We talk a lot about data security. We do it partly because it’s a top compliance priority for companies. But we also want to make sure we inform professionals like you about legal updates and trends, because that’s what we do and we should all be a little literate in the essential things in life. Data security is one of those essentials.
What is Data Security?
Data security, usually discussed under the broader heading of cybersecurity, means “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” Password protecting our laptops and work phones is an everyday example of data security. Businesses do the same thing on a larger scale to keep sensitive personal and business information from being leaked.
What’s the Difference Between a Cyberattack and Data Breach?
A cyberattack is intentional, unauthorized access to, or disruption of, a computer system. “Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services,” according to the Department of Homeland Security. It sounds scary because it is. The 2016 ‘Internet of Things’ cyberattack, a denial-of-service attack launched from compromised consumer devices, made large parts of the internet unreachable for hours (imagine if all the highways in California shut down at the same time), while technology company Yahoo had the credentials of 500 million accounts stolen. Both were intentional.
In contrast, a data breach is unauthorized access to protected data, regardless of anyone’s intent. For example, an employee who uses an unsecured home computer to access confidential company information, a form of shadow IT, can cause a data breach without meaning to. Some call this insider negligence, which the Ponemon Institute found was the leading cause of data loss and theft in 2015. Phishing, spoofed emails that trick people into handing over credentials or granting system access to strangers, “has continued to trend upward” according to the Verizon 2016 Data Breach Investigations Report.
The important thing to understand is that an honest mistake can be just as serious as a cyberattack because both leak sensitive data to people who shouldn’t have it.
Which Laws Govern Data Security?
A lot of laws govern data security, and the laws that apply to you depend on where your company is located, its industry, and what kind of data it handles.
Almost all states and most regulated industries have their own data security laws. For example, if you’re a financial institution in New York, you must abide by the federal Gramm-Leach-Bliley Act and will soon have to abide by the state’s cybersecurity regulation as well. Internationally, the EU-U.S. Privacy Shield framework for transatlantic data transfers and the General Data Protection Regulation (GDPR) loom large for global businesses, because both aim to protect the personal data of people in the EU.
All companies have to be honest about how well they protect data: the Federal Trade Commission has pursued businesses for “unfair” or deceptive practices under Section 5 of the FTC Act after they failed to protect data as promised. Given this confusing patchwork, it’s best to focus on best practices that you can actually put into effect.
What’s My Responsibility?
To be vigilant. Our actions are no longer singular; they impact our employers, customers, and each other. Being vigilant means educating ourselves, such as understanding the latest cybersecurity risks and actually reading our employer’s cybersecurity policy. It also means doing our part to protect someone else’s private information. For more information, you can read our white paper on what makes effective data security training.
LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.