Q: The regulatory landscape is continually changing, and I know that the price for inadvertently running afoul of a data law can be steep. What are the best ways to stay on top of the rapidly changing regulatory landscape for data cultivation and protection?
Data is the most valuable currency in cyberspace. Due to this, legislation has broadened in recent years to allow for greater consumer protections and privacy considerations. Your MSP needs to know the laws, so you and your clients can stay compliant. The cost of not complying can be hefty.
In fact, the fines and penalties have become so severe that MSPs considering taking on healthcare and financial clients need to weigh the benefits of new business against the risk of criminal or civil lawsuits and hefty fines for inadvertent breaches that may happen on their watch.
For instance, an MSP in Philadelphia was fined $650,000 in 2016 for not properly securing HIPAA-protected data. This is why liability insurance is a must in today’s MSP environment.
There is also a web of regulations that cover behavior after a data breach. Sentara Hospitals in North Carolina was fined $2.175 million in 2019 — not for a data breach (that fine will be assessed later), but for failing to report the violation.
Regulations for MSPs to watch
For perspective on this issue, we turned to Dr. Nazli Hardy, associate professor of computer science at Millersville University in Pennsylvania, who has researched network and information security. According to Hardy, here are some of the regulations that loom the largest for MSPs:
- California Consumer Privacy Act: Enacted in January 2020, this contains a package of provisions that protect consumer data from being sold and gives consumers new rights.
- NYS DFS: All entities and persons regulated or licensed by the New York State Department of Financial Services are required to file various cybersecurity notices.
- Insurance Data Security: Passed in 2017, this establishes standards for cybersecurity breaches within the insurance industry.
- GDPR: Adopted in 2016, this is Europe’s groundbreaking and far-reaching consumer protection and privacy mandate. After a lot of initial disruption, most businesses seem to have embraced the new normal of the GDPR era.
Hardy says that all types of industry, whether it is banking, health, or education, can and should expect new cyber data regulation at local, state, and federal levels. But after the laws are made, the rest is up to you.
“We cannot expect any of these entities, especially local and state, to follow any standard in disseminating these laws. It is entirely up to each organization to ensure they know,” stresses Hardy.
Hardy compares knowing regulatory law to learning traffic laws:
“Just like when we drive and make a mistake on the road, we cannot use ignorance as an excuse. It is up to us to make sure we are up to date on all laws, or we can expect to be fined.”
The importance of staying involved
Still, you can stay on top of the shifting regulatory landscape by remaining involved. Here are some of Hardy’s tips for staying plugged into the ever-changing landscape:
- Join local, state, and federal level organizations and associations pertaining to your industry.
- Subscribe to industry journals, magazines, and newsletters.
- Attend well-known conferences.
- Join webinars given by specialists in your industry.
By staying “plugged in” you’ll hear the chatter about the latest laws and regulations. It can be easy to get stuck in a bubble of resolving trouble tickets and installing routers and forget to stay connected to the larger ecosystem of knowledge, but losing that connection can leave you in peril.
The MSP’s responsibility
The single most important step that Hardy believes companies should take is to assign a team or person in charge of knowing the new rules and disseminating them in a clear format to all employees. The responsibility falls on the company to be alert, interested, and informed, because it is responsible for the privacy of the customer data it actively mines.
Many smaller companies don’t have the staff or hours to have a point person staying on top of all the different laws. MSPs should make it their mission to stay on top of the legislation.
Ultimately, Hardy says these regulations are a good thing, helping to keep consumers and data safe. Federal laws that mirror California’s are probably still rather far on the horizon.
“It costs corporations a lot of money to follow privacy regulations — while mining (and then possibly misusing) consumer data is relatively cheap,” admits Hardy. Still, she expects that the USA will eventually go the way of Europe and have privacy be the law of the land.
In the meantime, MSPs need to work on shifting the culture of the workplace towards one that views privacy as priceless and stay on top of the laws that add protection.