Over the last couple of years, cybersecurity laws have commonly required that sensitive information be protected through the use of “reasonable security.” Business owners have likely heard that they are required to protect sensitive information, but may not understand specifically how to go about this. The term “reasonable security” has often been left ambiguous, and guidance as to what is required for your specific business might be hard to find.

As a starting point, it is important to understand that what constitutes appropriate security safeguards may depend upon the type of information that you collect and the type of business that you operate. For example, if you are a medical professional, or are holding information for a medical professional, you may be subject to the HIPAA Security Rule (HIPAA), which lists specific safeguards for the protection of electronic health information. If you are a financial institution, or are holding information for a financial institution, you may need to comply with the Gramm-Leach-Bliley Act (GLBA), which identifies specific requirements and safeguards for the protection of customer information. See 45 C.F.R. Part 160 and Part 164, Subparts A and C (HIPAA); 15 U.S.C. §6801(b) (GLBA). Administrative guidance elaborates on each of these laws by laying out certain cybersecurity safeguards that should be put in place, including but not limited to access controls, monitoring solutions, and disaster recovery procedures. See Security Rule Guidance Material, U.S. Department of Health & Human Services; 12 C.F.R. Pt. 364, App. A. Further, under both HIPAA and GLBA, if any of the regulated entity’s vendors receive protected information from that regulated entity, then the regulated entity is required to contractually bind that vendor in writing to treat the protected information in the same manner as the regulated entity. See 12 C.F.R. Pt. 364, App. A III.D.; 45 C.F.R. 164.502(e).