Data Privacy v. Data Security
Data privacy is the right of individuals to control how their personal information is collected and used by companies and government entities; for a business that holds personal information, it is the set of policies governing how that information about others is handled. Data security is the set of practices put in place to keep attackers from stealing, altering or otherwise maliciously accessing any data on your business systems.
Personal information is anything beyond what is publicly known about an individual. It can be as rudimentary as a name combined with which pages that person viewed on your website. Each state in the US defines what personal information means for its own purposes.
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more pieces of non-public information.
The full definition can be found here along with data breach notification requirements.
No Consumer Protection Identity Laws
In Iowa there are no data privacy regulations your business must follow unless you hold health information or do business with residents of California or the European Union. Health data is governed by HIPAA, which applies if you are a covered entity or a business associate of one. Only one state currently has regulations that force companies to set up specific data privacy controls over how personal information is collected and used: California’s Consumer Privacy Act (CCPA), which took effect in 2020 and applies to businesses that meet its applicability thresholds. Colorado and Virginia have passed similar acts that go into effect in 2023.
Data Breach Notification Requirements
While Iowa has no data privacy requirements, it does have requirements if personal information your company controls is exposed. Any Iowa resident whose personal information is breached must be notified of the breach, and if more than 500 residents are affected, the Iowa Attorney General must be notified as well. The Attorney General posts these notifications publicly, and it is striking how many breaches happen in Iowa alone. More data privacy laws will almost certainly be enacted over the coming years, possibly including national regulation similar to the European Union’s GDPR.
Privacy & Security
Since there are no regulations other than breach notification, what should your business be doing about data privacy and security? Having helped several companies deal with data breaches, and knowing that more laws will be put into place, I believe you absolutely should take privacy and security seriously. You may also think that being located in Iowa and being a small business gives you some protection. I can say from direct experience it does not. If you have an Internet connection and a bank account, you are a target. Here are some tips for preparing for data privacy laws and protecting your systems from attackers.
Data Privacy Tips:
- Classify the data you already have. Knowing what you have will help you assess the risk associated with that data. Even if you don’t store information about your customers, which is unlikely with today’s technology, you almost certainly have information on your employees. Know and understand what kind of data is stored on your systems, where it lives, and who can reach it.
- Determine whether you fall under California’s CCPA or the EU’s GDPR. The penalties are high, and more laws like Colorado’s and Virginia’s data protection acts will be coming to a state near you.
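The classification step above is where most businesses get stuck, because the question is not “do we store data?” but “do we hold a name combined with a non-public data element?” The following scanner is an added example written for this post, not the author’s tooling: it checks each row of a CSV export for common non-public elements (a Social Security number, a card number validated with the Luhn checksum, an Iowa-style driver’s license number) and flags rows that pair one of them with a name. The regular expressions, the column names treated as “name” fields, and the sample rows are constructed assumptions for illustration, not a legal checklist; tune them to your own data before relying on the output.

```python
"""Added example: classify CSV rows against a name + non-public element definition.

Not part of the original post. Patterns, name columns and sample data are
constructed for illustration and should be adjusted for real datasets.
"""
import csv
import io
import re

# Constructed detection patterns (assumptions for this example).
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card numbers are 13-19 digits; a Luhn check filters out most random digit runs.
CARD_RE = re.compile(r"\b\d{13,19}\b")
# Assumed Iowa driver's license layout: 3 digits, 2 letters, 4 digits.
IOWA_DL_RE = re.compile(r"\b\d{3}[A-Z]{2}\d{4}\b")

# Column names that count as a "name" element (assumption for the example).
NAME_COLUMNS = {"first_name", "last_name", "name", "full_name"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_elements(value: str) -> set:
    """Return the set of non-public element types found in one field value."""
    found = set()
    if SSN_RE.search(value):
        found.add("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(value)):
        found.add("card_number")
    if IOWA_DL_RE.search(value):
        found.add("drivers_license")
    return found


def classify_row(row: dict) -> dict:
    """Classify one record: which elements it carries and whether, combined
    with a name, it meets the name + non-public element definition."""
    elements = set()
    has_name = False
    for col, val in row.items():
        v = (val or "").strip()
        if not v:
            continue
        if col.lower() in NAME_COLUMNS:
            has_name = True
        elements |= find_elements(v)
    return {
        "has_name": has_name,
        "elements": sorted(elements),
        # A non-public element without a name is not "personal information"
        # under this definition, but it is still sensitive: another table
        # (e.g. keyed on employee_id) may link it back to a person.
        "personal_information": has_name and bool(elements),
    }


def classify_csv(text: str) -> dict:
    """Summarise a CSV export: row count, rows meeting the definition, element types."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = [classify_row(r) for r in rows]
    return {
        "rows": len(rows),
        "personal_information_rows": sum(f["personal_information"] for f in findings),
        "elements": sorted({e for f in findings for e in f["elements"]}),
    }


# Constructed sample export (fictional people and numbers).
SAMPLE_CSV = """first_name,last_name,employee_id,ssn,notes
Jane,Doe,1001,123-45-6789,payroll
John,Roe,1002,,card 4111111111111111 on file
,,1003,456-78-9012,orphaned record
"""

if __name__ == "__main__":
    print(classify_csv(SAMPLE_CSV))
```

Two rows in the sample meet the definition; the third carries an SSN with no name and is reported separately by `classify_row`, which is the case to watch for in real exports, where an identifier column can re-attach the name from another system. Running this over exports of your HR, payroll and CRM systems gives you the inventory the classification step asks for.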
Data Security Tips:
1. Understand your risk and what the impact would be if all of your data were stolen, or made unusable by a ransomware attack.
2. Implement a multilayered cyber security defense system that includes:
A. Patch Management – keep all of the software and systems on your network updated, and track what is still unpatched.
B. Employee Training – your employees are the first line of defense against cyber-attacks, especially phishing.
C. Managed Next Generation Anti-Virus – make sure you are alerted when the agent is not running on a system or is out of date.
D. Disaster Recovery – your DR solution should include a combination of onsite and offsite data copies, encrypted at rest, with restores tested regularly.
E. Password Management and MFA – every user of your systems should have, at a minimum, a complex and unique password under a managed change policy, and multi-factor authentication should be enabled wherever it is available.
3. A through E above are the minimum you should implement within your business network. Talk to your IT provider about additional layers of security that are appropriate.
4. Finally, cyber liability insurance should be evaluated and, depending on the risk to your company, put in place. Even the smallest data breach will cost far more than you expect just to determine what happened, let alone to notify those affected and recover.