New Cybersecurity Laws
New Cybersecurity Laws: Is Your Business Up to Par?
Last month, President Joe Biden signed the K-12 Cybersecurity Act, the first federal law focused specifically on K-12 cybersecurity and a notable addition to the growing list of laws and regulations governing cybersecurity practices and protocols. It is still just the beginning of a nationwide effort to work out how businesses, organizations, institutions, and consumers can keep their data safe from cyberattacks. Each new law brings us one step closer to a safer digital space, but it also requires businesses and organizations to adapt to a changing landscape of rules and regulations. So what do business owners and leaders need to know? In this blog, we walk through three recent cybersecurity laws and discuss whether and how they affect different companies and organizations. Let’s get started!
1- The K-12 Cybersecurity Act
There’s no better place to start than the most recent law. The K-12 Cybersecurity Act of 2021 directs the Cybersecurity and Infrastructure Security Agency (CISA), a United States federal agency, to complete a study of the cybersecurity risks facing K-12 schools within 120 days. These risks include ransomware, phishing, and the like. In conducting the study, CISA will consult with teachers, school administrators, and other relevant organizations and agencies to learn about the issues they face. CISA will then develop recommendations, along with an online training toolkit, to help K-12 schools improve their cybersecurity procedures and protocols.
This law is a significant step because it is the first federal law aimed specifically at K-12 cybersecurity. At this point, however, it does not force schools to change any of their security practices: CISA’s recommendations will be entirely voluntary, so schools can take them or leave them. The hope is that the study is enough to start the deeper work of building safer data security systems for schools across the nation.
2- New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Although the federal government has been slow to enact broad cybersecurity laws, states have begun to address these issues, with hundreds of bills on privacy, cybersecurity, and data breaches currently pending. One of them, signed into law in New York in 2019, is the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, whose data security requirements took effect on March 21, 2020. Its main purpose is to impose affirmative cybersecurity obligations on specific entities: any person or business that owns or licenses computerized data that includes the private information of a New York resident must implement and maintain reasonable safeguards to protect that information.
Under SHIELD, those organizations must maintain reasonable administrative, technical, and physical safeguards. What counts as reasonable depends on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it collects. Any business that holds the private information of a New York resident, even one headquartered outside New York, must therefore assess its safeguards against this standard. The Act’s examples include designating someone to coordinate the security program, identifying reasonably foreseeable risks and training employees, detecting, preventing, and responding to attacks and system failures, and protecting against unauthorized access to private information during collection, transport, and disposal. Businesses already subject to regimes such as HIPAA, the Gramm-Leach-Bliley Act, or the NYDFS cybersecurity regulation are deemed compliant with the SHIELD Act’s data security requirements. If you are a business owner required to meet these obligations, it helps to partner with a cybersecurity provider to review your systems and confirm that they meet or exceed what the New York law requires.
3- Washington’s Data Breach Law
Another state that recently enacted a new cybersecurity law is Washington. In 2019, Governor Jay Inslee signed SHB 1071, which amended the state’s data breach notification law effective March 1, 2020. It requires organizations to notify affected individuals when personal information is breached, and it broadened the definition of personal information: an individual’s first name or initial and last name in combination with data elements such as a Social Security number, full date of birth, passport number, biometric data, health insurance identification number, or a username or email address combined with a password or security question answer. Under the amended law, organizations have 30 days from discovery of the breach to notify affected individuals, down from 45 days previously. If more than 500 Washington residents are affected, the state Attorney General must also be notified within 30 days, and that notice must include the number of residents affected, a timeframe of exposure (the date of the breach and the date of its discovery), the types of personal information affected, a summary of the steps taken to contain the breach, and a sample copy of the notification sent to Washington residents.
To comply, companies doing business in Washington must be able to identify every category of personal information covered by the statutory definition that they hold, and where it lives. They should also have a robust prevention, detection, and recovery plan so that, if a breach does occur, they can establish when it happened and when it was discovered and supply all the required information within the 30-day window (or, better yet, prevent the breach in the first place). This is another area where a cybersecurity partner can help: an experienced firm can design protocols tailored to an organization’s needs and goals and build disaster recovery plans that get it back on track quickly while meeting its legal obligations along the way.
Overall, new cybersecurity laws and regulations are appearing quickly. As data breaches continue to increase, governments are taking a vested interest in protecting individuals and their private information. So far, state governments have taken the lead in enacting laws that require businesses to develop and maintain a certain level of cybersecurity protocols. The result is a patchwork of different laws that is difficult to keep track of, especially for businesses operating in multiple states. The K-12 Cybersecurity Act may be a sign that the federal government is stepping up to create legislation that applies uniformly across the states. Either way, having a cybersecurity expert by your side makes complying with these laws that much easier. A good cybersecurity partner stays up to date on the changing requirements and ensures that your business is up to par. Schedule a consultation with us today to find out whether your cybersecurity posture meets your compliance requirements.