Managed IT Solutions Blog | ThinkSecureNet

House Bill 180 and How to Protect Your Personal Information Online

Written by ThinkSecureNet | July 15, 2021

WGMD Business Spotlight Featuring ThinkSecureNet – Episode 07/15/21

Interviewer: All right, folks. ThinkSecureNet has joined us again today, and we’re going to talk about something that is, quite frankly, one of the most important topics in business today — and that is the obligation to maintain privacy data that is under the care of your organization.

In the studio, we have Jack Berberian, CEO and co-founder, and Mark Kosloski, Vice President of Sales. You’re going to want to listen up to this.

Now, Jack and Mark, welcome to both of you again. 

Jack: Thank you for having me. 

Interviewer: As I understand it, here in Delaware, we’ve enacted House Bill 180 that covers the protection of private information. What exactly is House Bill 180?

Jack: House Bill 180 requires any person that conducts business in Delaware and owns licenses or maintains personal information to implement and maintain reasonable procedures and practices to protect personal information.

Interviewer: All right. Mark, what constitutes personal information?

 

 

Mark: That covers a lot of areas. Personal information can be defined as first name, last name, any combination of a security number, driver’s license, or something unique to that individual. 

Some of the recent breaches you hear about in the news are often [people’s] usernames, and that could be used for other locations, sites, and things to gain access to. And of course, health information has long been protected, even beyond HB 180, federally.

Interviewer: I’m just wondering about House Bill 180. Does that occur this year? 

Mark: Yeah, it came about in 2017. They recently made changes to include biometrics and some other really key components. So, it’s been updated just as recently as, I think, this year. 

Interviewer: All right. Well, I’m glad to hear that as a consumer.

Jack, what would be considered reasonable procedures and practices for a company to institute?

Jack: It really depends on the size of the business. You can start with simple things like changing your password, enforcing password changes. You can change your wireless password so that you don’t have the standard one that Comcast gives you — or whatever the wireless provider was that came in and set up your wireless.

You can set up a separate profile, and that basically means when you log into your computer, instead of logging in as Jane, you log in as Jack. Just keeping that separate profile because your kids are also using the computer and introducing all kinds of viruses, malware, and other things that you may not be aware of. 

As you scale your business and you get a little bit bigger, getting a VPN solution in place will give you secure connections. Encryption is very affordable these days. It’s not like it used to be; most of your computers actually have it embedded inside of your computer. So the software is already there. You just have to know how to turn it on. Just don’t forget your password, and make sure that you limit the amount of data that you’re actually sending out. 

When you’re emailing anything, understand that when you email outside of your address and you’re emailing another individual, that information is usually in the public domain. Unless you have a secure email, don’t send your driver’s license, credit card number, social security, all that personal information. It’s just something that shouldn’t be done. 

And Delaware was actually one of the first states that took the leap. They enacted this legislation a couple of years ago and really set the standard for the rest of the states. They took some of the legislation from HIPAA and applied it to the state, and it’s been great. It’s good to see. 

Interviewer: That’s great. Now, this sounds really expensive.

Mark: It’s not as expensive as you might think. As Jack says, we can scale the solutions to your organization, and we can accommodate what’s necessary. I think the important thing is understanding the discovery and implementing what’s appropriate based on the type of information you have and how you need to protect it. 

But, you know, it’s always cheaper to do it right. The first time you measure twice, cut once, right? You wouldn’t trust your landscaper or your unemployed son-in-law to do your taxes or defend you in court. Have a professional really take a look at how you’re providing security and protecting your information. 

And then, of course, if you encounter or have a breach, the fines, the liabilities, the remediation, that’s going to be necessary. That’s going to be far more costly. I mean, we’re not talking thousands, maybe hundreds of thousands, and even into the millions.

Interviewer: You’re talking about when they have to pay a ransom?

Mark: Well, not just ransom. There’s also the compliance aspect of it. It could be $50,000 just here in Delaware for the release of this information. 

