
MSP IT Services - How To Comply with Washington DC Data Security Laws

By Corey Shields | February 9, 2021
Corey is the Digital Marketing Manager at Ntiva, and brings with him over a decade of working in the information technology and services industry.

Companies across the nation are coming to grips with new privacy standards implemented by local, state, and even foreign governments. The city of Washington D.C. is the latest in a growing list of governments to enact legislation intended to protect the confidentiality of their constituents' personal data.

Few companies in Washington DC are likely even aware that if they get breached, they could be subject to fines for not taking "reasonable" IT security measures to protect their clients' data.

The good news is that MSP IT services can reduce the organizational burden of complying with data security standards, which are growing ever more complex.

In 2019, the mayor of D.C. signed the Security Breach Protection Amendment Act of 2019, updating the previously implemented (2007) Consumer Security Breach Notification Act.

And as recently as March 2020, in the midst of the COVID-19 challenges, the DC legislature amended this act with significant overhauls which included the expansion of what "personal information" means, updates to notification requirements, and more.

In concise terms, the new legislation provides the District of Columbia's Attorney General (AG) broader authority to prosecute companies that do not take "reasonable" IT security measures to protect their clients' data.

The AG can now, under the District's Consumer Protection Procedures Act, fine businesses that fail to manage their data protection adequately.

Similar to the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the new D.C. law applies to companies that do business with D.C. residents.

What is Personal Information?

Previous privacy law defined Personally Identifiable Information as any one of the following:

  • Social security number
  • Driver’s license number or District of Columbia Identification Card number
  • Credit card number or debit card number
  • Any other number, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account

In addition to the earlier list of PII (Personally Identifiable Information), the new DC legislation adds more recent categories of data, such as genetic profiles, biometric data, health information, military ID numbers, and passport numbers, to the list of PII that a company must protect.

New compliance requirements have been designed to help enforce the protection of this information.


What is a Data Breach?

Under the new law, a data breach is the unauthorized access to electronic personal information.

Examples include access to personal financial information, health records, and government-authorized identification numbers.


How Does a Data Breach Occur?

Data breaches can occur in a company as a result of:

  • Employee error in handling client information
  • Ransomware attack
  • Industrial espionage
  • Hacking

What Should a Company Do to Comply with the Security Breach Protection Amendment Act?

Proving compliance can be a challenge for businesses that don't have the resources to hire in-house cybersecurity teams.

In this case, business leaders have been turning to third-party Managed Service Providers to help protect their business operations and implement cybersecurity features such as cloud-based, encrypted data backup and disaster recovery protocols.

These information technology specialists are trained and equipped to set up concentric rings of security around a company's information infrastructure.

What is a Managed Service Provider?

Managed Service Providers (MSPs) deliver proactive IT management, support, help desk services, and cybersecurity services to businesses within a flat-rate, monthly subscription payment model.

These IT professionals work diligently to secure and optimize a company's IT network, which houses the PII of clients.

What Does an MSP Provide?

These are a selection of common services provided by an MSP:

What Does Compliance Management Cost? - MSP Services Pricing

Managed IT Services providers deliver customized pricing for each client, so it's impossible to provide pricing that applies to all companies on a website.

Each business has its unique blend of technology assets within its IT environment that support the workflow of the company.

An MSP does a thorough survey of a company's IT infrastructure, applications, and cloud assets to determine what must be implemented and monitored on an ongoing basis to achieve industry-standard cybersecurity and legislative compliance.

Pricing is factored from that discovery process based on the complexity of each company's IT setup.

How Do Managed Services Bring Your Business Systems into Compliance with Recent DC Legislation?

A Managed Service Provider (MSP IT) brings a full stack of IT security solutions to the table that work in concert to protect your business technology.

  • Operational and cybersecurity monitoring
  • Secure cloud-based applications
  • Secure customer collaboration tools
  • Remote systems updates, upgrades, and patching
  • Encryption of data (both in transit and at rest)
  • Encryption of email

A managed services team partners with companies like yours and provides a roadmap to compliance, implementation of compliance protocols, and monitoring and reporting as needed for compliance documentation.

Managed Service Providers Say That Data Encryption is Critical

According to the OAG (Office of Attorney General) website, "No breach occurs under the law if the personal information has been rendered secure (e.g., through encryption or redaction) and unusable by a third-party." 

What does that mean?

Even if the bad guys do get access to your company's network and steal information, it is not considered a "data breach" under the new law if the data that has been stolen is encrypted and is unusable by the criminals.

That's why encryption is the key to compliance with DC's new legislation.

Encryption is the last line of defense for your clients' PII.

When to Report a Data Breach

A data breach needs to be reported when it has been determined that the personal information of a client (or clients) has been mistakenly released or accessed by unauthorized individuals.

Where Do I Report a Data Breach?

Once you have confirmed that there has indeed been unauthorized access to customers' data, it's time to report that breach in compliance with the law.

You must report the breach to the affected customers and to the Office of Attorney General of DC by emailing databreach@dc.gov.

Further instructions regarding what the notice to customers and the OAG should contain are found on the OAG DC website.

How Does a Managed IT Services Provider (MSP) Help You Stay Compliant?

As we have already noted, partnering with an MSP to access their cybersecurity expertise and management is an important step toward compliance with DC's new privacy regulations. It also helps with compliance in other states and countries.

Why?

Because hiring a third-party management firm to secure and monitor your network gives your compliance efforts credibility.

And...

Because a managed services team specializing in cybersecurity stays current on today's data threats as well as emerging ones.

A Managed Service Provider (MSP IT) helps you stay compliant by implementing the following proactive IT management services:

  • Data encryption
  • Proactive IT systems maintenance
  • Secure communication and collaboration solutions
  • Incident response and remediation
  • Compliance monitoring
  • Compliance assessments
  • Compliance reporting

Partnering with a Managed Services Team to Assist with Compliance is Good for Your Business Operations

Compliance isn't simply about avoiding the reputational loss and financial cost of a catastrophic data breach. The solutions used to bring your business operations into compliance also deliver some significant business benefits:

  • Better productivity
  • Lower downtime
  • Higher efficiency
  • Fewer distractions
  • Better cybersecurity posture
  • More secure remote-work options

Looking for an MSP partner that understands compliance with privacy legislation? The Ntiva team works with businesses just like yours every day to help them stay secure, productive, and compliant. Call or email us to begin a no-obligation conversation!