Written by Robert Barnes, Administrative Assistant with the NIST MEP Extension Services Division.
With the number of reported data breaches steadily increasing every year, they are in the news so frequently that it’s hard to keep them all straight. In 2017, Equifax suffered a massive breach, and almost 150 million customer records (representing nearly half the U.S. population) were stolen. In 2018, Marriott International experienced a breach where hundreds of millions of customer records – including personal information, credit card numbers and even passport numbers – were compromised.
Data breaches affect all types of organizations large and small, popular and little known. While the big company breaches make the news, you rarely hear about smaller companies that are often vulnerable and can find themselves in the crosshairs of cybercriminals. Most involve some type of hacking, such as a phishing attacks or malware, where an attacker successfully gains access to protected or private information.
Data Breach Notification Laws – It’s Complicated
If your manufacturing company experiences a breach, what will you do? Should you notify law enforcement right away? Notify customers? Is there anyone else to inform? How long do you have?
The answers are complicated. While no comprehensive federal laws exist, each state and territory has its own data breach notification law. These laws require anyone that suffers, or even suspects, a breach to notify customers of anything involving personally identifiable information. The laws also require notifying law enforcement and taking specific steps to remedy the situation. But state laws vary considerably when it comes to the types of information covered, timing of notifications and reporting standards. Who must comply and what even constitutes personal data varies state to state. Adding to the complexity, requirements are also changing, with some states recently updating their laws.
How Much Time Do I Have to Report a Data Breach?
Most data notification laws require that businesses notify customers without reasonable delay. The length of time varies by state and industry sector. When dealing with a data breach, manufacturers have competing responsibilities – to their company, to others in the industry, to customers and to law enforcement. There are even circumstances where law enforcement is investigating a breach and it must be temporarily concealed.
Prepare for Data Breaches Before They Happen
Treat data breach notification plans as you would any other disaster plan – don’t wait! Since there is no single, standard response to a data breach, U.S. manufacturers must understand the specific state and federal laws that apply to them. Manufacturers must consider the laws in all states where they conduct business.
Luckily, there are several excellent resources manufacturers can turn to for some clarity. Several organizations summarize state data breach laws, including National Conference of State Legislatures, IT Governance, and Perkins Coie.
To ensure that your manufacturing company complies with data protection laws, you should stay aware of current regulations for your state and industry. A data breach will always be a stressful event. Awareness of your obligations and a plan in place can ease some of the stress – and help you avoid heavy fines. Here are some tips:
- Identify the state and industry laws that cover your company
- Document the data breach notification requirements that affect your company, along with the process(es) to meet those requirements in a worst-case scenario
- Create a policy around the breach notification requirements that affect your company
- If there are overlapping regulations, use the most stringent one for your company’s policy
- Create draft notification letters and emails ahead of time
- Create a clear communication strategy for data breaches and get it through your company’s legal and public relations departments ahead of time, if necessary
IMEC is Ready to Help You
For help understanding Illinois' data breach notification laws and other cybersecurity questions, reach out to the experts at IMEC.
Read the original article.
Manufacturers who plan to retain current − or earn new − contracts through the U.S Department of Defense (DoD), must achieve Cybersecurity Maturity Model Certification (CMMC) certification by 2024.
You are not alone in navigating DoD-required cybersecurity practices. IMEC, in partnership with Cerberus Sentinel, is offering a 15-part CMMC Cybersecurity Training Series for Manufacturers that will guide you through the process towards CMMC certification, verifying to the DoD that you have adequate cybersecurity controls and policies in place to meet DoD security standards. Your participation in the monthly virtual training and completion of monthly homework can:
- Prepare you for a successful first-time CMMC audit, with costs estimated in the $20,000-$30,000 range
- Save $100,000+ in consulting costs for an external provider to complete the process of demonstrating compliance with CMMC in policies, procedures and practices.
MAKE STEADY PROGRESS:CMMC Cybersecurity
15-Part Training Series for Manufacturers
July 2021 - September 2022