In past eras, cybersecurity wasn’t an issue for business owners. But now, the internet defines many corporate activities.
Some businesses operate entirely online, and even the ones that don't typically include the internet in their operations somehow - whether it’s marketing to customers or keeping accurate records.
If company leaders do not understand the cybersecurity laws that relate to their operations, they may be subjected to substantial fines. Moreover, substantial costs could result from having to achieve compliance after regulatory bodies discover shortcomings and order remedies. But awareness is the first step to avoiding issues. Here are four individual laws or types of laws worth understanding.
1. Federal Cybersecurity Laws
It may be surprising that an overarching federal cybersecurity law doesn’t yet exist in the United States. However, that doesn't mean all businesses don’t need to comply with cybersecurity standards. That's because some kinds of establishments that offer specific services have applicable regulations. As a start, government contractors have rules to follow.
As of December 31, 2017, all contractors working for the Department of Defense (DoD) must abide by requirements set by the organization. Failing to do so could mean losing a contract or having to cease the fulfillment of work orders until the contractor is verifiably in compliance.
Also, having a lax attitude toward cybersecurity makes it exceptionally difficult for entities to remain competitive when bidding new contracts. DoD representatives know insufficient cybersecurity makes contractors vulnerable to hacks. That's particularly dangerous since contractors deal with potentially valuable information.
One of the cybersecurity rules from the DoD relates to a DFARS Clause. It's about controlled unclassified information (CUI) from federal entities that contractors handle. Examples of such information include documents containing health-related content, information about legal proceedings or proprietary material.
In January 2018, the General Services Administration (GSA) also announced planned new regulations for contractors, including stipulations for handling data and reporting breaches quickly. Once the agency finalizes and publishes its rules, they’ll provide uniform cybersecurity guidance across government agencies.
Outside of the U.S government, some industries have rules for data handling. Health care is one sector governed by federal regulations for managing patient data. Laws for violation vary depending on the extent of the issue - but could total over a million dollars for civil matters. Additionally, criminal violations of those health care data privacy laws could result in up to 10-year prison sentences.
2. State-Specific Security Regulations
Businesses are also responsible for knowing the applicable state-specific cybersecurity laws. Many of them relate to data collection practices and the need to notify customers within strict timeframes and through specified methods if data gets compromised.
Some states have particularly strict cybersecurity laws, such as New York's regulations for the financial sector. One of the criticisms is there’s no clear punishment stated for non-compliance. Companies get fined, but details beyond that are scarce.
Also, companies must be aware that if they do business in various states — such as by operating online — they’re subject to cybersecurity laws in those locations. There are efforts to make the regulations more stringent, too. California will enforce its data privacy law as of January 2020. That act gives people more control over the information that companies collect.
It also allows consumers to make companies delete their information. Businesses cannot give customers a lower quality of service after they opt out.
3. The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) applies to all European Union member states, as well as any companies operating elsewhere that market or provide services to people in the European Union. Many items in the GDPR are part of California's law, too. But, the GDPR is more expansive than what the state requires.
Various factors — such as the number of people affected and the actions taken to mitigate damage — determine the amount of money a company could get fined for violating GDPR. However, the maximum fines could be up to €10 million — or two percent of the worldwide annual revenue.
Because of the financial and reputational damage that can result when a company is not aware of cybersecurity laws, it's crucial to get the company on board with compliance.
The GDPR gained substantial press coverage recently due to its May 2018 implementation. But, it's not the lone federally enforced cybersecurity regulation. For example, Canada has Personal Information Protection and Electronic Documents Act (PIPEDA) that went into effect in April 2000, applying to private sector businesses and dictating treatment of data gathered for commercial reasons.
4. California's SB-327 Bill for IoT Security
The Internet of Things (IoT) encompasses internet-connected devices, and some people have rightly criticized the manufacturers of those gadgets for not being sufficiently concerned about cybersecurity. However, California recently passed a bill to change things. California's SB-327 IoT bill goes into effect on January 1, 2020, the same day as the state's data privacy bill mentioned above.
It sets forth security standards for internet-connected devices, including making all of them come with unique passwords or requiring users to create them during the setup process instead of having generic ones hackers could guess.
Although SB-327 only applies to California, it will likely have effects that are more far-reaching. That's because it's not feasible for businesses to make some IoT devices that conform to California's standards and others that don't.
The most cost-effective thing to do is build all IoT devices so they are compliant with California's law. Taking that approach could make companies better prepared if other states follow California's lead.
Beyond California, several bills have been introduced to Congress, but none have made it to the voting stage. The fact that federal legislators have IoT security on their minds means a federal law could be forthcoming, especially since IoT device usage is becoming increasingly widespread.
Companies Must Take the Necessary Steps to Comply
It's too early to know the extent of fines companies could face for non-compliance with California's future laws, but punishments for non-compliance with existing regulations are most certainly severe. In addition to fully understanding the basics of the cybersecurity laws mentioned here, companies must take steps to immediately determine if they meet these requirements.
Once a compliance plan is set, companies must make cybersecurity an ongoing priority. No matter what regulations emerge in the future, most will already be set to fall in line and avoid the potentially harmful implications of non-compliance.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign