Originally appeared in Legaltech News, October 2021: https://www.law.com/legaltechnews/2021/10/20/evaluating-the-new-rules-of-cybersecurity/
The U.S. doesn’t have a single federal cybersecurity law, but that doesn’t mean there is no cybersecurity industry standard. There are regulations, case law, guidelines and state laws that, when combined, create an industry standard applicable to almost all business sectors. Specifically, if you receive, collect or hold data in an enumerated industry or sector, your business must have an information security program in place. Many of the existing laws apply to publicly traded companies and to the banking, health care, financial and insurance sectors. Third-party vendors, including law firms, are specifically enumerated in many state statutes. Nevada even has a relatively new statute that covers casinos. The combination of these new state statutes and federal guidelines provides a patchwork of compliance obligations.
There are several laws, regulations and even cases that have cybersecurity and data privacy implications for publicly traded companies and specific sectors. Sarbanes-Oxley (15 U.S. Code Chapter 98), the SEC’s Privacy of Consumer Financial Information and Safeguarding Personal Information rules (Regulation S-P, 17 CFR Part 248, including Rule 30), the Gramm-Leach-Bliley Safeguards Rule (16 CFR Part 314) and Privacy Rule (16 CFR Part 313), the Health Insurance Portability and Accountability Act (Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996), Section 5 of the FTC Act (15 U.S.C. § 45(a)(1)), the NIST Cybersecurity Framework and the Wyndham cases (see, most recently, FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)) are old news as far as cybersecurity guidance and regulation go.
NIST Privacy Framework
In 2020, the National Institute of Standards and Technology issued the first federal guidelines for privacy: the NIST Privacy Framework (see https://www.nist.gov/privacy-framework). The new framework is a voluntary tool designed to improve privacy through enterprise-wide risk management. It overlaps and works in tandem with the NIST Cybersecurity Framework, and together these risk management frameworks are effectively the equivalent of an industry standard for data protection and information security. However, because they are only guidelines, states are stepping into the role of enforcer.
New Statutes and Regulations
Since 2019, 24 states have passed a statute or regulation pertaining to information security or data protection. Many of these new laws are being passed in the name of data protection or data security, as opposed to cybersecurity. So it is important to recognize that when a statute or regulation mandates the creation of an information security program, information security training, breach notification requirements and/or lays out information security requirements for third-party service providers, it is effectively a cybersecurity law.
The sector that has been most successful at getting such laws passed is the insurance field. In 2017, the National Association of Insurance Commissioners (NAIC) finalized its Insurance Data Security Model Law. Eleven states, thus far, have enacted some version of this law, including Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina and Virginia. New York State passed the SHIELD Act, whose data security requirements went into effect in March of 2020. Additionally, New York’s Department of Financial Services has rolled out a cybersecurity regulation (23 NYCRR Part 500) for the banking, financial services and insurance sectors. The insurance industry was also front and center at the White House cybersecurity summit in August 2021.
All these efforts require licensed entities to certify their cybersecurity program’s compliance on an annual basis. Certifications are due in February, March and April of each year, depending on the state. Expect more of these laws to be passed in the next 24 months. A sample of the language in the Virginia Insurance Data Security Act – Virginia H.B. 1334, 2020 – reads as follows:
“§ 38.2-623. Information security program.
Commensurate with the size and complexity of the licensee; the nature and scope of the licensee’s activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s assessment of the licensee’s risk and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system. . . .”
These acts often mandate information security training, secure disposal of data, written incident response plans and/or breach notification requirements. (See the NAIC Insurance Data Security Model Law.)
By now, most data protection, privacy and cybersecurity experts are aware of the proliferation of California’s laws in this area. Since 2018, California has passed a series of data protection laws: the California Consumer Privacy Act of 2018 (California A.B. 375, as amended by S.B. 1121) and three further amendments (AB-874 [personal information definition], AB-1355 [technical amendments] and AB-1564 [toll-free number alternative]), the Data Broker Registration Statute (which regulates the sale of personal information) and the California Privacy Rights Act of 2020 (which added third-party service provider requirements) (California Prop. 24). This web of laws and regulations applies to so many businesses that it effectively reaches businesses across the nation.
While most of these state laws and regulations require businesses to have information security programs, the standard for what those programs should entail is outlined in the NIST Cybersecurity Framework and the NIST Privacy Framework. Together, those frameworks make up the industry standard for data protection, cybersecurity and risk management. NIST is very good about creating easy-to-understand guides, such as its Special Publication 1271, Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide. An easier way to meet these risk management and compliance requirements is to hire a cybersecurity expert to help you build an information security program that follows the recommended guidelines.
Kenya Parrish-Dixon is the general counsel and COO of Empire Technologies Risk Management Group, a cybersecurity, information governance, eDiscovery and managed review company.