Cybersecurity Law: Am I Legally Required to Protect Client Data from Cyber Attacks?
When we think of “cybersecurity laws,” we often think of national security and the protection of critical infrastructure upon which we all rely. However, data security laws also apply to businesses handling sensitive client information. As noted in previous articles from our Cybersecurity Awareness Month series, interior designers handle quite a bit of personally identifiable client information. From gate codes to home addresses, they store some of our most sensitive data.
As an interior designer, you might have asked yourself how far you must go and which cybersecurity measures you must implement to protect client data from theft and your firm from prosecution. Interior design firms—like other businesses—have a legal responsibility to protect client data, which includes safeguarding against cybersecurity threats. The extent and specifics of this responsibility can vary based on jurisdiction, local regulations, and the nature of the information collected. Let’s take a closer look.
Am I Legally Required to Protect Customer Data from Cyber Threats?
Every design firm is required to protect client data. The extent to which designers must protect client data—and the steps they must take if that data is compromised—differ from one state to the next. Depending on the jurisdiction, there may be laws and regulations that mandate the protection of personal information.
For example, there’s a patchwork of state-specific data breach notification laws in the US that require businesses to notify affected individuals of certain types of data breaches. While there isn’t a single overarching federal law for all types of businesses, specific sectors—like healthcare or finance—have dedicated regulations. If companies are found negligent, the Federal Trade Commission Act empowers the FTC to take action against those companies. The Infrastructure Security Agency or Securities and Exchange Commission might also get involved.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to many private-sector businesses. Provinces and territories might take data security a step further with their own laws designed to help mitigate identity theft and protect consumers against unfair or deceptive acts. In both the US and Canada, client contracts may specify certain security measures or protocols that an interior design firm agrees to adhere to—especially if dealing with high-profile clients or specific types of sensitive projects.
Some professional associations or licensing bodies also have ethical or professional standards that their members must adhere to, which could include guidelines or best practices for data protection. Certain sectors face heavier obligations still: regulated financial institutions and credit reporting agencies, for example, are subject to a wider range of laws and regulations.
Even in the absence of specific regulations, businesses generally have a duty of care to take reasonable steps to protect client data. A security breach could lead to not only regulatory penalties but also civil lawsuits if clients believe the firm was negligent.
Relevant Cybersecurity Laws in the US and Canada
Below are a few applicable laws and regulations that govern how firm owners must handle client data. Most are federal laws that protect consumers from deceptive trade practices, identity theft, and mishandling of client data.
Many states, like California with the California Consumer Privacy Act (CCPA), have their own data protection regulations that businesses must adhere to. However, we have outlined only the overarching regulations that would apply to all U.S. and Canadian businesses.
We have also chosen to include only relevant laws, so any laws that have no impact on interior design businesses will be missing from this list.
Federal Trade Commission (FTC) Act
The Federal Trade Commission (FTC) Act is a U.S. federal statute established in 1914 with the primary objective of preventing unfair or deceptive business practices and promoting competition. The Act established the Federal Trade Commission as an independent agency to enforce the provisions of the statute.
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” This broad provision can apply to virtually any business or profession—including interior designers under certain circumstances. Here’s how the FTC Act might apply to interior designers.
If an interior design firm makes false or misleading claims in its advertising or promotional materials, it could be considered a deceptive practice under the FTC Act. For instance, claiming to have certain qualifications, certifications, or affiliations that one doesn’t possess would fall into this category.
The FTC Act also prohibits “unfair” practices—which are acts or practices that cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid and which are not outweighed by benefits to consumers or competition. If an interior design firm were to engage in practices that fit this description, they could be in violation of the Act.
In some cases, this can refer to data security. The FTC has taken action against businesses that fail to adequately protect consumer information, viewing such failures as unfair business practices. If an interior design firm collects and stores personal or financial information from clients, it’s essential that they have appropriate security measures in place.
If an interior design firm conducts business online or engages in e-commerce, there are additional considerations related to online privacy, data security, and digital advertising. The FTC has guidelines and regulations for online activities, and interior designers would need to be aware of and compliant with them.
The Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA)
Established in 1970, the FCRA promotes accuracy, fairness, and privacy of information in the files of consumer reporting agencies, often referred to as credit bureaus. Among its many provisions, the FCRA sets guidelines for how consumer reporting agencies can collect, disseminate, and use consumer information. It also provides consumers with rights, such as the ability to view their credit report, dispute inaccurate information, and be informed if the information in their report has been used against them.
FACTA was enacted in 2003 as an amendment to the FCRA. It was primarily designed to help consumers prevent identity theft. One of the most recognized provisions of FACTA is the “Red Flags Rule,” which requires certain businesses and organizations to implement a written identity theft prevention program. FACTA also provides for consumers to receive one free credit report per year from each of the major credit bureaus. Another notable provision is the requirement for truncation of credit card numbers on electronic and paper receipts to the last five digits or fewer.
While these laws are largely directed toward credit bureaus, covered financial institutions, and certain other businesses, there are a few ways they could be relevant to interior designers. If an interior design firm bills clients over time and allows them to maintain an open account, it might fall under FACTA’s “Red Flags Rule.” In such cases, the firm would need to have procedures in place to detect and respond to “red flags” that might indicate identity theft.
If the firm accepts credit card payments, FACTA requires that only the last five digits of the card number—or fewer—be visible on receipts given to the cardholder. Both the FCRA and FACTA have provisions related to the safe disposal of consumer information. If an interior design firm collects sensitive personal or financial data from clients, it needs to ensure that information is discarded securely.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA, the Health Insurance Portability and Accountability Act of 1996, primarily addresses the protection and confidential handling of protected health information (PHI). At first glance, it might seem that HIPAA would not make our list of data and cybersecurity legislation relevant to the work of interior designers. However, there are scenarios in which the worlds of healthcare and interior design intersect, and in these cases, certain aspects of HIPAA could come into play.
If an interior designer is involved in designing a healthcare space, such as a doctor’s office, clinic, hospital, or other healthcare facility, they might come into contact with areas where PHI is stored or accessed. While the designers themselves might not be directly accessing PHI, they should be aware of the importance of privacy and security regulations to ensure the spaces they design maintain patient confidentiality.
While designing spaces, interior designers could learn about specific patient needs, health conditions, or treatment areas that might indirectly indicate the type of services a patient is receiving. Even if this information isn’t detailed medical records, it’s crucial to handle such knowledge with care and discretion.
Part of HIPAA’s Security Rule involves implementing physical safeguards to protect PHI. An interior designer working on healthcare spaces can play a role in this by considering secure areas for storing PHI, ensuring there’s adequate privacy for areas where patient information is discussed, and incorporating designs that limit unauthorized access.
Personal Information Protection and Electronic Documents Act (PIPEDA)
As some of our readers are Canadian, we will take a brief look at international laws. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs the collection, use, and disclosure of personal information in the course of commercial activities by private sector organizations. PIPEDA applies to personal information collected, used, or disclosed by private-sector organizations during commercial activities—regardless of the industry they are in. The law is designed to protect Canadians from identity theft and other consequences of data loss.
Interior designers, like other professionals and businesses operating in the private sector in Canada, could be subject to PIPEDA if they collect, use, or disclose personal information in the course of commercial activities. This might include client names, contact details, preferences, or any other personal data collected during the course of business. Even if designers engage in interprovincial or international transactions, PIPEDA still applies to personal data that are collected, used, or disclosed across provincial or national borders.
For interior designers in Canada, this means that they must obtain client consent when they collect any type of information—not just personally identifiable or sensitive data. They can use personal information only for the purpose for which it was collected. Designers need to protect personal information using appropriate security practices. Clients have a right to access their personal information held by the designer and can challenge its accuracy. They also have the right to know why their personal information is being used and to whom it’s disclosed.
When and How Are You Required to Notify Clients After a Data Breach?
The requirements for notifying clients after a data breach vary by jurisdiction and by the specific regulations that apply to a particular organization. However, there are some general principles and practices that are commonly found in data breach notification laws across different regions.
