Top 5 Privacy and Cyber Regulations and Why They Should Concern Risk Managers
Europe’s GDPR isn’t the only privacy or cyber regulation that has changed how cyber risks are mitigated. Here are five cyber- and privacy-related changes risk managers should keep on their radar as legal and governing bodies continue to adapt to the growing digital age.
1) The EU General Data Protection Regulation (GDPR)
Considered the world’s strictest set of data protection rules, GDPR went into effect May 25, 2018, with the purpose of upgrading the European Union laws that protect personal data and creating more transparency from any organization that communicates with citizens in the EU.
GDPR protects data security by obligating businesses to appoint a Data Protection Officer; implement technical and administrative measures for data security and be held legally accountable for compliance; deploy data protection impact assessments; and report any security breach to authorities within 72 hours, while communicating risks to individuals whose data might have been lost.
Organizations that fail to comply may be subject to harsh financial penalties — up to 4 percent of annual global sales.
2) California Consumer Privacy Act (CCPA)
California’s AB 375, or the Consumer Privacy Act, was passed with lightning speed this past year and will be implemented in January 2020.
The law gives consumers the right to find out who has access to their personal data. Consumers can stop their data from being sold or transferred to third parties through an opt-out function that must be prominently posted, or they can request that companies delete their data. While experts anticipate that the law will undergo changes before it’s put into effect, it remains the nation’s most far-reaching consumer privacy and security law.
3) SEC Guidance
Released in response to a raft of recent massive data breaches and security incidents, the U.S. Securities and Exchange Commission’s 2018 guidance focuses on cyber security policies and procedures that cover incident response, disclosure and more robust and integrated risk management programs.
Though it’s not regulation per se, it indicates that increased oversight from the agency could be coming soon, with the exponential increase in financial sector breaches and investors seeking assurances of risk awareness from public companies. In the meantime, the guidance serves as an important roadmap for assessing and addressing key security, privacy, data integrity and regulatory compliance issues.
4) New York State Department of Financial Services 23 NYCRR Part 500
New York’s Cybersecurity Regulation (23 NYCRR Part 500) went into effect in 2017, and covered entities are required to be in complete compliance by March 1, 2019.
The regulations apply to financial institutions — banking, insurance and financial services — with the aim of protecting customer data from criminal cyber attacks.
The regulations stipulate that companies conduct regular security risk assessments, maintain audit trails of asset use, create defensive infrastructure, develop cyber security policies and procedures and maintain an incident response plan.
5) Changing State Regulations
With New York taking the lead on cyber security for its state financial institutions, it’s only a matter of time until other states follow suit.
In the absence of strong federal law, states are proposing a number of measures to improve security infrastructure, encourage best security practices and implement better measures for consumer privacy, in both the private and public sectors.
Cyber security legislation was introduced in 35 states plus D.C. and Puerto Rico so far in 2018. At least 22 states have enacted 51 cyber security bills in the same period.