The federal government is trying to find as many ways as possible to handle the cybersecurity crisis facing the United States. While it is unlikely that Congress will pass a comprehensive federal cybersecurity law, the Executive Branch and its many agencies are issuing directives and guidelines with far-reaching impacts for the private sector. Additionally, states across the nation are passing their own data protection and cybersecurity laws with whiplash speed. The U.S. doesn’t have a federal cybersecurity law, but the new regulatory and state landscape is changing the way companies do business. This basketweave of new laws provides a boost to existing cybersecurity guidelines. However, the industry standard for almost all organizations is the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Privacy Framework.
There are new federal regulations, directives and guidelines, as well as new case law, industry-specific guidelines and new state laws, that, when taken together, form an industry standard applicable to almost all business sectors. The end result is that if you receive, collect or hold data in an enumerated industry or sector, or collect client data, your business must have an information security program in place.