Some businesses operate entirely online, and even the ones that don't typically rely on the internet somewhere in their operations, whether for marketing to customers or for keeping accurate records.
If company leaders do not understand the cybersecurity laws that relate to their operations, they may be subjected to substantial fines. Moreover, substantial costs could result from having to achieve compliance after regulatory bodies discover shortcomings and order remedies. But awareness is the first step to avoiding issues. Here are four individual laws or types of laws worth understanding.
1. Federal Cybersecurity Laws
It may be surprising that an overarching federal cybersecurity law doesn't yet exist in the United States. However, that doesn't mean businesses are free of cybersecurity standards: some kinds of establishments that offer specific services have regulations that apply to them. As a start, government contractors have rules to follow.
As of December 31, 2017, all contractors working for the Department of Defense (DoD) must abide by requirements set by the organization. Failing to do so could mean losing a contract or having to cease the fulfillment of work orders until the contractor is verifiably in compliance.
Also, having a lax attitude toward cybersecurity makes it exceptionally difficult for entities to remain competitive when bidding new contracts. DoD representatives know insufficient cybersecurity makes contractors vulnerable to hacks. That's particularly dangerous since contractors deal with potentially valuable information.
One of the cybersecurity rules from the DoD relates to a DFARS Clause. It's about controlled unclassified information (CUI) from federal entities that contractors handle. Examples of such information include documents containing health-related content, information about legal proceedings or proprietary material.
2. State-Specific Security Regulations
Businesses are also responsible for knowing the applicable state-specific cybersecurity laws. Many of them relate to data collection practices and the need to notify customers within strict timeframes and through specified methods if data gets compromised.
Some states have particularly strict cybersecurity laws, such as New York's regulations for the financial sector. One criticism is that no clear penalty is stated for non-compliance. Companies get fined, but details beyond that are scarce.
Also, companies must be aware that if they do business in various states — such as by operating online — they’re subject to cybersecurity laws in those locations. There are efforts to make the regulations more stringent, too. California will enforce its data privacy law as of January 2020. That act gives people more control over the information that companies collect.
It also allows consumers to make companies delete their information. Businesses cannot give customers a lower quality of service after they opt out.
3. The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) applies to all European Union member states, as well as any companies operating elsewhere that market or provide services to people in the European Union. Many items in the GDPR are part of California's law, too. But, the GDPR is more expansive than what the state requires.
Various factors — such as the number of people affected and the actions taken to mitigate damage — determine the amount of money a company could get fined for violating GDPR. However, the maximum fines could be up to €10 million — or two percent of the worldwide annual revenue.
Because of the financial and reputational damage that can result when a company is not aware of cybersecurity laws, it's crucial to get the company on board with compliance.
The GDPR gained substantial press coverage recently due to its May 2018 implementation. But it's not the only nationally enforced cybersecurity regulation. For example, Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), which went into effect in April 2000; it applies to private sector businesses and dictates how data gathered for commercial purposes must be treated.
4. California's SB-327 Bill for IoT Security
The Internet of Things (IoT) encompasses internet-connected devices, and some people have rightly criticized the manufacturers of those gadgets for not being sufficiently concerned about cybersecurity. However, California recently passed a bill to change things. California's SB-327 IoT bill goes into effect on January 1, 2020, the same day as the state's data privacy bill mentioned above.
It sets forth security standards for internet-connected devices, including a requirement that every device either ship with a unique password or make the user create one during setup, rather than carrying a generic default that attackers could guess.
Although SB-327 only applies to California, it will likely have effects that are more far-reaching. That's because it's not feasible for businesses to make some IoT devices that conform to California's standards and others that don't.
The most cost-effective thing to do is build all IoT devices so they are compliant with California's law. Taking that approach could make companies better prepared if other states follow California's lead.
Beyond California, several bills have been introduced to Congress, but none have made it to the voting stage. The fact that federal legislators have IoT security on their minds means a federal law could be forthcoming, especially since IoT device usage is becoming increasingly widespread.
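As an added illustration of the requirement described above (example code written for this page, not part of SB-327 or any vendor's firmware), the model below gates first access to a device on one of the two compliant states: a credential generated uniquely per device at manufacture, or a user-chosen credential set during setup. The denylist of generic defaults and the minimum length are constructed policy values, not figures from the law.

```python
import hmac
import secrets

# Constructed denylist of generic factory credentials (illustrative values).
GENERIC_DEFAULTS = {"", "admin", "password", "default", "1234", "12345"}
MIN_CREDENTIAL_LEN = 8  # constructed policy value, not from the statute


def factory_unique_credential() -> str:
    """Per-device credential generated at manufacture (assumed to be
    printed on the device label). Random, so no two devices share it."""
    return secrets.token_urlsafe(12)


class Device:
    """Authentication state of one IoT device from first boot onward."""

    def __init__(self, serial: str, factory_credential: str, unique_per_device: bool):
        self.serial = serial
        self._credential = factory_credential
        self.unique_per_device = unique_per_device
        self.user_set_credential = False

    def _matches(self, supplied: str) -> bool:
        # Constant-time comparison avoids leaking the credential via timing.
        return hmac.compare_digest(self._credential.encode(), supplied.encode())

    def set_credential(self, current: str, new: str) -> bool:
        """Setup step: replace the factory credential with a user-chosen one."""
        if not self._matches(current):
            return False
        if new in GENERIC_DEFAULTS or len(new) < MIN_CREDENTIAL_LEN:
            return False
        self._credential = new
        self.user_set_credential = True
        return True

    def access_allowed(self, supplied: str) -> bool:
        """Grant access only when the credential matches AND the device is in
        a compliant state: unique-per-device factory credential, or a
        credential the user set during setup. A shared default never suffices."""
        if not self._matches(supplied):
            return False
        return self.unique_per_device or self.user_set_credential
```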