Here’s What Each Industry Should Know.
Who is responsible for protecting clients, employees, and customers on the internet?
Well, it depends.
Educational institutions, healthcare organizations, governmental divisions, and businesses across all industries are targets for cyberattacks. More and more organizations, of every size and in every industry, are being caught in the crossfire between cyberattacks and the responsibilities that come with them.
Who shoulders the responsibility for user data?
It’s easy to read articles about weak passwords, phishing emails, and human error and blame the average user for being the source of an attack. And while in some cases a single account is the entry point for a damaging attack, this doesn’t mean the responsibility rests with individuals. The problem of compromised credentials is much larger than one weak password, and it can only be solved with organizational involvement.
In many cases, the onus to protect data falls to the organization itself, even if users are the “source” of the problem. Privacy laws are more practical to enforce when this is the case. In different industries, a variety of acts determine how enterprises must safely store and protect PII:
Businesses & the FTC
The Federal Trade Commission (FTC) is the governing body most often responsible for enforcing consumer privacy laws, including digital cases. Over the past two decades, the FTC has taken several internet behemoths (like Google and Facebook) to court for misrepresenting user-facing privacy policies and fined them billions of dollars.
As recently as last year, the FTC updated the Safeguards Rule to reflect the need for additional standards of cyber safety for financial institutions (everyone from mortgage brokers to automotive dealerships). Becoming FTC-compliant involves training employees on safer internet practices, having an IT employee and a plan, and reporting each year, to name a few of the requirements. Companies that don’t comply run the risk of being fined or becoming party to a lawsuit.
Healthcare & HIPAA
Healthcare organizations and hospitals across the country are juicy targets for cybercriminals, for several reasons: they hold massive amounts of patient data, from contact information to insurance plan numbers, and many facilities are operating with outdated technology and legacy systems. But healthcare organizations are legally obligated to protect patient data under the HIPAA Privacy Rule. Facilities that do not comply are at risk of lawsuits and fines.
Within the Privacy Rule, HIPAA provides some sweeping recommendations for password security, but the real, practical guidelines healthcare organizations rely on are provided by the Health Information Trust Alliance (HITRUST) and by NIST.
Educational Institutions & FERPA
Much like healthcare organizations, educational institutions of all sizes, and in all regions, are being targeted by cybercriminals. School districts, K-12 schools, and colleges are all at risk; like hospitals, they are rich sources of personal data that hackers are eager to obtain. The need for digital security in schools has increased over the last three years due to the pandemic, which forced many classrooms into the virtual realm.
Student education records and PII are protected by the Family Educational Rights and Privacy Act (FERPA) and by the Protection of Pupil Rights Amendment (PPRA). But in many cases it’s a challenge for educational institutions to know how to enforce cybersecurity policies, especially if they are underfunded, which is the case for many public institutions.
While organizations in every industry need to be held accountable for protecting client, employee, and customer data, the reality is that it’s not going well. Breaches are still happening daily, and companies are struggling to stay a step ahead of the cyber threats that surround them.
So to protect user data and privacy, and to avoid lawsuits and fines from their respective governing bodies, companies, hospitals, and schools of all sizes have to prioritize cybersecurity. Allocating both IT team time and budget is the first step.
Fortunately, there are cybersecurity guidelines that apply to all industries. Strengthening the password layer, requiring MFA, and screening for compromised credentials are three steps that, if adopted, could change the game. Let’s shore up defenses across the board.