Many companies are now facing the challenges posed by malicious hackers attacking their IT environment. Unfortunately, the fallout continues even after the attack is contained, including dealing with incidents involving data breaches.
While there are laws and regulations in place to protect businesses against cybercrime, the often overlooked aspect of the law is the harsh penalties for businesses that fail to protect their customers’ data. In this blog, I’ll provide an overview of what everyone should know about cybersecurity laws and regulatory compliance in 2024.
Cybersecurity Regulations To Know and Follow
With no consolidated cybersecurity law in place in the United States, companies are left to determine which requirements they fall under based on a number of criteria, including state, industry, data and contract type, international business presence, and data storage locations.
The following is a brief list of the regulations that companies and organizations should review as they begin to determine which cybersecurity compliance requirements apply to them.
1. Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) enacted a set of rules in 1999 that requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
The FTC also issued an additional rule — the Standards for Safeguarding Customer Information, which sets standards for financial institutions to follow when implementing these safeguards. This rule took effect in 2003, but compliance was repeatedly delayed until June of 2023, and it now includes more technical requirements. Read this blog to learn more about these requirements and the businesses that are affected.
Section 314.4 of the Safeguards Rule outlines nine elements that a reasonable information security program must include. Below are some of the more important elements:
- Designate a Qualified Individual to implement and supervise your company’s information security program.
- Conduct a risk assessment.
- Encrypt customer information on your system and when it’s in transit.
- Implement multi-factor authentication for anyone accessing customer information on your system.
- Train your staff.
- Create a written incident response plan.
The FTC has more information about the Safeguards Rule and general guidance on data security here.
2. Homeland Security Act and FISMA
The Federal Information Security Modernization Act (FISMA) requires every government agency to develop a method to protect their information systems against cyber attacks. This act was originally passed in 2014, but it was overhauled in 2023 to support more effective cybersecurity methods and improve coordination amongst various federal agencies.
3. Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act (CISA) was passed in 2015 to provide relevant security threat information and make prosecuting cybercriminals easier. Many cybercrimes are never reported, and if they are, evidence is often difficult to collect in order to do anything about them.
CISA provides a way for companies in different sectors, such as technology, finance, and manufacturing, to share internet traffic and cyber threat information to improve threat intelligence feeds. This information can also be used as evidence to prosecute cyber criminals. The sharing of personal information between private companies and the U.S. government isn’t as scary as it sounds — there are provisions in place to protect private information and data unrelated to these crimes.
4. The Cyber Incident Reporting for Critical Infrastructure Act of 2022
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was passed in the spring of 2022. It requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and publish rules for companies providing critical infrastructure, such as the requirement to report covered cybersecurity incidents within 72 hours.
Stay tuned: These rules are expected to be issued very soon.
5. The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA Privacy Rule also outlines standards for an individual’s rights to understand and control how their data is used.
The Office for Civil Rights (OCR) is tasked with enforcing HIPAA, and this office has offered several recommendations to businesses to help them with compliance. Unfortunately, the penalties for failing to comply with HIPAA can be severe. One healthcare organization recently entered into a $1.3M settlement after it repeatedly failed to protect sensitive data.
We understand that every healthcare organization in America would prefer to spend its precious dollars on improving patient outcomes. However, with the dependency that exists in modern healthcare on IT systems, proper cybersecurity practices have become critical in keeping operations up and running.
One ransomware attack shut down several emergency rooms across the U.S., causing incoming emergencies to be diverted and time-sensitive operations to be postponed. So just like with any other business, protecting data and systems shouldn’t be seen as just an annoying bit of housekeeping to avoid a fine or a PR nightmare. In 2024, proper cybersecurity can save lives.
6. The Health Information Technology for Economic and Clinical Health Act
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 is part of the American Recovery and Reinvestment Act. Essentially, it expanded notification requirements and increased penalties in the case of a HIPAA breach and made business associates liable for failing to comply with HIPAA rules.
7. The Fair Credit Reporting Act
Originally enacted in 1970, the Fair Credit Reporting Act (FCRA) was crafted to help shield consumers from malicious or negligent use of their data in credit reports. It also requires consumer reporting agencies to provide notifications when a breach poses a significant risk of identity theft or fraud.
8. The Children's Online Privacy Protection Act
The Children’s Online Privacy Protection Act (COPPA) is intended to help parents have more control over the data that websites collect from their children. It also requires online service providers to notify parents when the personal information of any child under 13 is compromised.
9. Additional Considerations
For those looking to go further with compliance, regulations, and standards, consider investing some time into identifying how the following may affect your organization:
- The Payment Card Industry Data Security Standard (PCI-DSS)
- Compliance with CMMC/NIST 800-171, which requires any companies working with the Department of Defense (prime or subcontractors) to secure Controlled Unclassified Information (CUI)
- International privacy laws
- General Data Protection Regulation (GDPR) for companies conducting business or storing data in the European Union
- Personal Information Protection and Electronic Documents Act (PIPEDA) for companies conducting business or storing data in Canada
- Other state and national laws and regulations that may cover where you are conducting business or storing data
Navigating Cybersecurity Laws
More cybersecurity laws are expected in 2024 that will affect US defense contractors, certain cloud providers that use AI models, and more. And more regulators are holding individuals accountable for failing to comply.
If this blog has you throwing up your hands in defeat, you’re certainly not alone. Cybersecurity is becoming a specialized field, and keeping on top of it is simply beyond the scope of many internal IT teams. One way to combat this threat while crossing off a few other business goals for 2024, like boosting productivity and offering a better employee experience, is to invest in managed IT services.
Another way to manage these requirements is to hire a highly experienced Chief Information Security Officer (CISO). Salaries for these in-demand positions are ballooning. However, at Marco, we also offer IT consulting services, including fractional CISO positions. It’s a great way for small to mid-sized organizations — who, sadly, are a cybercriminal’s favorite target — to get the specialized expertise they need at an affordable price.