Analyzing the Impact of the Many New Rules of Cybersecurity – JD Supra

This article originally appeared in Cybersecurity Law & Strategy. © ALM Media LLC. Reprinted with permission.

The federal government is trying to find as many ways as possible to handle the cybersecurity crisis facing the United States. While it is unlikely that Congress will pass a comprehensive federal cybersecurity law for the private sector, the Executive Branch and its many agencies are issuing directives and guidelines with far-reaching impacts. Additionally, states across the nation are passing their own data protection and cybersecurity laws with whiplash speed. The U.S. does not have a single federal cybersecurity law, but the new regulatory and state landscape is changing the way companies do business. This patchwork of new laws reinforces existing cybersecurity guidelines; for almost all organizations, however, the de facto industry standard remains the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Privacy Framework.

There are new federal regulations, directives, and guidelines, as well as new case law, industry-specific guidelines, and new state laws that, when taken together, form an industry standard applicable to almost all business sectors. The end result is that if you receive, collect or hold data in an enumerated industry or sector, or collect client data, your business must have an information security program in place.

Many of the existing laws cover publicly traded companies and the banking, health care, financial, educational and insurance sectors. Third-party vendors, including law firms, are specifically enumerated in many state statutes. Nevada even has a relatively new statute that covers casinos. The combination of these new state statutes and federal guidelines provides the new landscape for compliance. The message is clear: cybersecurity compliance is for everyone.

FEDERAL OVERSIGHT

There are several federal laws, regulations and even legal opinions that have cybersecurity and data privacy implications for publicly traded companies and specific sectors. Authorities such as Sarbanes-Oxley, the Privacy of Consumer Financial Information and Safeguarding Personal Information Regulation, the Gramm-Leach-Bliley Security Rule and Privacy Rule, the Health Insurance Portability and Accountability Act, the Children's Online Privacy Protection Act (COPPA), the FTC Act, the NIST Cybersecurity Framework, the NIST Privacy Framework, the new Cybersecurity Maturity Model Certification program for defense industry contractors, the Department of Justice's new Civil Cyber-Fraud Initiative and the Wyndham cases are many of the strands of the federal government's net of cybersecurity guidance.

While this federal oversight is growing, holes exist in the coverage, so it may be difficult to piece together a compliance program for your organization from these federal regulations alone. Industries not specifically covered by a federal law should look to state laws and NIST's Cybersecurity Framework …

Source: https://www.jdsupra.com/legalnews/analyzing-the-impact-of-the-many-new-8487673/