Companies across the nation are coming to grips with new privacy standards implemented by local, state, and even foreign governments. The city of Washington D.C. is the latest in a growing list of governments to enact legislation intended to protect the confidentiality of their constituents' personal data.
Few companies in Washington DC are likely even aware that if they are breached, they could be subject to fines for not taking "reasonable" IT security measures to protect their clients' data.
The good news is that MSP IT services can reduce the organizational burden of complying with data security standards, a burden that grows more complex every year.
In 2019, the mayor of D.C. signed the Security Breach Protection Amendment Act of 2019, updating the previously implemented (2007) Consumer Security Breach Notification Act.
And as recently as March 2020, in the midst of the COVID-19 challenges, the DC legislature amended this act with significant overhauls which included the expansion of what "personal information" means, updates to notification requirements, and more.
In concise terms, the new legislation provides the District of Columbia's Attorney General (AG) broader authority to prosecute companies that do not take "reasonable" IT security measures to protect their clients' data.
The AG can now, under the District's Consumer Protection Procedures Act, fine businesses that fail to manage their data protection adequately.
Similar to the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the new D.C. law applies to companies that do business with D.C. residents.
Previous privacy law defined Personally Identifiable Information as any one of the following:
In addition to the earlier list of PII (Personally Identifiable Information), the new DC legislation takes more recent data use into consideration and adds genetic profiles, biometric data, health information, military ID numbers, and passport numbers to the list of PII that a company must protect.
New compliance requirements have been designed to help enforce the protection of this information.
Under the new law, a data breach can be described as the unauthorized access of electronic personal information.
Examples include access to personal financial information, health records and government-authorized identification numbers.
Data breaches can occur in a company as a result of:
Proving compliance can be a challenge for businesses that don't have the resources to hire in-house cybersecurity teams.
In this case, business leaders have been turning to third-party Managed Service Providers to help protect their business operations and implement cybersecurity features such as cloud-based, encrypted data backup and disaster recovery protocols.
These information technology specialists are trained and equipped to set up concentric rings of security around a company's information infrastructure.
Managed Service Providers (MSPs) deliver proactive IT management, support, help desk services, and cybersecurity services to businesses within a flat-rate, monthly subscription payment model.
These IT professionals work diligently to secure and optimize a company's IT network - which houses the PII of clients.
The following is a selection of common services provided by an MSP:
Managed IT services providers deliver customized pricing for each client, so it is impossible to publish a single price on a website that applies to all companies.
Each business has its unique blend of technology assets within its IT environment that support the workflow of the company.
An MSP does a thorough survey of a company's IT infrastructure, applications, and cloud assets to determine what must be implemented and monitored on an ongoing basis to achieve industry-standard cybersecurity and legislative compliance.
Pricing is factored from that discovery process based on the complexity of each company's IT setup.
A Managed Service Provider (MSP IT) brings a full stack of IT security solutions to the table that work in concert to protect your business technology.
A managed services team partners with companies like yours and provides a roadmap to compliance, implementation of compliance protocols, and monitoring / reporting as needed for compliance documentation.
According to the OAG (Office of Attorney General) website, "No breach occurs under the law if the personal information has been rendered secure (e.g., through encryption or redaction) and unusable by a third party."
What does that mean?
Even if the bad guys do get access to your company's network and steal information, it is not considered a "data breach" under the new law if the data that has been stolen is encrypted and is unusable by the criminals.
That's why encryption is the key to compliance with DC's new legislation.
Encryption is the last line of defense for your clients' PII.
A data breach needs to be reported when it has been determined that the personal information of a client (or clients) has been mistakenly released or accessed by unauthorized individuals.
Once you have confirmed that there indeed has been unauthorized access of customers' data, it's time to report that breach in compliance with the law.
You must report the breach to the affected customers and to the Office of Attorney General of DC by emailing databreach@dc.gov.
Further instructions regarding what the notice to customers and the OAG should contain are found on the OAG DC website.
As we have already noted, partnering with an MSP to access their cybersecurity expertise and management is an important step toward compliance with DC's new privacy regulations. It also helps with compliance in other states and countries.
Why?
Because hiring a third-party management firm to secure and monitor your network gives your compliance efforts credibility.
And...
Because a managed services team specializing in cybersecurity stays current on data threats existing today along with horizon-level threats.
A Managed Service Provider (MSP IT) helps you stay compliant by implementing the following proactive IT management services:
Compliance isn't simply about avoiding the reputational loss and financial cost of a catastrophic data breach. The same solutions used to bring your business operations into compliance are the same solutions that deliver some significant business benefits as well:
Looking for an MSP partner that understands compliance with privacy legislation? The Ntiva team works with businesses just like yours every day to help them stay secure, productive, and compliant. Call or email us to begin a no-obligation conversation!