What Do You Know About PII Disclosure Laws in Your Industry?
Whether you work in restaurants or law, healthcare or engineering, you probably use technology to make your day-to-day tasks easier. We make professional connections online, video chat with coworkers and onboard new customers through our screens. These computer systems thus store data on everything from workflow to employee birthdays to customer credit cards when you sign them up for your services. Whenever personally identifying information, better known in cybersecurity as PII, gets transferred through or onto the company database, you as an employee are designated responsibility for the safety of that information.
It’s not only your employer who wants to make sure you keep that information safe. Myriad laws cover the protection of PII in both digital and physical forms that you are subject to, although which ones apply to YOU may change when you start a new job or work with people in different industries.
Laws to Protect National Infrastructure
“Critical infrastructure” refers to those industries that assist our daily lives, from telecommunications to transportation and beyond. Most of the time, people these days book flights, text friends and spend money electronically. That puts all of our information at risk if those databases were to be hacked. That’s why governments around the world have created their own data privacy laws, and even joined together to increase our global focus on cybersecurity threats to critical infrastructure and the contractors with whom they work.
- In 2018, the federal government established the Cybersecurity and Infrastructure Security Agency (CISA) to oversee the development of better cybersecurity practices in both the public and private sector
- The CCPA (California Consumer Privacy Act) of 2018 protects the right to know what businesses are doing with collected data
- CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) was signed in March 2022 and included new cyber-protections, such as mandated reporting within 72 hours of a cyber event and within 24 hours of ransomware payments
These agencies and laws that have begun popping up in the past few years suggests that the public at large is developing a deeper understanding of how important cybersecurity is to keeping our daily lives on track! The European Union has the EU General Data Protection Regulation (GDPR) which has protected the communication, transfer and storage of PII since it first went into effect in 2018. While the U.S. doesn’t have something quite so comprehensive just yet, state and federal governments have clearly been turning their eyes in that direction.
Role-Based Laws
Depending on where you work, you might also be liable for data privacy because of the specific industry you’re in. For example, you might be aware of HIPAA which protects your medical information from disclosure without your express permission. ALL healthcare providers are beholden to this. Although that’s one of the more well-known, did you know that attorneys, bankers and internet providers (to name just a few) have to follow special privacy laws too?
You might also be expected to meet various compliance regulations based on the role you play within your organization. For example, an assistant might be responsible for only their machine, but the manager would be additionally responsible for the assistant’s compliance to departmental standards. Similarly, the financial department is more vulnerable to certain attacks while the CEO might face other kinds of phishing scams. When you accept a position that handles, transports or stores people’s private data, you are automatically beholden to data privacy and compliance laws congruent with the role. Pay attention at your security awareness trainings to learn what’s expected of you!
Conclusion
The more people learn about data collection and sales, cybercriminal threats to their digital transactions, and vulnerabilities in their online accounts, the more state and federal governments have been enacting laws to protect PII from inappropriate disclosure. This effort goes back to the ’90s, when medical records went digital and the need for electronic protection quickly arose, ultimately spawning HIPAA. In the unending war against unauthorized access to confidential data, we are all responsible for keeping PII safe in communication and storage.
Navigating the cyber-landscape safely can be daunting alone. Keep this blog in your pack for biweekly tips and news about information security!
References
- https://www.cisa.gov/critical-infrastructure-sectors
- https://www.huntonprivacyblog.com/2022/09/30/cyber-incident-reporting-for-critical-infrastructure-act/
- https://www.cisa.gov/about-cisa
- https://www.privacyshield.gov/article?id=European-Union-Data-Privatization-and-Protection
- https://oag.ca.gov/privacy/ccpa