Then there’s another thing: it’s your brand and your reputation at stake here. If you have a breach of more than 500 individuals, you’re obligated to report that breach to the attorney general. The attorney general’s going to enforce a notification to all of those individuals that are affected. And then your name and organization get posted to the website for everyone to see. We call it the wall of shame. 

So, the costs don’t always come up to dollar value. It can be your reputation. And that’s a critical thing when you’re trying to start up your business and keep it going well.

Interviewer: I think that Delaware has a lot of financial businesses in the state, and a lot of companies are incorporated in the state of Delaware. I’m glad to see that they took the lead in this House Bill 180.

Back to you, Jack. What do you need to do if you fall victim to an incident, a hack?

Jack: Yeah. So, Mark was talking about a couple of different reporting responsibilities. Depending upon the type of business you’re in, it’s really going to make a difference in how you need to report and what you need to do during that incident. 

One of the examples he gave was the wall of shame, which speaks directly to healthcare facilities. You can go, and you can actually type in “wall of shame.” And there you can see all of the organizations that have had a breach of 500 records or more. 

The first thing you have to do is actually have an incident plan. It sounds complicated. It sounds expensive. You can download one online for free and model yours after someone else in your vertical. You don’t have to start from scratch. You don’t have to pay somebody thousands of dollars to create it, but have a plan and practice it. 

In other words, if something does happen, these are the steps we will take:

Who is going to respond? Who’s going to report it to the attorney general? Who’s going to notify the media? Who’s going to call the credit agency? Who’s going to notify the people? What is the letter going to be? 

And then, obviously, figuring out what are you going to do with your reputation, right? Cause that’s the biggest hit. 

So, you want to make sure that you have a plan that’s comprehensive, and you should definitely get a cybersecurity policy as well. They’re not very expensive. Call your local insurance agent and get a cybersecurity plan; it’s probably going to cost you a few hundred bucks a year.

Interviewer: So, you can get an insurance plan? If something like this happens, your insurance pays for it? How long has this been in operation, insurance plans for cybersecurity? Ten years, twenty years? 

Jack: No, they haven’t been in place for ten years. I would say we first started seeing them about seven, eight years ago. And people still don’t get them, and I just don’t understand why because the cost to actually recover from a breach is usually four or five times the amount of the fines you’re going to get. The cost of paying the fines is minuscule compared to what you have to do to actually recover.

Interviewer: Gotcha. But I would think that if you did have an insurance policy and something happened, the insurance company is going to want to know if you had some things in place, or they might not pay out?

Jack: They’ll actually ask you every year. They asked me to fill out a questionnaire to make sure you have a secure connection, that you have somebody managing and monitoring. 

Interviewer: Or they’re not going to insure you, right?

Jack: That’s right. You’ll just pay ten times.

But you know, you can actually get a deduction. You can get a discount for some of the implementation recommendations you made. The VPN having multiple-factor authentication, things like that actually could drive a 25% discount on some of that cybersecurity insurance.

And on your general liability policies as well, it can drive down all of your files. So that’s a no-brainer, I would think. 

Interviewer: Right. It shouldn’t be. Yeah. Gotcha. Well, look, it’s a no-brainer to have car insurance, but not everybody gets it. 

So, we’ve talked about Delaware being a leader in this kind of process. Does this carry over to other states or nationally? I know you said some states weren’t on board yet.

Jack: There’s a handful of states that have enacted something similar to HB 180, but you’re going to see a lot more coming down after President Biden’s recent executive order to protect data. You’re going to see all the states getting on board now.

Interviewer: All right. How can our listeners learn more about all that we’ve talked about here today?

Jack: The best thing to do is go to our website. It’s www.ThinkSecureNet.com. There are white papers there; there are checklists you can download. That will help you analyze what you need to look at. Check out our blog. We’re always adding content there. Or you can call us at (855) 645-8647. Our team of professionals will help you through all the compliance questions you have.

Interviewer: So a lot of freebies on the website just to get familiar with the topic and then make the phone call, right?

Jack: Then make the phone call. 

Interviewer: Well, guys, Mark and Jack, thank you so much. ThinkSecureNet.com. We’ll see you next week. Same time. Same place. Thank you. Take care.