Most people know of HIPAA, but only those in the medical profession and the business associates that serve these organizations are subject to the legislation’s many complex regulations. That may be about to change, as the New York State Attorney’s Office recently proposed HIPAA-like cybersecurity regulations that would apply to financial services institutions.
Modeled after HIPAA and enforced with a similar approach, this is a detailed program of security regulations and policies that would be mandatory for financial services institutions and their business associates. And while New York is the center of activity right now, we in the information security world have been seeing signs that the legal profession, along with the financial sector, can expect this type of regulation to be implemented on a nationwide basis.
New York’s proposed financial services cybersecurity framework mandates that covered entities complete multiple steps to safeguard data, including:
- Conduct a risk assessment and establish an organizational cybersecurity program
- Adopt a clear and comprehensive cybersecurity policy
- Appoint a Chief Information Security Officer (CISO)
- Notify the state’s Superintendent of Financial Services of any cybersecurity events, such as data breaches or hacks, whether successful or not
- Ensure that their business associates also adhere to security regulations
- Implement specific controls such as encryption, multi-factor authentication for remote access and limits on privileged access
- Train staff on cyber risks and security policies
- Monitor their information systems and conduct periodic testing
As with efforts to comply with HIPAA, it will take considerable time and firm resources for financial services providers to meet the stringent cybersecurity regulations that will apply to them. The legal profession can expect the same level of challenge when their turn comes. The fact is, creating a secure environment for sensitive information is a difficult and expensive undertaking – but one that is absolutely necessary.
Financial services providers hold all the personal data needed to commit theft and identity fraud on a massive scale, so securing this data and the systems that store and transmit it is an obvious necessity. But hackers are no longer limiting their goals to illegally accessing social security and credit card numbers; they’re going after everything. In the eyes of a cyber criminal, law firms represent a treasure trove of information about the stock market as well as personal communication that can be used for blackmail.
The U.S. has a national cybersecurity framework – a voluntary but highly specific set of guidelines that, like HIPAA, can be used to build a formal cybersecurity program. At Kardon Compliance we utilize this framework to create strong cybersecurity programs for our law firm clients, for whom – also like HIPAA – adhering to its many facets poses some difficulty. For clients in every sector, we share three basic truths about operating within a proper cybersecurity program:
- It will not be convenient. Making it harder for hackers to get into your info means some things will be harder for you.
- It is not optional. Regardless of your role in the company, from janitor to CEO, you must follow the same rules as everyone else. If there is even one loose end or opening, hackers will find it.
- You can still do your job. Though it will be a bit more cumbersome, any cybersecurity program should still allow you to accomplish the things you need to accomplish.
Protecting your company and your clients through a rigorous and comprehensive cybersecurity policy is a priority too important to ignore. While some degree of inconvenience and added expense is unavoidable, the risks of failure to create a secure environment vastly exceed these considerations. Legal practitioners, financial services providers and others who handle sensitive data should prepare for a HIPAA-like experience as we collectively face the growing threat of cybercrime.
Donna Grindle is the owner and president of Kardon Compliance. Her 30 years of professional experience include titles such as Programming Manager, Customer Support Manager, Director of Operations and Vice President of Operations before she started her own technology company in 1998. Donna has helped many kinds of small businesses over the years, with an extensive background in the Healthcare IT niche, and has spent most of her career as an IT Consultant specializing in the private practice and business associates segments of healthcare.