Cyber Laws & Best Practices: Getting Your Cyber House in Order

Date September 4, 2019
Article Authors
HBK CPAs & Consultants

Sir Winston Churchill’s definition of Russia as a “a riddle, wrapped in a mystery, inside an enigma” aptly describes the state of affairs between the bevy of cyber and data security laws and business enterprises forced to contend with the onslaught of cyber thieves and hackers. The “rock” of cyber thieves on one side and “hard place” of cybersecurity rules on the other can make life difficult for businesses.

Understanding the basics
When your business must adhere to disparate and fragmented cyber rules, regulations and laws, the first task at hand is to prioritize your needs, identifying, in effect, the “low hanging cyber fruit.” First, understand the requirements common to most cyber legislation. What are the states requiring a business such as yours to do in the event of a breach of “protected information”?

All 50 states and U.S. territories have laws mandating that businesses provide notifications to those whose protected information has been breached while in the care of the business. But each state has different requirements. It is conceivable that a single data breach will require a business to comply with 50 different sets of requirements. Consequently, a business should:

  • Take inventory of the states of residence of its clientele
  • Determine what it must do to comply with those states’ requirements
  • Prepare a plan to implement in the event of a data breach

Getting down to specifics
Following are details on the data breach notice laws for the states in which most HBK client reside: Florida, Ohio, Pennsylvania and New Jersey.

Florida Information Protection Act of 2014i: Any commercial entity that acquires, maintains, stores, or uses Personally Identifiable Information (PI) must notify affected Florida residents by written mail or electronic mail within 30 days of the breach.

  • If the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000, the business may use other means and methods of notifying those affected.
  • If the data breach involves more than 500 Florida residents, the business must report the breach to the Florida Department of Legal Affairs.
  • A breach affecting more than 1,000 Florida residents must be reported to credit reporting agencies.

Ohio Notification requirementsii: In Ohio, any business that experiences a harmful data breach must notify affected Ohio residents within 45 days by mail, telephone, or electronic mail.

  • Businesses can use public service announcements in the event than 500,000 Ohio residents are affected, if notification costs exceed $250,000, or the business has ten or fewer employees and notification costs exceed $10,000.
  • When more than 1,000 Ohio residents are affected by a breach, all consumer-reporting agencies must be informed.

Pennsylvania Breach of Personal Information Notification Actiii: When a Pennsylvania business experiences a harmful data breach, it must notify affected Pennsylvania residents as soon as possible by mail, telephone, or email.

  • If the security breach affects more than 175,000 people, or the cost of notification exceeds $100,000, public service announcements can be used instead.
  • When a breach affects 1,000 or more people, you must report it to all consumer-reporting agencies.

New Jersey Data Breach Identity Theft Prevention Activ: Businesses in New Jersey are required to respond to a data breach quickly. A business must first notify the Division of the State Police in the Department of Law and Public Safety, then alert the affected consumers through email or written notice.

  • If the breach affects more than 1,000 people, the business owner must notify all consumer-reporting agencies.
  • A business that willfully, knowingly, or recklessly violates the New Jersey Consumer Fraud Act, including failing to adhere to the Theft Prevention Act, may have to pay the injured party three times the damages, plus attorney fees and court costs.

While the laws are similar, the nuances require businesses to attend to the particulars of each. And the nuances turn into stark reminders of the perils of cyber-crime. Having to author a letter to clients admitting their data was stolen while they entrusted it to your care can make for a formidable backlash.

We will explore various other cyber and data security laws that impact your business in our next article.





Speak to one of our professionals about your organizational needs

"*" indicates required fields

HBK uses the contact information you provide to send you information about our products and services. You may unsubscribe from these communications any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.

Cyber Security: It’s Everyone’s Job

Date August 13, 2019
Article Authors
HBK CPAs & Consultants

HBK is in the cyber security business. Our Risk Advisory Services group exists to serve our clients and help ensure they remain healthy, active and viable. That is our business, ethical and moral purpose. We also realize that we alone cannot entirely handle your cyber security needs, because so much of cyber security is a function of business culture and self-awareness.

Here are five reasons cyber security starts and ends in the business setting:

1. Laws put the burden on your business to protect cyber data. If you peruse the California Consumer Privacy Act, the New York Department of Financial Services Cyber Security Regulations, the Ohio Cyber Security Safe Harbor Law, the Florida Information Protection Act, and the mother of all data regulations, the General Data Protection Regulation of the European Union, you will find two common denominators: none of them make it illegal to steal data and all of them make it incumbent on the business to protect data.

Each regulation sets forth actions businesses must take to protect data. This type of law used to be reserved for national security matters—power plants, national emergencies, disaster recovery—but state governments in the U.S. and foreign sovereigns are delivering a clear message that these laws apply generally. You are responsible for protecting data, and if you do not you will be punished.

2. The burden to protect cyber data is being pushed by big businesses to small and medium businesses (SMBs) under contractual mandates. Large multinational businesses are being attacked through their vendors. Target took a data breach hit because of an HVAC vendor. Capital One just announced a data breach allegedly caused by an employee of one of its vendors.

Large businesses are now insisting that their vendors adopt safe cyber hygiene practices or risk losing the business. The role of “vendor risk manager” has risen to the top of the charts as supply chain logistics expand and state laws mandate cyber security measures. SMBs risk losing their best customers if they do not tow the line on cyber security.

3. Blind Faith in outsourced IT and cyber security measures does not work. Pay close attention. Pushing problems to a third party does not solve problems, it merely hides them. Many SMB’s outsource IT and presume that their vendor has cyber security covered. This is flawed for two major reasons. First, IT vendors are only one part of the cyber security solution. Second, IT companies are particularly susceptible to data attacks because they are an entry point into your systems. SMBs must be assured that the people they pay are addressing cybersecurity. As one CFO recently told me, he is afraid of what he doesn’t know. That type of self-realization is healthy. Have your vendors demonstrate their cyber security.

4. Cyber Insurance underwriting guidelines will not accept cyber security indifference from management. Financing a cyber data breach or a ransomware heist is a big financial deal. CEOs, COOs, CFOs and BODs are tasked with managing the business vessel. Running afoul of cyber insurance guidelines can deprive a business of the requisite financial resources provided by insurance during a cyber data calamity. Good business management practices as well as operating agreements, by-laws and partnership agreements entrust these levels of decision to management. If C-level management and boards do not fulfill their obligations, they place the financial status of the business in peril. Study the cyber security laws and regulations listed in item 1 of this article. They are aimed directly at management.

5. Fiduciary Duty of Company Officers. Talk to your business lawyers about the respective duties owed to companies by their officers. Most state laws place this high level of responsibility upon the company officers. Fiduciary duties are non-delegable.

We do not have the luxury of cyber police patrolling the data streets of homes and businesses. Security always begins with the individual. Never confuse law enforcement with security. It is incumbent upon each person to do their part in cyber and data security because each person is a link in the cyber data chain. HBK understands this reality and bases its cyber security services on understanding the human, technical and management elements as being inextricably intertwined. In the end, you are only as secure as your weakest link.

For more information or to review your cyber security responsibilities and readiness, contact Steve Franckhauser at 614.228.4000 or

Speak to one of our professionals about your organizational needs

"*" indicates required fields

HBK uses the contact information you provide to send you information about our products and services. You may unsubscribe from these communications any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.