Cybersecurity Laws, Regulations and Compliance

We maintain this evergreen, living document on cybersecurity laws, regulations and compliance, with an emphasis on threat detection and reconnaissance. We are glad to help you with your best practices.

These are laws, regulations, and compliance requirements related to cybersecurity and the protection of sensitive data, along with a summary of each, an explanation of why following these is important to CEOs, CISOs, and security architects, and the potential consequences of not following best practices:  

  1. The General Data Protection Regulation (GDPR): This is a regulation in EU law that establishes rules for the protection of personal data. It applies to the processing of personal data by organizations that are based in the EU, as well as organizations that are based outside the EU but that offer goods or services to individuals in the EU. Obeying the GDPR is important because it helps to ensure that personal data is collected, used, and disclosed in a responsible and transparent manner, and it helps to protect the privacy rights of individuals. Potential consequences of not obeying the GDPR include fines, legal penalties, and damage to an organization’s reputation.  
  1. The Health Insurance Portability and Accountability Act (HIPAA): This is a U.S. federal law that establishes standards for the protection of health information. It applies to health plans, healthcare providers, and healthcare clearinghouses. Obeying HIPAA is important because it helps to ensure that sensitive health information is protected, and it helps to prevent unauthorized access to or disclosure of this information. Potential consequences of not obeying HIPAA include fines, legal penalties, and damage to an organization’s reputation.  
  1. The Payment Card Industry Data Security Standard (PCI DSS): This is a set of security standards that are designed to ensure the secure handling of credit card information. It applies to organizations that accept, process, or transmit credit card transactions. Obeying PCI DSS is important because it helps to protect against credit card fraud and data breaches, and it helps to maintain the trust of customers. Potential consequences of not obeying PCI DSS include fines, legal penalties, and damage to an organization’s reputation.  
  1. The Sarbanes-Oxley Act (SOX): This is a U.S. federal law that establishes certain requirements for publicly traded companies. It includes provisions related to the protection of sensitive financial data and the implementation of internal controls. Obeying SOX is important because it helps to ensure the accuracy and reliability of financial statements, and it helps to restore investor confidence in the financial markets. Potential consequences of not obeying SOX include fines, legal penalties, and damage to an organization’s reputation.  
  1. The California Consumer Privacy Act (CCPA): This is a state law in California that establishes certain rights for California consumers with respect to their personal information. It applies to businesses that collect, use, or disclose personal information about California consumers. Obeying the CCPA is important because it helps to protect the privacy rights of California consumers, and it helps to maintain the trust of customers. Potential consequences of not obeying the CCPA include fines, legal penalties, and damage to an organization’s reputation.  
  1. The Personal Information Protection and Electronic Documents Act (PIPEDA): This is a federal privacy law in Canada that applies to organizations that collect, use, or disclose personal information in the course of commercial activities. It sets out rules for the collection, use, and disclosure of personal information, and gives individuals the right to access and correct their personal information. Obeying PIPEDA is important because it helps to ensure that personal information is collected, used, and disclosed in a responsible and transparent manner, and it helps to protect the privacy rights of individuals. Potential consequences of not obeying PIPEDA include fines, legal penalties, and damage to an organization’s reputation.  
  1. The Children’s Online Privacy Protection Act (COPPA): This is a U.S. federal law that establishes rules for the collection of personal information from children under the age of 13. It applies to operators of websites or online services that are directed to children or that have actual knowledge that they are collecting personal information from children. Obeying COPPA is important because it helps to protect the privacy rights of children, and it helps to ensure that children’s personal information is collected, used, and disclosed in a responsible and transparent manner. Potential consequences of not obeying COPPA include fines, legal penalties, and damage to an organization’s reputation.  
  1. The Health Information Technology for Economic and Clinical Health Act (HITECH Act): This is a U.S. federal law that establishes rules for the use of electronic health records (EHRs) and other health information technology (HIT). It applies to healthcare providers, health plans, and healthcare clearinghouses. Obeying the HITECH Act is important because it helps to ensure the secure handling of sensitive health information, and it helps to prevent unauthorized access to or disclosure of this information. Potential consequences of not obeying the HITECH Act include fines, legal penalties, and damage to an organization’s reputation.  
  1. The Family Educational Rights and Privacy Act (FERPA): This is a U.S. federal law that protects the privacy of student education records. It applies to educational agencies and institutions that receive federal funding. Obeying FERPA is important because it helps to ensure the confidentiality of student education records, and it helps to protect the privacy rights of students. Potential consequences of not obeying FERPA include the loss of federal funding and damage to an organization’s reputation.  
