Security Requirements for SMBs – State Laws

by becki on July 16, 2011

In the first article of this series, I wanted to get you thinking about the basics of information security for your small-to-medium sized business. I asked you to learn which legal and industry security requirements your business is subject to, and I wanted you to think about where your business data is and who has access to it. If you’re like most owners or IT managers for a small business, you probably don’t feel very confident about your answers. Let’s help you get there.

Information Security Requirements by Law

As a business owner, you are required by law or statute to do a lot of things. For example, you are required to have a business license, pay taxes, pay workers’ compensation insurance premiums, and meet any number of other legal and regulatory requirements depending on which business you are in and where you conduct your business. You can think of information security requirements in much the same way.

You can choose to ignore these regulatory requirements, just like you can choose not to pay your taxes, but you should at least be aware of the rules and the consequences for not following them.

State Computer Security and Privacy Laws

Disclaimer: I am not a lawyer and am not qualified to dispense legal advice. Please see your lawyer for legal advice.

You are probably aware of the well-known government and industry compliance requirements such as PCI-DSS, HIPAA/HITECH, and SOX, but are you aware that many states now have computer security and privacy laws?

For example, Nevada requires that personal information be protected and it defines how it should be protected. Any organization that collects “nonpublic personal information” is subject to the law. This means if your business is in Florida and you store personal information of people who live in Nevada, it is my understanding that you are subject to this law.

At least 38 states have laws that relate to computer security, privacy and data breaches, and new laws are passed every year. For example, Texas just passed a new health privacy law that is tougher than HIPAA. Keeping up with these changes is tough for those of us in the information security business, and probably impossible for the SMB owner.

Data breaches in violation of these laws can result in heavy fines and restitution costs. Many SMBs would be wiped out by such penalties.

What is Computer Security Compliance Going to Cost?

The last thing you want to do is overspend on your computer security program, but how do you know how much is enough and how much is too much? I use the computer security requirements to define how much I need to spend. For example, why would I spend money on data encryption if I’m not required to encrypt my data? Another example might be that I change a business process rather than spend money on security. I don’t have to secure data that I don’t collect. I also can’t lose and be fined for data that I don’t collect – think about that.

Hiring a security partner who can help you understand and stay current with your regulatory compliance requirements is probably your best option. If you want to do this yourself, the UCF has products that can help you keep up to date on new laws and regulations.

Please leave a comment or contact me on Twitter if you have anything to add or if you have a question.

All related posts will be in the SMB/SOHO Computer Security category on this site. If you like it, subscribe to my blog and come back for future articles.
