Cyber attacks and data breaches can be financially devastating to businesses. When a breach becomes public, the organization involved often loses clients or customers and must spend significant time and money investigating the incident, remediating the damage to itself and its clients, and rebuilding public trust. On top of that, organizations involved in a breach are frequently subject to fines and other penalties under the regulations that govern the data they hold.

To understand the full range of risk in the cybersecurity landscape, you need to be familiar with the laws and penalties that apply to your clients so that you can offer the cyber liability insurance options that best fit their needs. Below are some of the most important current cybersecurity regulations.

Federal Laws Regulating Cybersecurity

The United States has no single federal data-protection law. Instead, a patchwork of sector-specific federal statutes applies to organizations that handle particular kinds of personal data (health, financial, government information). Below are some of the most important laws to be aware of.

  • The Federal Exchange Data Breach Notification Act of 2015 (H.R. 555) would have required health insurance exchanges established under the Affordable Care Act to notify affected individuals of a breach within 60 days of discovery. Note that this bill passed the House of Representatives but was never enacted into law; the 60-day figure is what the bill proposed, and in practice breach notification for health information is governed by the HIPAA Breach Notification Rule described below.
  • The Cybersecurity Information Sharing Act (CISA) of 2015 provides liability protections for private companies that voluntarily share cyber threat indicators and defensive measures with the federal government and with each other, so that threats can be identified and responded to sooner. This law is less about protecting data and more about enabling a coordinated response to cyber threats, but it is still worth noting.
  • The Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014, applies to federal agencies and to contractors and suppliers that operate information systems on their behalf. It requires each agency to run a risk-based information security program, applying the NIST standards and controls, and to report on its security posture. Because the law applies primarily to federal agencies, penalties for non-compliance are generally not monetary; they take the form of congressional oversight, formal censure, and reductions in funding, depending on the agency.
  • The Gramm-Leach-Bliley Act (GLBA) of 1999 applies to financial institutions and other organizations that handle nonpublic personal financial information. Its Privacy Rule governs how that information may be collected and shared, and its Safeguards Rule requires a written information security program to protect it. Penalties for the most serious violations are up to $100,000 per violation for the organization; officers and directors can additionally be fined up to $10,000 personally per violation and face up to 5 years in prison.
  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 applies to covered entities (health care providers, health plans and clearinghouses) and to the business associates that store, transmit or process protected health information on their behalf. Its Privacy, Security and Breach Notification Rules set standards for how health information is stored, accessed and shared, and impose substantial penalties on organizations that fail to keep it secure. Civil fines range from $100 to $50,000 per violation (for example, per exposed medical record), capped at $1.5 million per year for violations of the same provision, though an organization can be fined that maximum for each year a violation continues. Criminal penalties for knowingly misusing health information range from 1 to 10 years in prison, depending on intent.

International and Industry-Specific Regulations

In addition to federal regulations, organizations must contend with state laws: every state now has its own data breach notification statute, and some states (California and New York among the most prominent) impose additional privacy and security requirements. Further, there are international laws and industry-specific standards that organizations have to adhere to as well.

The General Data Protection Regulation (GDPR) protects the personal data of individuals in the European Union, and it applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. Since many US businesses work with European customers, they must also comply with GDPR. Fines for the most serious violations can reach €20 million or 4% of the organization's worldwide annual turnover, whichever is higher.

Any organization that accepts, processes, stores or transmits credit or debit card data is also subject to the Payment Card Industry Data Security Standard (PCI DSS), which outlines 12 requirements for securing cardholder data. PCI DSS is a contractual standard enforced by the card brands through acquiring banks rather than a law, but non-compliance can still lead to fines commonly cited as ranging from $5,000 to $100,000 per month, as well as higher transaction fees or loss of the ability to accept cards.

The regulatory landscape is dense because cyber attacks on organizations around the world are both frequent and serious. Every organization carries some risk of an attack or breach, so rather than asking whether a business will be attacked, the focus should be on when. In addition to a strong cybersecurity program, organizations need cyber liability insurance to provide information and expertise following a breach, assist with the legal costs of an incident, and minimize the disruption.


About Highland Risk Services

At Highland Risk, we use our expertise and experience to provide insurance information and programs to those who serve long-term care and senior living facilities. Since 2007, we’ve been offering insurance and risk management plans designed to help our agents give their clients the ability to achieve continued growth while simultaneously protecting against loss, containing costs and increasing profitability. With offices to serve you in Chicago, Illinois and Phoenix, Arizona, we do everything we can to make your experience with us as professional and transparent as possible. To learn more, contact us at (877) 890-9301.