Data breaches are on the rise and a concern for businesses of all industries. For instance, since January 2017, at least 14 retailers have been hacked and likely had information stolen from them. The healthcare industry has also been a target for cyber-criminals, along with the City of Atlanta and many more.
On March 28, 2018, Alabama enacted the Alabama Breach Notification Act of 2018 (2018-396), which requires a business entity that “acquires or uses sensitive personally identifiable information” to have certain security measures in place and predetermined notification measures to alert impacted individuals of a breach within a reasonable amount of time. The act is estimated to go into full effect on June 1, 2018.
What is “sensitive personally identifiable information”? According to the act, this is information that relates to non-truncated or non-encrypted Social Security numbers, tax IDs or driver’s licenses; financial institution account numbers in connection with security access codes and passwords; medical history or diagnoses; health insurance numbers or IDs; or a username or email address in connection with a password or a security question and answer. If your business handles this information, the act requires that you enact security measures to prevent and mitigate cybersecurity breaches.
Warren Averett’s IT experts evaluated the new requirements and mapped out these six steps for organizations to take:
- Designate an individual or team to oversee security measures. These individuals should be knowledgeable about cybersecurity and how it pertains to their organization. For instance, they should be aware of the organization’s current and potential risks, its existing security measures and controls, and how sensitive information is communicated to third-party vendors and internally.
- Identify internal and external risks. To determine where your organization’s cybersecurity is weak, complete a risk assessment at least annually.
- Adopt security measures to mitigate risks. Use the results from the risk assessment to determine what security controls need to be put in place to prevent potential breaches.
- Inform third-party providers of the security measures. If applicable, determine what information is accessible to each of your vendors and how they are using the information. Inform vendors of your security measures and discuss what controls they have in place that may impact your business.
- Review and evaluate security measures. Because cybersecurity and your organization are constantly changing, it’s essential to review, evaluate and make necessary adjustments to your cybersecurity controls periodically.
- Establish clear communication standards between relevant parties. Ensure clear communication guidelines exist between your organization’s information security department and its management and board of directors.
If followed, these six steps should help your organization prevent potential cybersecurity breaches and reduce its risk. For further details, read Warren Averett’s full article here.