Crafting a Customized Cybersecurity Defense Posture: A Legal Perspective

Protecting your data and your customers’ data is no longer just a matter of best practice — it’s a legal imperative. With federal and state statutes such as the Gramm-Leach-Bliley Act (GLBA) and the California Consumer Privacy Act (CCPA) setting out guidelines for cybersecurity, it’s crucial for businesses not only to safeguard their own and their customers’ data but also to ensure compliance with these regulatory frameworks. Your defense posture is a key determining factor in data breach liability cases, so getting it right is mission critical. However, achieving this isn’t as simple as adopting a one-size-fits-all approach.

The fact of the matter is that non-compliance with these statutes carries heavy risk, not just in the form of a potential enforcement action, but in punitive liability as well. If your business is the target of a cyberattack or suffers a data breach, and an audit shows that you ignored or failed to adequately implement the safeguards required by statute, a class action lawsuit has significantly stronger grounds for punitive relief against your company.

One size defense posture doesn’t fit all

I recently had the opportunity to speak with Jenifer S. McIntosh, a lawyer with Stinson LLP, about the challenges businesses face in creating cybersecurity defense postures that align with GLBA, CCPA, and other relevant regulations (e.g. NY DFS 500). According to McIntosh, these statutes provide guidelines rather than rigid templates for cybersecurity plans, emphasizing the need for customized approaches tailored to each organization’s unique digital landscape.

“GLBA and CCPA only set out security guidelines in the statutes and the regulations,” explains McIntosh. “It would be highly problematic to require all organizations to follow the same exact plan.”

This sentiment underscores the importance of conducting a thorough assessment of a company’s digital and physical data environment and overall defense posture.

Every company “will need to do an assessment of its digital and physical data environment (the software, databases, infrastructure, service providers, applications, and hardware [it] uses, unique to [your company]) to determine what the ‘plan’ will need to look like and what protections it needs to implement specific to [your company], which is then what the company’s other policies are built out from to document actual practices,” McIntosh advises.

This approach ensures that cybersecurity plans aren’t just theoretical documents but practical frameworks that reflect the organization’s actual practices and capabilities. McIntosh warns against the dangers of misrepresentation, urging businesses not to document practices that haven’t been implemented:

“Please, above all, do not document practices as having been implemented if, in fact, those protections are something the company does not do,” she cautions. “That will not go well in any audit nor does it look good to regulators, investors, or in a data breach.”

You don’t want to get sued… so what do you do?

So, where does this leave businesses seeking to establish a robust cybersecurity defense posture? It starts with crafting comprehensive Information Security Policies that outline the organization’s security processes and tools. However, McIntosh emphasizes the importance of collaboration between legal, IT, and leadership teams to ensure alignment with regulatory requirements and operational realities.

“Now, if [your company] has controls in place around the data, and you are just looking for an umbrella document to set out what the business is doing to put a cybersecurity program in place, then the ‘Information Security Policy’ document is where the company can start,” she suggests.

While the Information Security Policy document is a great place to start, it’s not a silver bullet. The path to effective cybersecurity isn’t a one-stop shop — it’s a journey of customization and collaboration. Businesses must take proactive steps to assess their digital infrastructure, align their practices with regulatory requirements, and document their cybersecurity defense posture accurately. This is where we can play a pivotal role in helping you do just that.

At Leverage Technologies, we specialize in helping small and medium-sized businesses assess, design, and implement customized cybersecurity defense postures that not only protect their data and customers but also ensure compliance with federal and state statutes. Drop us a line today to learn how we can support your cybersecurity journey and safeguard your business against emerging threats.