Know What Laws Apply
Privacy and security laws, particularly in the U.S., have changed dramatically in the last few years, so it is not surprising that many leaders are unsure which new laws or updated regulations apply to their organization. Whether it’s the Oregon Consumer Privacy Act (OCPA), the EU General Data Protection Regulation (GDPR), the FTC’s updated Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), or Colorado’s Artificial Intelligence Act, once a business understands which requirements apply to it, it becomes much easier to prioritize its efforts.
Personal Information, not PII
The large majority of Americans can be uniquely identified from date of birth, gender, and five-digit ZIP code alone. None of these data points is, on its own, “personally identifiable information” (or “PII”) in the narrow, traditional sense, yet together they can be linked to a particular individual. Recognizing that individuals can easily be identified without any traditional PII, lawmakers and enforcement officials have largely moved away from the narrow term. Today they use terms like “personal data” or “personal information,” defined broadly to include any information that identifies, or is capable of being associated with or linked to, a particular individual. Personal information includes direct identifiers, such as a full name or email address, as well as indirect identifiers, such as cookie and device IDs, IP addresses, and combinations of otherwise innocuous data points like the three above.
Data Inventory
Keeping in mind the broad definition of personal information, inventory the categories of personal information the organization collects, creates, shares, and stores, and where each category lives. What personal information is collected from customers, website visitors, applicants, employees, and business partners? An up-to-date inventory makes it easier to assess risk. It also pays off during a security incident: when a ransomware actor claims to have exfiltrated data, knowing which categories of personal information are stored on the affected systems lets the business weigh its options and determine its notification obligations quickly, instead of discovering the contents of its own systems under deadline pressure.
Delete. Repeat.
Is personal information that is no longer needed actually deleted? Deleting it reduces cybersecurity risk and lowers the cost of the next data breach, and unfortunately it is a question of when, not if. Data that no longer exists cannot be stolen, and data that is stolen cannot be un-stolen. Implementing a data or records retention and deletion policy can reduce (1) real costs, such as the cost of storage, and (2) potential costs, such as the expense of offering identity theft protection to everyone implicated in the next data breach. A great place to start is to decide how many years employee records should be retained after termination, then confirm that deletion actually happens, including in backups and in copies held by vendors.
Give Thanks
Cybersecurity and IT leaders are vital to every organization’s success. But they may be burning out at the very moment you need them most: 93% of security leaders surveyed say they have considered quitting their job because of the stress and demands. Thank everyone who keeps the business’s network and information safe. Reducing turnover on the cybersecurity and IT team, in roles that can take months to fill, reduces risk, because institutional knowledge of the environment walks out the door with each departure.
Require Multifactor Authentication (MFA)
Consider requiring employees to use MFA, and prioritize email, VPN and remote access, cloud consoles, and administrator accounts. According to Microsoft, more than 99.9% of compromised accounts do not have MFA enabled, which leaves them exposed to password spraying, phishing, and password reuse. Not all MFA is equal: SMS codes and simple push notifications can be phished or worn down by “push fatigue,” so where possible use phishing-resistant methods such as FIDO2 security keys or passkeys, and require number matching for push prompts.
Incident Response Planning
A solid Incident Response Plan (IRP) can limit risks. How will the leadership team communicate if the network, including corporate email, is compromised? Is there an out-of-band channel agreed in advance? Who should be called if there is a ransomware attack, and are those phone numbers stored somewhere that will still be reachable? Does the response team know how to engage outside counsel early so that the Attorney-Client Privilege and the Work Product Doctrine can help reduce breach litigation risks? Planning ahead, and testing the plan in a tabletop exercise at least annually, reduces risk and the foreseeable challenges of a security incident.
Keep Your Privacy Statement Current
If the business hasn’t updated its privacy statement in the last year, it may be time for a makeover. A clear, comprehensive, and accurate privacy statement is a great risk-mitigation tool; an inaccurate one is a liability, since regulators treat a gap between what the statement says and what the business actually does as a deceptive practice. An older “last updated” date at the top of your privacy statement can signal that privacy has not been prioritized.
Develop an AI Policy
By late 2024, nearly 40% of the U.S. population between 18 and 64 was using generative AI. As many as 23% of employed respondents had used it for work at least once in the preceding week, and 9% used it every workday. Do employees know the guardrails? Implementing an AI Policy is a great way to reduce the risk that employees paste personal information into AI services in violation of legal obligations, or that the business loses control over sensitive, confidential, or proprietary information by feeding it to a service that may retain it or use it for training.
Recording Rules
Many people are using notetaking and recording apps to enhance their productivity. This has many organizations on edge, concerned that such practices can lead to unintentional disclosure of confidential information, privacy violations (including in states that require all-party consent to recording), and an erosion of trust in the workplace. As many of these apps are powered by generative AI and upload recordings to a third-party service for transcription, rules around recordings can be added to an AI Policy.
Know Who Has Access to Your Information
Consider compiling a list of third parties who (1) have access to business information or (2) collect information on behalf of the business about customers, employees, applicants, and business partners. This list, which can be built alongside the data inventory, may include cloud service providers, marketing vendors, business partners, analytics companies, and even staffing services. Do agreements with these third parties limit their use of the business’s information, impose sufficient security controls, and require prompt notice of their own security incidents? A vendor’s breach is, from the regulator’s and the customer’s perspective, the business’s breach.
Finetune Your Templates
Under most privacy laws, agreements with third parties that involve the exchange of personal information must include specific privacy and security provisions, such as limits on the purpose for which the data may be used, confidentiality and security obligations, and flow-down of those obligations to subcontractors. Has the business updated its vendor agreements and sales templates lately to reflect these requirements?
Privacy Impact Assessments
Most state privacy laws require completion of a Privacy Impact Assessment (PIA), often called a data protection assessment, for riskier processing operations such as targeted advertising, selling personal information, profiling, or processing sensitive data. Does the business do anything with customer, employee, or applicant information that might require a PIA?
Know the Cybersecurity Policy
Find the company’s cybersecurity insurance policy. Mix up a cocktail or mocktail. And get ready to go on a journey. What does the policy actually cover in the most common security breach scenarios, such as ransomware payments, business interruption, forensic and legal costs, notification expenses, and third-party claims? Pay equal attention to what it excludes, and to any security controls (MFA is a common one) that the business represented it had in place when applying, since a misstatement there can jeopardize coverage.
Raise Awareness
Information protection is 24/7 and all-hands-on-deck. Do all employees have access to training materials? Can they spot the biggest threats and risks, such as phishing and business email compromise? Do they know how, and to whom, to report privacy and security incidents promptly, and do they understand that a quick report of a mistake is welcome rather than punished?
Don’t Let Perfection Be the Enemy of the Good
Privacy and cybersecurity work is tough. With laws, regulations, best practices, and threats in these areas changing rapidly, it is hard to keep up. Even the most accomplished professionals in this space report imposter syndrome and feel overwhelmed by the relentless change. Don’t let perfection stop you from making meaningful improvements.
This article summarizes aspects of the law and does not constitute legal advice. For legal advice with regard to your situation, you should contact an attorney.