It started with Europe’s General Data Protection Regulation (GDPR). The GDPR went into effect in May 2018 with the purpose of protecting personal data and requiring more transparency from any organization that communicates with people in the EU. Its stringent data compliance and protection rules also apply to U.S. companies that process personal information and either monitor EU residents or offer products or services to them.
This is just one example of the stronger cyber regulations taking hold in our increasingly digitized world. Businesses in all industries, especially those that handle significant customer data and sensitive consumer information, would do well to take note of the GDPR requirements. If you haven’t already done so, now is a very good time to be working toward a GDPR-compliant cybersecurity strategy that takes these requirements, and the other regulations described below, into account.
1. More on GDPR
GDPR is fundamentally reshaping how all sectors of business approach data privacy and protect data security. To comply with the EU data protection rules, an organization is obligated to:
- Appoint a Data Protection Officer (DPO);
- Implement technical and administrative measures for data security and be held legally accountable for compliance;
- Deploy data protection impact assessments; and
- Report any security breach to authorities within 72 hours, while communicating risks to individuals whose data might have been lost.
Do you need a Data Protection Officer? To better understand the type of organization that would require the appointment of a DPO, think of a hospital that processes large sets of sensitive patient data, a security company responsible for monitoring shopping centers and public spaces, or even a small recruiting firm that profiles individuals on a regular basis. The penalties can be harsh for companies that fail to comply with the GDPR—up to 4% of annual global sales.
2. California Consumer Privacy Act (CCPA)
This data privacy regulation is the first U.S. law that follows directly in the footsteps of the GDPR, and it’s far-reaching. Businesses both inside and outside of California will be affected by the requirements of the California Consumer Privacy Act when it takes effect in January 2020.
The CCPA regulation extends privacy protections and rights to all California residents, defined as anyone “enjoying the benefit and protection of laws and government” in California. It will grant consumers new rights with respect to the collection of their personal information. The law affords consumers the right to find out who has access to their personal data and the ability to stop data from being sold or transferred to third parties through an opt-out capability. If you sell a product or service (through any channel, including reseller or third party) anywhere in California, you will be required to comply—with a few exemptions for smaller businesses.
3. SEC Cyber Attack Guidance
Although not a regulation per se, the U.S. Securities and Exchange Commission’s 2018 guidance update put an emphasis on cybersecurity policies and procedures that cover incident response, disclosure, and more robust and integrated risk management programs. This guidance serves as an important roadmap for businesses in assessing and addressing key security, privacy, data integrity, and regulatory compliance issues. It may be a good indicator of what’s to come from the SEC in response to the continued uptick in financial sector data breaches and investors seeking assurances of sound risk management practices from public companies.
4. 23 NYCRR 500
New York State’s Department of Financial Services Cybersecurity Regulations (23 NYCRR 500) went into effect in March 2017, but required covered entities to be completely compliant by March 1, 2019. The regulations essentially require financial institutions, including those in banking, insurance, and financial services, to assess their cybersecurity risk profiles and implement a comprehensive plan to effectively protect consumer data privacy.
The regulations call for companies to:
- Conduct regular security risk assessments,
- Maintain audit trails of asset use,
- Create defensive infrastructure,
- Develop cybersecurity policies and procedures, and
- Maintain an incident response plan.
5. State Regulations
In the absence of sweeping federal law, states are implementing their own measures to improve security infrastructure, encourage best practices in cybersecurity, and apply better measures for consumer data privacy in the private and public sectors. California and New York have taken the lead on cybersecurity, but it’s only a matter of time until more states follow suit.
The GDPR, CCPA, 23 NYCRR 500, and other regulations may signal a coming global standard for data protection. Organizations that don’t have a sound cybersecurity plan in place and that don’t get on board with these regulations could be leaving themselves open to attacks and legal issues.
Cybint recognizes the challenges executives face in addressing today’s cybersecurity risks as regulations grow in complexity and frequency. We are here to help you better understand how cybersecurity issues impact your organization and learn to manage your organization’s cyber risk. Reach out to a Cybint representative to get started.