting time that could be spent running your business, and gives you confidence that you are protecting your clients' data to the level your industry expects.
Digital Agent combines the latest technical innovations with old-fashioned service values. It is modeled on a family-run business, with a commitment to customer care, personalized service, and attention to detail.