From GDPR to CCPA – Staying Ahead of the Curve in a Rapidly Changing Regulatory Landscape
In 1986, the United States enacted a vital piece of legislation known as the Computer Fraud and Abuse Act (CFAA) to address a rise in computer-related crimes. CFAA made many computer-based offenses illegal, including hacking, computer trespassing, unauthorized access to computers and computer networks, and using computers to commit fraud or access national security information.
As cybercrime has evolved, the law has been amended to address more recent illegal activities, including trafficking passwords and access codes, distributing malicious code, and denial-of-service attacks. Countries worldwide have followed suit, enacting laws and regulations to protect computer systems and personal information from cyberattacks.
Despite the laws and threats of prosecution, the number of criminal empires and individual hackers has skyrocketed, with security experts estimating an attack happens every 11 seconds. Companies that provide essential services, financial products, or critical infrastructure, such as Colonial Pipeline, Capital One, and CNA Financial Corp, are too big and too public to avoid publicly reporting cyber incidents, but about 85% of cybercrimes go unreported, according to the US Department of Justice.
That happens for a multitude of reasons. Some companies may honestly be unaware of the occurrence. Others, like Uber, knowingly covered up incidents, believing that paying the ransom would cost less than all the expenses associated with an investigation and public backlash. They may fear reputational damage, loss of trust from customers and investors, and legal action if found to be negligent, or they might feel that keeping the incident quiet will avoid exposing trade secrets.
While acknowledging a cyber incident can help prevent further damage, identify the source of the attack, and provide security experts with insights into how to prevent future attacks, many companies choose not to. That situation has led numerous countries to decide that they must implement additional regulations.
How to Comply With Regulations
Across the world, cyber security and data protection regulations share similarities, but there are also crucial differences. For example, the GDPR applies to companies that handle the personal data of EU citizens regardless of the companies’ location, whereas the CCPA/CPRA only applies to companies that conduct business in California. Some regulations cover all personal data, while others only protect personal information used for commercial purposes.
Regardless of the different frameworks and laws in place, companies and service providers need to remain compliant and can do so responsibly by focusing on a few key strategies and processes.
Know the regulations
Ignorance is not an excuse any government, investor, or customer will accept. Businesses need to invest time and resources into becoming familiar with the regulations where they reside and any others pertaining to their customers’ locations. Organizations may also need to comply with industry-specific security and protection frameworks such as the US’s HIPAA for the healthcare sector or NERC-CIP for the utility and power sectors.
For businesses with fewer resources, working with security consultants and lawyers could be the best way to fully understand these frameworks and their impacts on infrastructure and data protection.
Perform an audit
An audit can provide valuable insights into a company’s risks and security posture by identifying vulnerabilities and weaknesses in its network and application security, data protection, and access controls. It can also help them assess their compliance with cybersecurity laws and regulations and evaluate their incident response plans and capabilities to determine how well the company can detect, respond to, and recover from cyber incidents.
The audit should result in actionable recommendations, such as which tools should be added and which security controls, policies, and procedures should be implemented or fine-tuned to harden security and reduce risk.
Select the proper tools and processes
Since regulations are tech-agnostic, businesses can choose the solution providers they prefer. Every company should use firewalls, antivirus, and anti-malware software. Security information and event management (SIEM) systems can be incredibly helpful as they monitor network traffic and log data, detect security incidents, and automate threat response.
One of the most valuable compliance solutions is a managed security operations center (SOC) that melds technological tools with best-practice processes and a team of analysts, threat hunters, and other security specialists. A SOC addresses every angle of security by providing 24/7 continuous monitoring, threat detection, digital forensics and incident response services, log analysis, vulnerability management, and threat intelligence. It also provides compliance monitoring and reporting, which together help companies avoid penalties, proactively protect systems, and demonstrate their commitment to cybersecurity.
Depending on industry regulations, companies can also turn to vulnerability scanning and penetration testing, data loss prevention (DLP) systems, access control and identity management systems, and encryption technologies to remain compliant.
An Overview of Current Cybersecurity and Data Protection Regulations
While the below table isn’t comprehensive, it should provide some insights and direction for companies.
| Region | Year | Regulation | Applies to | What it covers |
|---|---|---|---|---|
| European Union | 2016 | GDPR – General Data Protection Regulation | Any business established in the EU or business that collects and stores EU citizens’ private data | 99 articles related to consumer data access rights, data protection policies, data breach notification requirements and more |
| United States | 2014 | FISMA – Federal Information Security Management Act | US federal agencies | Requires federal agencies and third-party vendors to inventory digital assets and identify integrations between networks and systems |
| United States | 2011 | FedRAMP – Federal Risk and Authorization Management Program | US federal agencies that use cloud services provided by commercial and non-profit organizations | A wide range of security controls, including access control, incident response, configuration management, vulnerability scanning and more, for cloud service providers that offer services to federal agencies |
| United States | 1996 | HIPAA – Health Insurance Portability and Accountability Act | Healthcare organizations | Requires controls for protecting and securing the privacy of electronic health information |
| United States | 1999 | GLBA – Gramm-Leach-Bliley Act | Financial institutions | Requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data |
| United States | 2018 | CCPA | Consumers residing in California | Regulates the protection of California residents’ personal data |
| United States | 2022 | SEC Cyber Disclosure | All public companies and foreign private issuers | Requires public companies to report material cybersecurity incidents within four business days after determining that an event has occurred |
| United Kingdom | 2018 | Data Protection Act | Professional or commercial organizations that handle personal data within the UK | Controls how personal information is used by organizations, businesses or the government |
| United Kingdom | 2018 | NIS Regulations – Network and Information Systems Regulations | Operators of essential services (OES) and digital service providers (DSPs) that provide services in the UK | Overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of digital services and essential services |
| China | 2017 | Cybersecurity Law | All network operators in China | Establishes a cybersecurity review mechanism for network products and services that may put China’s national security at risk |
| Australia | 1988 | Privacy Act | Government agencies and private sector organizations with an annual turnover of $3 million or more | Protects the handling of personal information about individuals, including the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector |
| Singapore | 2013 | PDPA – Personal Data Protection Act | All electronic and non-electronic communications involving the collection, processing or transfer of data within Singapore, regardless of whether the company is physically in Singapore | Personal data stored in electronic and non-electronic formats |
| Canada | 2004 | PIPEDA – Personal Information Protection and Electronic Documents Act | All Canadian businesses and foreign businesses that have some connection with Canada | How private organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada, and the personal information of employees of federally regulated businesses |
| Germany | 2021 | KRITIS | Organizations and facilities related to critical infrastructures | Requires organizations in the critical infrastructure sector to take appropriate security measures to protect against cyber threats and to report significant incidents to the relevant authorities |
| Global | 2006 | PCI DSS – Payment Card Industry Data Security Standard | All entities involved in card payment processing, including merchants, processors, acquirers, issuers, and service providers | All technical and operational system components included in or connected to cardholder data |
| United States | 2002 | SOX – Sarbanes-Oxley Act | Publicly traded U.S. companies and their auditors | Protects investors from fraudulent financial reporting by corporations |
Simply put, a SOC monitors log data to keep an organization’s compliance in check. Each organization should configure its logging to satisfy the regulatory requirements that apply to it. Once the logs are forwarded to a SIEM, the SOC monitors them and writes rules that flag activity which does not comply with those requirements.
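As an added illustration (not code from the original article), the following Python sketch shows what two such SIEM-style rules look like when run over constructed sample log lines, plus a helper that turns the SEC rule quoted in the table above (report within four business days of determining an incident is material) into a concrete deadline. The log format, the `APPROVED_READERS` allow-list and the threshold are assumptions made for the example; public holidays are ignored in the deadline calculation.

```python
import re
from datetime import date, timedelta

# Constructed sample log lines (not real data) in a simple "timestamp key=value ..." format.
SAMPLE_LOGS = [
    "2024-03-04T09:00:01 event=login result=fail user=alice src=10.0.0.5",
    "2024-03-04T09:00:03 event=login result=fail user=alice src=10.0.0.5",
    "2024-03-04T09:00:05 event=login result=fail user=alice src=10.0.0.5",
    "2024-03-04T09:00:09 event=login result=success user=alice src=10.0.0.5",
    "2024-03-04T09:15:00 event=db_read table=patient_records user=bob",
    "2024-03-04T09:16:00 event=db_read table=patient_records user=svc_backup",
]

# Hypothetical allow-list: accounts approved to read a regulated data store
# (e.g. health records under HIPAA). Anything else is a compliance finding.
APPROVED_READERS = {"patient_records": {"bob"}}
FAILED_LOGIN_THRESHOLD = 3  # assumed rule parameter


def parse(line):
    """Turn 'ts key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = ts
    return fields


def evaluate(lines):
    """Apply two example rules and return (rule_name, detail) findings in log order."""
    findings, failures = [], {}
    for ev in map(parse, lines):
        if ev.get("event") == "login" and ev.get("result") == "fail":
            # Rule 1: repeated failed logins for one account (fires once, at the threshold).
            failures[ev["user"]] = failures.get(ev["user"], 0) + 1
            if failures[ev["user"]] == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated_failed_logins", ev["user"]))
        elif ev.get("event") == "db_read":
            # Rule 2: read of a regulated table by an account not on the allow-list.
            if ev["user"] not in APPROVED_READERS.get(ev["table"], set()):
                findings.append(("unapproved_regulated_read", f'{ev["user"]}:{ev["table"]}'))
    return findings


def sec_disclosure_deadline(determined_iso, business_days=4):
    """Return the ISO date 'business_days' weekdays after the materiality determination."""
    d = date.fromisoformat(determined_iso)
    while business_days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday count; weekends do not
            business_days -= 1
    return d.isoformat()
```

In a real deployment the findings would be routed to the SOC's ticketing and reporting workflow so the disclosure clock starts from a documented determination date.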
That’s just a handful of examples of the many regulations companies must comply with in today’s digital landscape. Understanding the key provisions and implementing the appropriate protection measures, such as setting minimum security standards and requiring incident reporting, are now part of the newest requirements from regulators worldwide looking to minimize the impact of cyberattacks.
New regulations, such as CIRCIA in the US, are constantly being drafted and approved. Numerous countries, including Singapore, are starting to encourage businesses to engage with only licensed cybersecurity service providers. There is an increased understanding that having a service provider assist with keeping businesses up to date on compliance matters simplifies the compliance process and ensures organizations are aware of the latest changes to regulations.