Timing and Content of Notification
Generally, regulations require that notifications be made “without undue delay” after becoming aware of the breach. Specific time frames can vary. For example, under the GDPR in the European Union, the notification to the supervisory authority must be made within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
When you announce the breach, you must describe what happened, provide information about the types of personal data that were involved in the breach, and explain what the implications of the breach might be for the affected individuals. You must also outline the steps your firm has taken or plans to take in response to the breach.
If relevant, you may provide recommendations for the affected individuals on how they can protect themselves. You must also include details on how affected individuals can reach out for more information.
Who to Notify
Be sure to notify those who were impacted by the breach, relevant regulatory authorities, and partners or other entities. Many jurisdictions require that relevant regulatory or supervisory authorities be notified about the breach. This can vary based on the type of data involved and the sector in which the organization operates. In some cases, other entities like credit monitoring agencies or partners may also need to be informed.
Some regulations have exceptions or thresholds for when notifications must be made. For instance, if the breached data was encrypted and the encryption key wasn’t compromised, notification might not be necessary. There might be thresholds based on the number of individuals affected or the likelihood of harm. For example, a breach that’s unlikely to result in harm to the affected individuals might not require notification under some regulations.
Direct communication methods, such as emails or letters, are typically preferred. However, if this isn’t feasible (due to excessive costs, lack of contact details, etc.), alternative methods like public announcements or notices on the organization’s website might be used. Some laws may stipulate specific methods of communication based on the nature of the breach or the type of data involved.
Organizations are often required to document any data breaches, regardless of whether they were required to notify anyone. This documentation can be crucial for regulatory oversight and potential audits.
Given the complexity of data breach notification requirements and the variation across jurisdictions, it’s crucial for organizations to be familiar with the laws and regulations that apply to them. It’s also beneficial to have a data breach response plan in place so that in the event of a breach, the organization can act swiftly and in accordance with legal requirements.
As always, consulting with legal professionals can help clarify and navigate these requirements.
What Are the Consequences of Non-Compliance with Cybersecurity Laws?
The consequences of non-compliance with cybersecurity laws can be wide-ranging—varying by jurisdiction, the specific law or regulation in question, and the nature and extent of the non-compliance.
Many cybersecurity regulations carry hefty fines for non-compliance. Under the GDPR in the EU, organizations can be fined up to €20 million or 4% of their annual global turnover (whichever is higher) for serious violations.
In the U.S., penalties for HIPAA violations can range from $100 to $50,000 (or more) per violation, with an annual maximum of $1.5 million. Violations of the CCPA in California can result in fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. It’s essential to understand your legal responsibilities to ensure data security under federal and state laws.
Non-compliance can lead to legal actions by affected individuals or groups. For instance, a data breach resulting from non-compliance can lead to class action lawsuits by the affected parties.
In some jurisdictions and under certain laws, egregious non-compliance or intentional mishandling of data can result in criminal charges, which might lead to imprisonment.
Reputational Damage and Remediation Costs
Data breaches or publicized instances of non-compliance can severely tarnish an organization’s reputation. This can result in a loss of customer trust, a decline in business, and damage to brand value.
If non-compliance is identified, the costs associated with becoming compliant can be significant. This might include technological upgrades, legal fees, cybersecurity training, and other associated costs.
Many cybersecurity laws require entities to notify affected individuals in the event of a data breach. This process can be expensive and resource-intensive.
Loss of Business Opportunities
Some industries and clients will only conduct business with entities that adhere to certain cybersecurity standards. Non-compliance can thus result in missed contracts or partnerships.
In some cases, regulatory bodies might force non-compliant businesses to halt certain operations until compliance is achieved. Non-compliance might lead to a revocation of necessary business licenses or certifications.
Increased Oversight, Auditing, and Insurance Premiums
Entities that have been found non-compliant or that have suffered breaches might be subjected to more frequent and rigorous oversight and auditing by regulatory bodies.
Companies that don’t adhere to cybersecurity regulations may see an increase in premiums or might even be denied coverage.
Given the broad range of potential consequences, it’s crucial that each interior design firm invests in compliance and regularly reviews and adjusts its cybersecurity practices in line with current laws and regulations. Consulting with legal and cybersecurity experts can help businesses navigate this complex landscape and minimize risks.