The Oklahoma Bar Journal September 2023
But the entire reason insurance companies ask for policies and procedures, trainings and technical controls is because, in all reality, insureds need them anyway. Here’s just one example as to why: If a company is experiencing a ransomware attack and the perpetrators are on a sanctions list, then insurance companies cannot legally pay the ransom. The point being, prevention is the best medicine because even with all the right coverage in place, the client can still be left holding the bag. Indeed, nearly 60% of small businesses fail following a cyberattack.[19]

LOOKOUT NO. 4: POLICIES AND PROCEDURES ARE BORING BUT IMPORTANT

Policies and procedures are only as good as the paper they are written on. In order to realize their value, businesses must actually operationalize their policies and procedures. This is especially true in the cyber realm. If companies do not think through their cyber policies and procedures, they can face regulatory fines in a growing number of states and countries – and that is disregarding the fact that failing to operationalize data policies and procedures increases the risk of a cyberattack. Standard data privacy policies and procedures inform individuals what categories of data are being collected about them, how that data is being used and with whom the information is being shared.[20] Similarly, data privacy policies and procedures also typically inform individuals that they have a right to know what personal data the company has in its possession, how to correct the data, whom the data has been shared with and, in certain cases, how to have the data deleted.[21] These are common terms and conditions, because nearly every state and international law requires these sorts of provisions.[22] Notice the last sentence omitted “federal law.” This is because the federal government does not have a comprehensive data privacy law requiring anything. Rather, up to now, the federal government’s approach has been sectoral.

For example, your data privacy rights with healthcare providers are generally governed by the Health Insurance Portability and Accountability Act (HIPAA).[23] Your data privacy rights with banks are generally governed by the Gramm-Leach-Bliley Act.[24] But if you share your health information with a general tech company, via your wristwatch, for example, that enterprise does not fall under HIPAA scrutiny; therefore, that information can be bought, sold and traded at will by the company.[25] As a result, many states have stepped in to regulate the data privacy realm. The first state was California, but since then, a total of nine states have gone on to pass some form of comprehensive data privacy legislation.[26] While state laws vary, they generally require the information contained in the aforementioned privacy policies. To determine whether any given state or country’s data privacy law applies to a company, you generally have to ask two questions: 1) Is the client collecting data on persons within the state or country? and
Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.