With no national data privacy law in sight, many companies are faced with a patchwork of state laws, various international data regulations and industry-specific federal laws that can become cumbersome to comply with. In response, Harris Beach attorneys created CyMetric, a regulatory compliance tool that drafts policies and controls for companies to meet the variety of regulations.

CyMetric is cloud-based software financially backed by New York-based Harris Beach subsidiary Caetra, an entity geared toward compliance and reducing risk.

Harris Beach member and CyMetric chief development officer Alan Winchester said the idea for the product came up three years ago. While drafting compliance policies for clients, he noticed many of the policies required analysis of the law and not specifics about a client company.

He thought constructing a compliance policy could be simplified for clients and offered at a lower cost than a lawyer's hourly rate.

By the end of 2018, CyMetric was available for licensing and public use. While an outside software developer created the software's user interface, CyMetric's policy controls, essentially the actions needed to conform to a regulation, were researched and analyzed by Harris Beach attorneys.

Users fill out a short form describing what data their company stores, the data's risks and which regulations they want to comply with. With a click of a few buttons, the user receives a report listing the controls the company needs to enact to comply with one or more regulations.

“This process, by centralizing and organizing it, creates more operational gains for a complicated process,” noted Caetra president Michael Compisi.

The software, Winchester explained, is also beneficial to lawyers because it's “moving the legal engagement a little more downstream” and allows counsel to focus on finding solutions for more challenging issues their clients face.

CyMetric includes compliance controls for the General Data Protection Regulation, Health Insurance Portability and Accountability Act, New York State Department of Financial Services Cybersecurity Regulation and other laws. Winchester acknowledged the list of regulations is not exhaustive; if a user needs to comply with a regulation not currently listed in the software, Harris Beach attorneys can research the law and add it to the software in roughly 30 days.

The controls are also updated when new amendments or case law affect a regulation, Winchester added. Users are notified of such changes, though they can decline to update their controls. Additionally, there are plans to allow users to add contract compliance controls into the software, as companies are held to both regulatory and contractual demands.

As regulatory and cybersecurity requirements grow, technology provides the efficiency to quickly assess what controls can be placed on data to make companies compliant, Winchester noted.

“[It] would have taken a month to [understand how to make] a new system compliant with the law,” Winchester noted. Now, it only takes a few keystrokes.