How To Simplify Cyber-Security Controls Amid Abundant Laws

July 13, 2015 – In The News
Compliance Week

Scott L. Vernick was quoted in the Compliance Week article, “How To Simplify Cyber-Security Controls Amid Abundant Laws.” Full text can be found in the July 13, 2015, issue, but a synopsis is below.

Most compliance officers have heard the warning that it’s a matter of when you suffer a data breach, not if.

After a breach comes compliance with varying breach disclosure rules, which can often be confusing with virtually every state in the country having its own breach notification law. In addition, many federal agencies have their own regulations protecting consumers’ financial data, health records and more, each with separate disclosure requirements.

Companies that operate in industries that are regulated heavily by the government may need to prioritize federal standards and guidance in response to a breach.

“Look first to what your primary regulator requires you to do,” says Scott L. Vernick, a noted privacy attorney. “First and foremost, you are going to adhere to the prescriptions and dictates of a primary federal regulator like the Office of Civil Rights if you are talking about protected health care information, or the Federal Energy Regulatory Commission if you are a utility.”

Companies need to remember that individual state regulations cannot be ignored, however.

“Look at the states that are the most aggressive when it comes to these issues, both in terms of what their statutes say and what their reporting and breach notification requirements are,” Vernick says. “That doesn’t get you out of complying with technical requirements that are applicable to other states, but it will help in terms of planning.”

According to Vernick, some of the states with the most difficult privacy and data breach notification laws are Massachusetts, California, New York and Minnesota, with Florida even requiring the submission of a written incident response plan.

Click here to view the full article.