  1. The Gramm-Leach-Bliley Act (GLBA): This is a U.S. federal law that establishes rules for the protection of financial information. It applies to financial institutions, including banks, credit unions, and insurance companies. Obeying the GLBA is important because it helps to protect the financial privacy rights of consumers, and it helps to prevent unauthorized access to or disclosure of sensitive financial information. Potential consequences of not obeying the GLBA include fines, legal penalties, and damage to an organization’s reputation.  
  1. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF): This is a framework that provides guidance for managing cybersecurity risks. It is voluntary and can be used by organizations of any size or in any industry. Obeying the NIST CSF is important because it helps to ensure the confidentiality, integrity, and availability of an organization’s information and systems, and it helps to protect against cybersecurity threats. Potential consequences of not obeying the NIST CSF depend on the specific risks and vulnerabilities that an organization faces.  
  1. The International Organization for Standardization (ISO) 27001: This is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It can be used by organizations of any size or in any industry. Obeying ISO 27001 is important because it helps to ensure the confidentiality, integrity, and availability of an organization’s information and systems, and it helps to protect against cybersecurity threats. Potential consequences of not obeying ISO 27001 depend on the specific risks and vulnerabilities that an organization faces.  
  1. The Cybersecurity Maturity Model Certification (CMMC): This is a framework that establishes cybersecurity standards for defense contractors and other organizations that handle sensitive U.S. government information. It is mandatory for organizations that contract with the Department of Defense (DoD). Obeying the CMMC is important because it helps to ensure the confidentiality, integrity, and availability of sensitive U.S. government information, and it helps to protect against cybersecurity threats. Potential consequences of not obeying the CMMC include the loss of contracts with the DoD and damage to an organization’s reputation.  
  1. The Data Breach Notification Laws: There are various laws in different jurisdictions that require organizations to notify individuals and/or regulatory authorities in the event of a data breach. These laws often apply to the personal information of individuals, and they may have specific requirements for the timing, content, and method of notification. Obeying data breach notification laws is important because it helps to ensure that individuals are informed in a timely manner if their personal information has been compromised, and it helps to protect the privacy rights of individuals. Potential consequences of not obeying data breach notification laws include fines, legal penalties, and damage to an organization’s reputation.  
  1. Cyber crime insurance underwriting is becoming much stricter: Insurance companies that offer cyber crime insurance typically have underwriting guidelines that outline the types of cyber attacks and losses that are covered under their policies. These guidelines may specify the types of cyber threats that are covered, such as data breaches and ransomware attacks. They may also specify the types of losses that are covered, such as the cost of responding to a cyber attack, the cost of notification and credit monitoring services for affected individuals, and the cost of legal fees and other expenses associated with a cyber attack. In general, insurance companies that offer cyber crime insurance will consider the specific risks and vulnerabilities of an organization when deciding whether or not to offer coverage. They may require organizations to demonstrate that they have appropriate cybersecurity controls in place and that they have followed best practices for protecting sensitive data. They may also require organizations to have incident response plans in place to mitigate the impact of a cyber attack. It is a good idea for organizations to carefully review the terms and conditions of any cyber crime insurance policies they are considering and to work with a trusted insurance broker or advisor to ensure that they have the coverage they need to protect against potential losses from a cyber attack. 
  1. SEC: The U.S. Securities and Exchange Commission (SEC) has issued guidance on cybersecurity and has brought enforcement actions against companies that have failed to adequately protect their sensitive data or that have misled investors about their cybersecurity practices. In 2011, the SEC issued guidance to publicly traded companies on their obligations to disclose material information about cybersecurity risks and incidents. This guidance stated that companies should disclose “material” cybersecurity risks and incidents in their public filings, such as annual and quarterly reports, as well as in their proxy statements and registration statements. The guidance also stated that companies should have processes in place to assess the materiality of cybersecurity risks and incidents and to determine whether they should be disclosed to investors. For example, in 2018, the SEC settled charges with Yahoo for failing to disclose a 2014 data breach that affected all 3 billion of its user accounts. The SEC found that Yahoo had failed to properly assess the materiality of the data breach and to disclose it to investors in a timely manner. It is important for publicly traded companies to be aware of their obligations to disclose material information about cybersecurity risks and incidents, and to have processes in place to assess the materiality of these risks and incidents and to determine whether they should be disclosed to investors. Failure to do so could result in enforcement actions by the SEC. The SEC has also signaled further cybersecurity disclosure rulemaking, so these obligations are expected to become more formal. 
  1. FTC: The U.S. Federal Trade Commission (FTC) also actively enforces data security and privacy obligations, so its expectations should be treated just as seriously.