Cyber Laws & Best Practices: Getting Your Cyber House in Order

Sir Winston Churchill’s definition of Russia as a "a riddle, wrapped in a mystery, inside an enigma" aptly describes the state of affairs between the bevy of cyber and data security laws and business enterprises forced to contend with the onslaught of cyber thieves and hackers. The “rock” of cyber thieves on one side and “hard place” of cybersecurity rules on the other can make life difficult for businesses.

Understanding the basics
When your business must adhere to disparate and fragmented cyber rules, regulations and laws, the first task at hand is to prioritize your needs, identifying, in effect, the “low hanging cyber fruit.” First, understand the requirements common to most cyber legislation. What are the states requiring a business such as yours to do in the event of a breach of “protected information”?

All 50 states and U.S. territories have laws mandating that businesses provide notifications to those whose protected information has been breached while in the care of the business. But each state has different requirements. It is conceivable that a single data breach will require a business to comply with 50 different sets of requirements. Consequently, a business should:

  • Take inventory of the states of residence of its clientele
  • Determine what it must do to comply with those states’ requirements
  • Prepare a plan to implement in the event of a data breach

Getting down to specifics
Following are details on the data breach notice laws for the states in which most HBK client reside: Florida, Ohio, Pennsylvania and New Jersey.

Florida Information Protection Act of 2014i: Any commercial entity that acquires, maintains, stores, or uses Personally Identifiable Information (PI) must notify affected Florida residents by written mail or electronic mail within 30 days of the breach.

  • If the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000, the business may use other means and methods of notifying those affected.
  • If the data breach involves more than 500 Florida residents, the business must report the breach to the Florida Department of Legal Affairs.
  • A breach affecting more than 1,000 Florida residents must be reported to credit reporting agencies.

Ohio Notification requirementsii: In Ohio, any business that experiences a harmful data breach must notify affected Ohio residents within 45 days by mail, telephone, or electronic mail.

  • Businesses can use public service announcements in the event than 500,000 Ohio residents are affected, if notification costs exceed $250,000, or the business has ten or fewer employees and notification costs exceed $10,000.
  • When more than 1,000 Ohio residents are affected by a breach, all consumer-reporting agencies must be informed.

Pennsylvania Breach of Personal Information Notification Actiii: When a Pennsylvania business experiences a harmful data breach, it must notify affected Pennsylvania residents as soon as possible by mail, telephone, or email.

  • If the security breach affects more than 175,000 people, or the cost of notification exceeds $100,000, public service announcements can be used instead.
  • When a breach affects 1,000 or more people, you must report it to all consumer-reporting agencies.

New Jersey Data Breach Identity Theft Prevention Activ: Businesses in New Jersey are required to respond to a data breach quickly. A business must first notify the Division of the State Police in the Department of Law and Public Safety, then alert the affected consumers through email or written notice.

  • If the breach affects more than 1,000 people, the business owner must notify all consumer-reporting agencies.
  • A business that willfully, knowingly, or recklessly violates the New Jersey Consumer Fraud Act, including failing to adhere to the Theft Prevention Act, may have to pay the injured party three times the damages, plus attorney fees and court costs.

While the laws are similar, the nuances require businesses to attend to the particulars of each. And the nuances turn into stark reminders of the perils of cyber-crime. Having to author a letter to clients admitting their data was stolen while they entrusted it to your care can make for a formidable backlash.

We will explore various other cyber and data security laws that impact your business in our next article.

Sources:
i. https://www.flsenate.gov/Session/Bill/2014/1524/BillText/er/PDF

ii. http://codes.ohio.gov/orc/1349.19

iii. https://www.legis.state.pa.us/CFDOCS/Legis/PN/Public/btCheck.cfm?txtType=HTM&sessYr=2005&sessInd=0&billBody=S&billTyp=B&billNbr=0712&pn=0898

iv. https://www.njleg.state.nj.us/2004/bills/pl05/226_.htm

About the Author(s)

Steven Franckhauser is a Senior Director working out of the Columbus, Ohio and Pittsburgh, Pennsylvania offices of HBK. He joined HBK in 2011 and works with both the Risk Advisory/Cybersecurity and Energy divisions of the firm.

He is an adjunct Professor of Law at the Duquesne University School of Law, where he teaches business planning and cyber security courses. Steve contributes to the Penn State Extension programs on Shale development, is an adjunct Professor at Penn State University's Beaver campus in Monaca, Penn., and has been a guest lecturer on shale energy and renewable energy at The Ohio State University Fisher School of Business and the School of Arts and Sciences. He is also a past recipient of the “Who’s Who in Energy” by the Pittsburgh Business Times.

He serves on various industry-related boards and is a frequent lecturer and speaker on the economic development and opportunities provided by shale energy, as well as on topics related to the importance and development of Cybersecurity best practices, regulations and standards as they relate to businesses and individuals.

Matthew J. Schiavone is a Senior Manager in HBK’s Quality Control department and works primarily in the Pittsburgh, Pennsylvania office. He specializes in risk advisory services, system and organization control (SOC) reporting, internal controls, IT audit, information security, and cyber security for all types of industries.

Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.

RECOMMENDED ARTICLES