Hartford Business Journal Special Editions

November 15, 2021

Issue link: https://nebusinessmedia.uberflip.com/i/1427549


Cybersecurity is Leading to Legislation, and Businesses Need to Comply

SPONSORED CONTENT

By Frank Rudewicz, David Sun, Heather Bearfield

Well-publicized cyberattacks have recently hit some of the biggest and most well-known businesses in the world (British Airways, Capital One, Marriott, Target), costing hundreds of millions of dollars and negatively impacting customers. Cybercrimes persist because cyber criminals stay one step ahead and find new ways to disrupt and cause harm, despite organizations enacting stringent policies to avoid them.

Unlike most crimes in the physical world, crimes in the digital world can go undetected for months, and take even more time to rectify. Depending on the industry, we have seen that cyberattacks can take anywhere from six to eight months to detect, and two to three more months to contain and rectify the breach. Some cases in the health care and public sectors have taken nearly a full year until finally contained.

In addition to protecting the integrity of data and verifying that vendors meet cybersecurity standards, there are concerns about brand protection and poor public perception, not to mention customer protection and legal liability. Much is at stake because breaches can prove costly on many levels.

State governments have taken serious action in recent years to protect people against cybercrimes. Cyber regulations come with two general objectives:

• Forcing businesses to implement protocols that can reduce the likelihood of a breach
• Requiring businesses to notify impacted individuals of potential damages as a result of a breach

Organizations are responsible for both regulatory and contractual compliance. The majority of U.S. states and territories have enacted laws that may require notifying people if an attack occurs. However, many organizations are unaware that they need to comply with these laws, much less how. Leadership needs to set the tone that robust security programs are as much a priority to their organization as financial success or human resource issues.

While there can be an added expense involved in compliance, these costs may pale in comparison with the cost of a breach itself, or with the fines an organization may receive due to noncompliance.

As cyberattacks grow in frequency, complexity and sophistication, state legislatures are looking to improve existing laws to protect citizens from breaches. Some common legislative proposals this year require government entities to report attacks or breaches, expand the definition of what "personal information" is, and require businesses and organizations to report attacks to the appropriate state regulatory authorities. Additionally, many states have established tighter timeframes for reporting breaches to stakeholders, and others seek to provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach.

For example, a bill pending in Connecticut, Senate Bill 1202, includes a provision to protect consumers' online data. Senate Bill 893, "An Act Concerning Consumer Privacy," has been condensed into a provision of SB 1202. Senate Bill 893 requires companies to collect less data and to use it only for the purposes for which it was collected, thereby limiting data breaches and identity theft. The aforementioned provision in SB 1202 creates a consumer data bill of rights. Companies will be required to clearly state a privacy policy telling consumers what data is being collected, how it is being used, and why. This will inform consumers that they have the right to know what information is being collected, the ability to see and fix any false data, and the right to have collected data deleted.

An effective roadmap to compliance may first include an assessment of a company's environment to identify gaps between what an organization has and what the state requires. Cybersecurity plans can then be created to address the gaps. Once implemented, the plans should be frequently examined for potential needed updates.

Compliance is not a one-time occurrence. It requires continual monitoring and commitment throughout the entire organization. Humans can be the largest risk to an organization, and technology alone can only protect so much. To a hacker, one click of a mouse by an unsuspecting employee could open up Pandora's box.

Such strict regulatory requirements may not seem ideal, but given the persistent threat of cyberattacks, it has become necessary to enhance protection of data and customers. Some companies have paid hundreds of millions of dollars in fines following cybersecurity breaches, so the investment of time and resources now is likely to become well worth it down the road.

For more information on cybersecurity, contact:
David Sun, david.sun@CLAconnect.com
Heather Bearfield, heather.bearfield@claconnect.com
Frank Rudewicz, frank.rudewicz@CLAconnect.com
They can also be reached by phone at 860-561-4000.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader. For more information, visit CLAconnect.com. CLA exists to create opportunities for our clients, our people, and our communities through our industry-focused wealth advisory, outsourcing, audit, tax, and consulting services.
