Operational technology systems used by public and private organizations are now more connected than ever. Modern cybercriminals can disrupt these critical systems and pose major financial risks to these organizations.
The incidence of high-profile security breaches in 2021 was alarming, to say the least. SolarWinds, Uber, and the U.S. Securities and Exchange Commission were just some of the organizations hacked in 2021. In fact, the cost, sophistication, and danger of cybersecurity breaches were the worst ever in 2021.
To combat this unprecedented rise in cybersecurity attacks, organizations now need to address these risks at an equally unprecedented scale. Reviewing the foundational rules and cybersecurity regulations that govern data security is a good place to start.
According to a recent Forbes article, there are some unspoken yet immutable laws of cybersecurity that organizations must understand. They include –
- There are cyber criminals who will deliberately attack any and every vulnerability in your system.
- All technology systems are vulnerable in one way or another. That’s why even organizations like Target or A.B.C., which reportedly follow all data security compliance laws, are at risk.
- Human operators (especially those with no knowledge of data security laws) are likely to fall for phishing scams, impostors, etc.
- More innovation in tech invites more security risks. As organizations enter the age of “IoT,” they’ll discover even more vulnerabilities in their systems.
These “laws” describe the common concerns associated with cybersecurity. But an organization’s ability to properly defend itself from hackers is incomplete without a thorough understanding of global cybersecurity regulations.
Several governments have recognized the impact that cybersecurity risks have on the safety of the economy. Their laws require the leaders of organizations to manage cybersecurity risks in full compliance.
The penalties for non-compliance include heavy fines, the inability to secure lucrative contracts, and more. 2022 will be another year of high-volume hacking.
U.S. FEDERAL CYBERSECURITY LAWS
Unlike many countries (e.g., members of the E.U.), the U.S. has no single federal law overseeing cybersecurity or cyber-privacy. Different states have different cybersecurity laws. This lack of clarity may confuse leaders of private and public organizations across all 50 states. However, there are some critical federal compliance requirements that all organizations in the U.S. must follow. The most critical federal cybersecurity laws include –
The Gramm-Leach-Bliley Act (GLBA)
The GLBA is a data security and privacy law that applies to all financial institutions in the U.S., including –
- Insurance agencies
- Securities firms
- Non-bank mortgage lenders
- Tax preparation service providers
The data security rule (16 C.F.R. Part 314) requires financial organizations to create, implement, and maintain thorough data security programs. These programs must contain physical, administrative, and technical safeguards appropriate to the organization’s size and complexity.
The details of your organization’s data security program must be clearly defined and accessible to auditors. For example, an organization must declare the following while drafting its data security program –
- The nature of its activities.
- The scope of its activities.
- The potential risks facing the customer data collected by the organization.
You can read about the importance of the GLBA here. Financial institutions that fail to implement or otherwise violate the GLBA could face the following penalties –
- Fines up to $1 million
- Termination of the company’s Federal Deposit Insurance Corporation (FDIC) insurance plan.
The latter penalty could effectively put a financial firm in the U.S. out of business.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was passed in 1996. It’s a U.S. federal statute that sets rules for data security, privacy, and data breach notifications. It applies to all entities in the U.S. healthcare sector, including –
- Healthcare providers
- Companies that sell healthcare plans
- Healthcare clearinghouses
- Business associates of healthcare-related organizations (“covered entities”)
The term “covered entity” could apply to pharmaceutical companies and health insurance companies. However, HIPAA compliance requirements vary for different organizations. The main aims of HIPAA compliance for healthcare organizations include –
- Make health insurance portable. Patients shouldn’t be forced to stick to specific jobs or healthcare plans due to pre-existing medical conditions.
- Eliminate healthcare abuse and fraud.
- Implement clear standards for sharing and storing healthcare-related data.
- Guarantee the security of health-related information.
Fines for non-compliance depend on the extent and nature of the violation. For example, Anthem, Inc. had to pay a record fine of $16 million to the U.S. Department of Health and Human Services (H.H.S.) in 2020. Fines for medical organizations that are not HIPAA-compliant have risen sharply in recent years.
The Federal Information Security Management Act (FISMA)
Passed in 2002, FISMA is a U.S. federal law that applies specifically to U.S. federal agencies. It’s part of the broader E-Government Act of 2002, which was intended to improve the administration of “electronic government” processes.
FISMA mandates the development, documentation, and implementation of appropriate information security and protection programs for all federal agencies. It’s by far the most vital federal regulation regarding data security.
It aims to reduce security risks to federal data while controlling federal spending on information security.
- All federal agencies, including state agencies that oversee federal programs (e.g., Medicare), must adhere to FISMA.
- This federal law also applies to private businesses/contractors working with federal agencies (e.g., DoD contractors).
Here are some basic security standards that FISMA auditors want organizations to implement –
- All federal agencies/contractors must keep inventories of all the FISMA-regulated information systems they use to perform federal duties.
- All sensitive information must be stored or shared via FISMA-regulated information systems.
- Federal agencies must create, implement, and sustain information security plans.
- Agency heads must conduct yearly security reviews and obtain their FISMA certifications and accreditations.
FISMA compliance improves the security of federal information. It also enables private companies/contractors to earn federal contracts. Government bodies and private companies that fail to comply suffer permanent reputational damage, loss of federal funding, and financial penalties.
The Department of Homeland Security (D.H.S.)
Will the Department of Homeland Security ever get involved if your company is affected by a data breach? Yes. When cybercrimes happen, the D.H.S. provides immediate assistance to impacted organizations. This assistance includes –
- Analyzing the impact of the cyberattack across the critical infrastructure in the organization.
