Stopping a data breach is only half the problem

A lot of attention is paid in the media to the risks of a cyber attack on an organization's data. It makes for good headlines, and the attention is not just about headlines: theft of personal and financial data is very big business. Every data breach has victims. Clients and customers lose their identities to thieves and see their credit demolished; businesses suffer serious revenue declines from the damage to their reputations. As a result, businesses focus a great deal of effort and resources on defending against hackers and cyber thieves, and that focus is completely justified. Less attention, however, is paid to the reverse side of a cyber attack. After an attack, or more specifically after the theft of personally identifiable information, what are a business's responsibilities? In addition to determining how the attack occurred and addressing the vulnerability, businesses may have legal obligations imposed on them by governmental entities. That brings us to the flip side of a data breach.

Small and large businesses, no matter what product or service they provide, are subject to some manner of regulation regarding the storage and use of digital data. These laws are known generically as "data protection laws." They may define, fully or in part, what type of data is regulated or covered, prescribe general standards for securing that data, and often require notification of victims and governmental authorities in the event of a breach. A growing body of regulation in the developed world, including the United States, governs the storage and use of data collected by businesses and organizations. Every organization that collects personally identifiable data needs to know which regulations it may be subject to. In our next blog, we will discuss one of the oldest and still most formidable data regulation laws in the US: HIPAA.