Laws are often passed when a situation becomes so dire that legislators feel the need to step in and apply some teeth. And when it comes to combating cybersecurity incidents, there seems to be no shortage of global legislative and regulatory reaction to the ongoing procession of headline-grabbing data breaches and attacks affecting organizations around the world. Major security events have been occurring for more than a decade, but as global connectivity and reliance on IT systems rises, the perilous consequences of these incidents continue to expand.
Here is a breakdown of five measures – two in the United States, one in the European Union, one in Australia and one in China – that are likely to impact you in the not-too-distant future, if they haven’t already. Get your compliance and legal teams ready.
1) New York State Department of Financial Services Regulation (23 NYCRR 500)
Current status: Effective as of March 1, but full compliance not required for 18 months
What’s it all about? New York state enacted a prescriptive law affecting banks and insurers (with greater than 10 employees) doing business within its borders. With New York serving as a primary hub for global finance, the requirements are certain to have ripple effects around the world.
In addition, the regulation is expected to serve as a model for other states, much like California’s trailblazing S.B. 1386 did data for data breach notifications. Among other provisions, the New York state law requires that “covered entities”:
- Designate a CISO (who can be employed by an affiliate or third-party provider).
- Conduct a periodic risk assessment, including of outside vendors, which are the sources of a growing number of breaches. For example, law firms.
- Detect security events.
- Perform annual penetration testing and bi-annual vulnerability assessments of information systems.
- Ensure secure development practices for application development.
- Restrict and review user access privileges to only those systems that access non-public information.
- Limit data retention.
- Establish a written incident response plan.
- Use “qualified” security personnel, which can include third-party providers, to manage risks and core security functions.
What’s next? Covered entities also are required to attest to annual compliance. More details can be found here (PDF).
2) The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
Current status: Becomes law May 2018
What’s it all about? The goal of the regulation, which affects all businesses operating in the EU, is to harmonize data protection laws across the 28 member states and “make Europe fit for the digital age.” The GDPR aims to “give citizens back control over of their personal data, and to simplify the regulatory environment for business.” The regulation will place a clear onus on businesses that collect and manage the personal information of EU citizens to protect that information from misuse.
What’s next? Businesses are racing to comply with the new regulation – or risk being sued.
3) The Cybersecurity Disclosure Act of 2017 (S. 536)
Current status: Introduced in the U.S. Senate
What’s it all about? We all know the security skills shortage is an issue for IT departments. But did you know the conundrum also extends to boards of directors? New proposed legislation from Democratic Sen. Mark Warner of Virginia would require boards of directors at public firms to disclose to the Securities and Exchange Commission if one of their members has security expertise. If they are unable to disclose that, they must explain how they are compensating for this shortcoming. Consumer advocates have reportedly voiced support for the measure as calls for boardroom accountability on security issues grows.
What’s next? This one has far less certainty than the others included in this list. The bill is expected to come up for a vote at an undetermined date.
4) Privacy Amendment (Notifiable Data Breaches) Bill 2016
Current status: Passed both houses of the Parliament of Australia in February, expected to take effect in February 2018
What’s it all about? Organizations will be required to notify the Australian privacy and information commissioner if they experience a breach and affected individuals are at “risk of serious harm” due to the disclosure of sensitive data.
What’s next? This bill has been many years in the works, but now organizations must study the measure and prepare for what, when and how they would disclose in the event of a breach. More details can be found here.
5) The People’s Republic of China Cybersecurity Law
Current status: Adopted last year, expected to take effect June 1
What’s it all about? All eyes are on this measure, as many governments and corporations don’t quite know what to expect when it takes hold. Specifically the law calls for critical infrastructure protection under the guise of national security, but it has been met with strong foreign opposition and confusion from companies and human rights groups – mainly over fears of further internet regulation and concerns that businesses that operate in the country will be forced to turn over sensitive information for storage in mainland China. The law is unofficially translated to English here.
What’s next? The compliance groups at global companies are diligently working to determine how they can meet the new law.