To help defend against cyber threats and safeguard data, organizations must adhere to various laws and regulations issued by federal, state, and other regulatory bodies. Penalties for noncompliance can range widely, from fines to criminal charges.
Additionally, adjacent regulatory bodies and industry groups issue mandatory and voluntary cybersecurity standards, guidelines, and policies aimed at organizations to bolster cybersecurity and improve mitigation.
In the following sections, we cover key cybersecurity laws and regulations, and several guidelines that are essential for organizations to know.
Laws & Regulations
Laws are enacted by legislative bodies and signed by executive leaders, while regulations are detailed rules authorized by laws and issued by governmental or regulatory agencies. Adherence is mandatory for individuals and organizations to ensure compliance with legal standards and avoid penalties.
Here are some of the most significant:
Federal Trade Commission Act, 1914
Section 5 of the Federal Trade Commission Act, 1914 (the Act) prohibits unfair or deceptive actions in the marketplace and has been instrumental in the development of U.S. cybersecurity legislation.
While the Act doesn't address cybersecurity per se, the Federal Trade Commission (FTC) has interpreted its mandate to include protecting consumers’ personal data: failing to safeguard it, or misrepresenting the level of security provided, can constitute an unfair or deceptive business practice.
In support of this approach, the FTC also publishes cybersecurity best-practice resources, including Cybersecurity for Small Business, Data Breach Response: A Guide for Business, and guidance on complying with the Children’s Online Privacy Protection Act (COPPA).
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a well-known law establishing U.S. standards for protecting health information held or processed by covered entities, such as health plans and healthcare providers, and their business associates.
The Privacy Rule, a key component of HIPAA, outlines requirements for protecting individuals' medical records and other Protected Health Information (PHI). The Security Rule, also part of the statute, complements the Privacy Rule by setting standards for securing electronic PHI (ePHI).
GLBA
The Financial Privacy Rule and Safeguards Rule of the Gramm-Leach-Bliley Act of 1999 (GLBA) regulate, in part, the collection and handling of consumer financial information by financial institutions. Any organization that collects or stores financial data must comply with this law.
Importantly, “financial information” can include Personally Identifiable Information (PII), such as names, addresses, and Social Security numbers, in addition to information more financial in nature, such as financial transactions, bank account information, and credit reports.
The rules mandate the implementation of comprehensive information security programs that include “administrative, technical, and physical safeguards” to secure sensitive data against unauthorized access or cyber threats. As such, the GLBA plays a crucial role in shaping financial institutions' cybersecurity strategies and practices.
SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
The Securities and Exchange Commission (SEC) recently finalized rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure for public companies (the Rule).
The Rule requires companies to annually disclose their cybersecurity measures and potential risks, ensure board and management involvement in evaluating and managing cybersecurity threats, and report material cyber incidents.
Reporting requirements such as determining materiality, adhering to a four-day reporting window, and disclosing third-party material events are likely to make compliance challenging, at least in the near term as companies develop the necessary processes and controls to ensure accurate and timely disclosure.
GDPR
The European Union’s General Data Protection Regulation of 2018 (GDPR) is a detailed data protection law that empowers individuals with control over their personal information. Covered individuals encompass a broad group, including residents of the European Union (EU) and European Economic Area (EEA) and, under certain circumstances, EU and EEA citizens living abroad.
Organizations handling and processing personal data must adhere to stringent requirements, such as disclosing their data collection, storage, and usage practices, keeping data only for as long as necessary, and instituting protocols for data breach response.
NIST 800-53
The National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53), which Federal Information Processing Standards (FIPS) Publication 200 requires federal agencies to use, is a catalog of security and privacy controls aimed at governmental agencies to help them comply with the Federal Information Security Modernization Act of 2014 (FISMA), an update of the Federal Information Security Management Act of 2002.
NIST 800-53 provisions include security measures to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Separate directives are provided for governmental agencies and organizations related to national security.
