GDPR and Cyber laws

While the General Data Protection Regulation (GDPR) applied only to EU nations, several similar attempts to protect consumer information were floated in Congress and the States. The GDPR was created to focus computer companies and others who collect private information via the Internet, to place privacy and safety of consumer’s information at the top of the priority list. Among those proposed acts include requiring the Federal Trade Commission to establish new privacy protections for consumers who use services delivered within a software program.
‍

Many states have introduced legislation to mirror the GDPR. Others, like California and Vermont, have expanded beyond the GDPR’s required notice of breech. Those laws require heightened transparency and control of data processing operations.  All 50 states, and some territories, have expanded the definition of personal information in their cyber laws within the last year or two.
‍

Other key state provisions worth noting include Alabama’s requirement that companies dispose of data by shredding, erasing or otherwise modifying sensitive personal information (including health information). Louisiana now has a similar data destruction rule. Other states, including Oregon, have shortened the notification period for companies doing business in their state to report data breeches to consumers.
‍

Additionally, the topics of legislation that states introduced but did not pass on cyber security may indicate legislative priorities for 2019 and beyond. Those topics include: better funding for cyber security education; creating a statewide cyber security network; creating task forces to further study potential threats on the state level; adding computer crimes to the RICO statutes (regarding organized crime) and creating cyber security innovation funds to further research in to better response methods.
‍

New Jersey, and several other states, moved to create a fund whereby companies could access money to update their cyber security efforts. Pennsylvania moved legislation to make it impossible for state employees to use non-secure mobile technology helping to ensuring data breaches could be contained within the state computer system. Virginia also moved to created a fund for increasing training, as well as a veteran’s fund for those wanting to enter the Cyber security field.
‍

As the internet of things continues to expand, so too do efforts by congress to set standards for vendors that require hardware and software protections (such as digital signatures and authentication protections). This legislation was also introduced in California.
‍

On the State level, many states like Georgia, have heightened the punishments for hacking. Interestingly, this law has raised concerns that white hat hacking, those who find flaws or soft spots in a public system so as to increase the public good (by finding methods to shore the soft spots up) is not excepted from the law’s coverage.
‍

Colorado has also increased punishments for cybercrime and has added additional crimes of using a computer to engage in prostitution of a minor. Illinois has created a new crime of cyber extortion, whereby ransomeware would be considered extortion (by holding a person or company’s computer systems hostage until an amount is paid to the hacker). Maryland also introduced similar legislation. New York introduced similar legislation and also introduced legislation specifically aimed at spyware. New York also added additional details to its laws on phishing – using a computer to fraudulently gain personal information from a consumer.
‍

All of these laws, pending, past and to be introduced, show that financial advisors need to place the privacy of their client’s information at the top of the priority list. Any plans to build new databases or dashboards on existing databases should start with privacy as the first critical inquiry.