- Investigating the perpetrators of the cybercrime (along with other law enforcement agencies).
- Creating a national response to prevent similar cyber incidents from impacting other U.S. entities.
The D.H.S. works in close coordination with federal agencies as well as private cybersecurity firms in these missions. The D.H.S. has had the authority to oversee the application of information security policies for federal executive branch systems since 2014.
The Federal Information Security Modernization Act (short – “FISMA 2014”) codified the D.H.S.’s role in implementing data security practices in federal agencies.
U.S. STATE CYBERSECURITY LAWS
In the U.S., along with federal laws, companies must obey cybersecurity laws passed in their state.
- All 50 states have laws that local companies must follow in case they experience cybersecurity breaches.
- The definition of “private, personal information” varies in different states.
- Companies must comply with the cybersecurity laws of the state where their customers reside.
Two states, New York and California, lead the country when it comes to state-based cybersecurity laws.
The most important state-based cybersecurity regulations include –
- The California Consumer Privacy Act (CCPA): The CCPA obligates companies operating in California to continually meet new cybersecurity requirements. It’s the first cybersecurity law in the U.S. that covers companies involved in the IoT sector (internet of things). All IoT companies must integrate “reasonable cybersecurity measures” into their devices.
- The California Privacy Rights and Enforcement Act (CPRA): Although not effective until January 2023, all U.S. companies must learn the new CPRA rules as quickly as possible. It imposes new, stringent information privacy requirements on organizations located in or serving customers in California. It gives consumers full control over how companies share their sensitive personal information (S.P.I.). The term “S.P.I.” refers to a consumer’s Social Security Number, financial account numbers, passport details, health/genetic data, etc.
- New York’s SHIELD Act of 2019: SHIELD stands for “Stop Hacks and Improve Electronic Data Security.” It was passed in 2019. This law requires all organizations operating in N.Y. to implement “reasonable” technical, physical, and administrative safeguards when handling customer data. Read the bill to understand what the New York Attorney General defines as “personal information.” Non-compliance with SHIELD could lead to penalties of up to $5,000 per violation.
- New York State Department of Financial Services Cybersecurity Regulations: All financial and related institutions operating in N.Y., such as credit unions, investment companies, mortgage brokers, etc., must follow the NYDFS cybersecurity regulations.
U.S. Cybersecurity Laws and Regulations – Frequently Asked Questions
If you are an individual or organization operating in the U.S., you likely have a few questions about cybersecurity laws and regulations, such as –
- Is it illegal to determine the vulnerabilities of IT systems?
- What measures are organizations permitted to use to secure their IT systems?
- Can organizations take out an insurance policy against cybersecurity attacks? If yes, then are there any regulatory restrictions on the coverage amount?
For answers to these questions and many other F.A.Q.s, check out this detailed article by the International Comparative Legal Guides (ICLG).
E.U. CYBERSECURITY LAWS
Cybersecurity regulations and standards in the U.S. provide a solid operational basis for private and public organizations. The European Union (E.U.) creates more tailored regulations that specifically apply to businesses operating within the EEA (European Economic Area). If your organization does business in the E.U., it needs to follow three major regulations.
- The E.U. General Data Protection Regulation (EU GDPR), passed in 2016.
- The European Union Agency for Cybersecurity (ENISA)
- The N.I.S. Directive (Directive on Security of Network and Information Systems)
All three are part of the E.U.’s Digital Single Market strategy. In addition to these three, all organizations doing business in the E.U. must also adhere to the E.U. Cybersecurity Act. Enforced in June 2019, the E.U. Cybersecurity Act has introduced –
- An EU-wide certification scheme to enforce higher cybersecurity standards for companies providing products/services in the I.C.T. sector (Information and Communication Technologies).
- Stronger cybersecurity mandates for all EU-affiliated agencies.
With these regulations and certification schemes, the E.U. aims to simplify and secure trade across the union. It wants to build consumer trust in I.C.T. products/services while supporting the growth of the cybersecurity market in the E.U.
The union is also in the process of passing two legislative proposals to address the recent rise in online and offline risks. They are –
- The E.U. Cybersecurity Strategy created by the European Commission
- The E.U. Cybersecurity Strategy created by the European External Action Service (EEAS)
Both these proposals are designed to improve the resilience of the network and information systems used by E.U. organizations.
INTERNATIONAL CYBERSECURITY LAWS
Do international laws apply in cyberspace? Yes. The Convention on Cybercrime, passed in 2001, was the first international cybersecurity agreement intended to reduce cybercrime by –
- Harmonizing national laws
- Enhancing investigative techniques
- Improving international cooperation
The United Nations Charter also features some rules that govern activities conducted in international cyberspace. These rules don’t discuss countermeasures to cyberattacks. But the charter does state that affected parties can take countermeasures in self-help and coercively enforce their rights.
However, international laws in cyberspace are hard to enforce, especially against state-sponsored actors. These laws exist to clarify that all sovereign countries have total jurisdiction over their data, cyberinfrastructure, and cyber activities.
The Importance of Staying Up to Date
Want to operate legally and compliantly in cyberspace? Cybersecurity laws are constantly evolving. Every month, policymakers propose new regulations to keep up with emerging technologies and new threats. Organization leaders must regularly study the latest cybersecurity laws imposed, or even proposed, worldwide. Here’s a helpful source to keep you up to date with all the latest cybersecurity laws, news, policies, and updates.
From private organizations to government agencies, these regulations attempt to safeguard vital functions in cyberspace. These vital functions directly impact consumers, so government agencies are rightfully very serious about enforcing them.