Not long ago, cybersecurity was not a concern for most business owners. Today, however, a large share of corporate activity runs over the internet.
Many businesses operate entirely online, and even those that do not rely on the internet somewhere in their operations, whether for customer marketing or for keeping accurate records.
If a company's leadership does not understand the cybersecurity laws that apply to its operations, the company can face substantial fines. If regulators find shortcomings, the cost of the remediation they order to reach compliance can be substantial as well. Awareness is therefore the first step in avoiding these problems. Below are four laws, or categories of law, worth knowing and understanding.
1. Federal Cybersecurity Laws
It may surprise you that the United States still has no single, overarching federal cybersecurity law. That does not mean businesses have nothing to comply with: the applicable regulations are sector-specific, attaching to particular services offered by particular kinds of organizations.
Since 31 December 2017, Department of Defense (DoD) contractors have had to meet the cybersecurity requirements the department sets out. Failing to do so can cost a contractor the contract, or halt work orders until the contractor is verified as compliant.
A lax attitude toward cybersecurity also makes it much harder to stay competitive when bidding for new contracts. DoD knows that insufficient cybersecurity leaves contractors vulnerable to intrusion, which is particularly dangerous given the sensitivity of the information contractors handle.
The DoD requirement is set out in a DFARS clause (DFARS 252.204-7012, which points to the NIST SP 800-171 controls) covering the controlled unclassified information (CUI) that contractors receive from federal entities. Examples of such information include documents containing health-related content, information about legal proceedings, and proprietary information.
In January 2018 the General Services Administration (GSA) also announced that it was planning new regulations for contractors, including requirements on how data is handled and on prompt reporting of breaches. Once the agency finalizes and publishes the rules, they are intended to give uniform cybersecurity guidance across government agencies.
Some industries are subject to federal data-handling rules outside of government contracting as well. Health care is one: federal regulation (HIPAA) governs how patient data is managed. Penalties vary with the severity and extent of the violation, but civil penalties can exceed a million dollars, and criminal violations of health-data privacy law can carry prison sentences of up to 10 years.
2. State-Specific Security Regulations
Businesses are responsible for knowing the state-specific cybersecurity laws that apply to them. Many of these laws govern data-collection practices and require that, when data has been compromised, customers be notified and specified procedures followed within a strict time frame.
Some states have very strict cybersecurity laws; New York's regulation for the financial sector is one example. One criticism of it is that it states no clear penalty for non-compliance: fines are issued to companies, but beyond that the details are scarce.
Companies must also be aware that when they do business in other states, for example online, they become subject to the cybersecurity laws of those states as well. These regulations are also being tightened. California's data privacy law takes effect in January 2020 and gives people more control over the information companies collect about them, including the right to have a company delete the information it holds on them. A business may not provide a lower level of service to customers who choose to opt out.
3. The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) applies to all member states of the European Union, and to companies based elsewhere that market or provide services to people within the EU. Much of what the GDPR contains also appears in California's law, but the GDPR is more expansive than what the state requires.
How much a company can be fined for a GDPR violation depends on factors such as the number of people affected and the actions taken to mitigate the damage. The fines are tiered: the lower tier reaches 10 million euros or 2% of worldwide annual turnover, and the upper tier 20 million euros or 4%, in each case whichever amount is higher.
It is therefore crucial for companies to commit to compliance, given the financial and reputational damage that can follow from ignorance of the cybersecurity laws that apply to them.
The GDPR's implementation in May 2018 drew substantial press coverage, but it is not the only national-level data protection regulation. In Canada, for example, the Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted in April 2000; it applies to private-sector businesses and governs how personal data gathered for commercial purposes is handled.
4. California's SB-327 Bill for IoT Security
The Internet of Things (IoT) encompasses internet-connected devices. Manufacturers of these devices have rightly been criticized for not paying enough attention to cybersecurity, and California recently passed a bill to change that. On 1 January 2020 California's IoT security bill, SB-327, takes effect alongside the state's data privacy law mentioned above.
It sets out security requirements for devices that connect to the internet, including that each device either ships with a password unique to that device or requires the user to create a new one during setup, instead of a generic default that a would-be attacker can easily guess.
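As an added example (not part of the original article), the following Python sketches the first-boot gate a device could enforce to satisfy either of the two compliant paths just described: a factory password that is unique to the device (and not reused elsewhere in the fleet), or a forced credential change before the device exposes a network service. The shared-default list, the serial numbers and the `first_boot_allows_remote_access` helper are constructed for illustration and are not from any real product.

```python
"""Added example (not from the original article): a first-boot provisioning
gate modelled on the two compliant paths the California IoT law allows for
devices reachable from outside a LAN: a password unique to each device, or a
forced credential change before first access. The default-password list and
the serial numbers below are constructed sample data."""
import secrets
import string

# Constructed list of well-known generic defaults a manufacturer must not ship.
SHARED_DEFAULTS = {"admin", "password", "12345", "1234", "root", "default", ""}


def is_shared_default(password: str) -> bool:
    """True if the password is a known generic default (case-insensitive)."""
    return password.strip().lower() in SHARED_DEFAULTS


def generate_unique_password(length: int = 16) -> str:
    """Per-device password drawn from the OS CSPRNG at manufacturing time.
    It is deliberately NOT derived from the serial number or MAC address, so
    learning one device's identifier reveals nothing about its password."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def first_boot_allows_remote_access(device: dict, fleet_passwords: set) -> bool:
    """Decide whether the device may expose its network service on first boot.

    device: {"serial": str, "password": str, "user_set_credential": bool}
    fleet_passwords: passwords already assigned to other devices in the batch.

    Allowed if (a) the setup flow has already made the user set a new
    credential, or (b) the factory password is neither a shared default nor
    reused elsewhere in the fleet. Otherwise the device must stay in setup mode.
    """
    if device.get("user_set_credential"):
        return True
    pw = device["password"]
    if is_shared_default(pw):
        return False
    if pw in fleet_passwords:
        return False
    return True


def provision_batch(serials: list) -> dict:
    """Assign a distinct random password to each serial, retrying on the
    (astronomically unlikely) collision so fleet-wide uniqueness is guaranteed."""
    assigned = {}
    used = set()
    for serial in serials:
        pw = generate_unique_password()
        while pw in used:
            pw = generate_unique_password()
        used.add(pw)
        assigned[serial] = pw
    return assigned


if __name__ == "__main__":
    batch = provision_batch(["SN-0001", "SN-0002", "SN-0003"])  # constructed serials
    others = set(batch.values())
    # A device shipping with "admin" stays in setup mode until a credential is set.
    print(first_boot_allows_remote_access(
        {"serial": "SN-X", "password": "admin", "user_set_credential": False}, others))
    # The same device after the setup wizard forced a change is allowed.
    print(first_boot_allows_remote_access(
        {"serial": "SN-X", "password": "admin", "user_set_credential": True}, others))
    # A device with its own factory-unique password is allowed.
    print(first_boot_allows_remote_access(
        {"serial": "SN-0001", "password": batch["SN-0001"], "user_set_credential": False},
        others - {batch["SN-0001"]}))
```

The fleet check matters in practice: a password that is merely "not on the default list" but stamped identically on every unit of a model is still a shared credential, which is exactly what the unique-per-device requirement is meant to rule out.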
SB-327 applies only in California, but it is likely to have far wider effect, simply because it is not practical for a manufacturer to build some IoT devices to California's standard and others to a lower one.
If companies take the more cost-effective approach of building all of their IoT devices to comply with California's law, they will also be better prepared should other states follow California's lead.
Several IoT security bills have been introduced in Congress as well, but none has yet reached a vote. A federal law may still follow, since IoT security is on federal legislators' minds and IoT devices are increasingly widespread.
Companies Must Take The Necessary Steps In Order to Comply
It is too early to predict the fines companies may face for non-compliance with California's forthcoming laws, but the penalties for non-compliance with existing regulations are certainly severe. Beyond understanding the cybersecurity laws described above, companies must act now to determine whether they meet the requirements, and must keep cybersecurity an ongoing priority once a compliance plan is in place. Whatever regulations emerge in the future, companies that do so will largely be positioned to fall in line and will avoid the harmful consequences of non-compliance.