U.S. State Legislation
Within the U.S., most states have enacted some form of cybersecurity legislation, though laws can vary widely in definition and scope. That said, they often focus on protecting personal information, implementing security measures, and requiring notification of data breaches. Here are a few states with cybersecurity legislation:
- California. The California Consumer Privacy Act (CCPA), one of the more comprehensive state-level cybersecurity and privacy laws in the U.S., safeguards California residents’ personal information. It requires businesses to allow consumers to access, manage, and control their information. Similar to the GDPR, the CCPA covers all organizations that interact with California residents and entities, not just those located in the state.
- Other states with comprehensive protections include New York, Massachusetts, and Virginia.
23 NYCRR 500
In November 2023, the New York Department of Financial Services (NYDFS) released updates to 23 NYCRR 500, which regulates the management of sensitive data by financial institutions operating under NYDFS jurisdiction. The regulation requires measures such as access controls, routine penetration testing, risk evaluations, and incident response planning to mitigate data breach risks.
Cybersecurity Executive Order
The Executive Order on Improving the Nation’s Cybersecurity, signed by President Biden in 2021, is designed to strengthen the U.S.’s cybersecurity posture in response to increasing cyber threats and incidents. Those incidents included the SolarWinds Orion software supply chain attack, the Microsoft Exchange Server intrusions, and the Colonial Pipeline ransomware attack.
The executive order outlines a series of initiatives and standards to enhance the security of federal networks, improve information sharing between the government and the private sector, and bolster the country's overall cyber defense.
Standards & Guidelines
When standards and guidelines are legally binding, they must be followed by organizations within their scope. Other voluntary provisions reflect best practices. Organizations are encouraged, though not required, to adhere to them.
Here are some of the most common cybersecurity standards and guidelines to be familiar with:
PCI DSS
Merchants and service providers that handle, transmit, or store cardholder information must comply with the Payment Card Industry Data Security Standard (PCI DSS), which encompasses operational and technical cybersecurity protocols and mandates restricting access to data.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework includes guidelines and best practices for several industries, including financial services, healthcare, energy and utilities, retail, and more. Provisions cover methodologies for reducing cyber crime exposure and enhancing communication about cybersecurity risk management. Adherence is voluntary. The framework also addresses the role of corporate governance and supply chain partners in an organization’s cybersecurity posture.
CMMC
Introduced in 2020 and revised in 2021 as CMMC 2.0, the Cybersecurity Maturity Model Certification (CMMC) employs a three-tier system to map an organization's cybersecurity maturity and ensure the security of controlled unclassified information (CUI). Notably, starting in 2025, any company working with the U.S. Department of Defense (DoD) must obtain this certification.
ISO 27001
ISO 27001, issued by the International Organization for Standardization, provides an international framework for creating, implementing, managing, monitoring, evaluating, preserving, and enhancing information security management systems (ISMS). To obtain optional certification, organizations must undergo an audit conducted by an accredited certification body.
SOC 2
The American Institute of CPAs (AICPA) designed the System and Organization Controls (SOC) 2 as an audit procedure to evaluate a company's security, availability, processing integrity, confidentiality, and privacy measures for handling user data. Obtaining SOC 2 certification involves an assessment by a Certified Public Accountant (CPA). Though certification is optional, it demonstrates adherence to stringent data security standards and can be a competitive advantage for attracting clients.
Next Steps in Strengthening Your Cybersecurity Posture
When compliance and cybersecurity are approached as a cohesive strategy, the benefits extend beyond simple adherence to regulations. Adopting a more holistic cybersecurity framework that includes legal mandates and best practices strengthens an organization's resilience in the face of the constantly growing spectrum and incidence of cyber threats.
Navigating the complexities of cybersecurity and compliance, however, and the array of tools available, might seem overwhelming.
That’s where Cybersafe can make a difference. Partnering with a seasoned cybersecurity provider can streamline the process and optimize your organization’s overall security infrastructure, making it resilient against evolving cyber threats, and compliance aligned.
Cybersafe is a leading MSSP providing unmatched continuous monitoring, risk assessment, and incident response. For more about how to bolster your cybersecurity posture with our services, schedule a consultation or contact us today.