There are many potential legal issues in cybersecurity. Whether you are part of a company trying to protect itself or a dedicated cybersecurity company, understanding the current law around cybersecurity is important to keep you on the right side of it.
In June 2018, the California legislature enacted the California Consumer Privacy Act (CCPA). The CCPA requires companies to give consumers the right to request or delete personal information held by the company and to identify any third parties to which the information was disclosed or sold. Consumers also need to have the ability to opt out of the sale of their personal information. The CCPA's definition of a consumer covers employees as well, so companies need to change how they handle internal data too. The CCPA applies to most mid-sized or larger companies and to all companies operating primarily in California.
Biometrics, which grant access based on body measurements, have seen a large increase in the number of legal cases brought against companies collecting face scans, fingerprints, or other identifiers. Illinois' Biometric Information Privacy Act (BIPA) prohibits companies from obtaining or using biometric identifiers unless the person signs a written release. This is a major issue for companies that use biometric tools to validate employee time entries and do not want to be liable under the Act. Other states such as Washington and Texas have recently enacted similar laws, and more states are enacting their own legislation.
HIPAA, the Health Insurance Portability and Accountability Act, requires that companies strongly protect electronic personal health information. Software companies and any other type of company that handles healthcare data have to be extremely careful to keep that information safe, because HIPAA carries extremely large fines for any breach. Even health care practices have to be careful not to violate HIPAA, as physicians have been forced to pay for mishandling electronic personal health information.
Even if you are a US business, if any of your customers or vendors operate in Europe, you should be aware of the General Data Protection Regulation (GDPR). GDPR is a new framework for data protection laws. It details fines for companies that handle customers' data improperly and specifies how companies must obtain the consent of the individuals they collect information about. It also regulates the company's data protection policies, data storage, and data processing, and requires large companies to employ a data protection officer. Positive opt-in is also a requirement of GDPR, which is why many more websites and software programs now require positive opt-in before use.
For a company that focuses on cybersecurity, following proper legal procedures is important. If you are going to be penetration testing another company's network or computers, you need to obtain permission and signatures from those in charge of that company. Permission from just the IT department is not enough and could have serious legal consequences. Different states in the United States have different laws regarding penetration testing, so understanding the rules of your state and the laws of the target's state is important.
If you are operating in a cloud environment, you need to obtain the permission of the cloud service provider and not just the target company. You should also make sure that your computer and tools are free of malware, as you could be held responsible for infecting a target's systems or losing their proprietary data. Also, make sure your scope of work is clearly defined so that you do not run into legal issues.
The legal issues of cybersecurity are complex and varied. Before undertaking any new project, you should make sure that your company understands and complies with the relevant regulations. The legal issues mentioned in this article are some of the largest that you will face today.