Cybersecurity law is one of those responsibilities that come up in an organization when it’s too late. It’s often a data breach or a failure to comply with a regulation that causes an organization to investigate whether cybersecurity law is something their security department has prioritized. At that point, it’s often too late to ask the question.
However, minimizing the legal risk that can come from a failure to maintain proper cybersecurity standards is very important but requires a bit of a different approach and an awareness of cybersecurity law.
To get a better sense of how your organization can be equipped to tackle cybersecurity law, we spoke to Stephen Black, professor of law at the Texas Tech School of Law for his advice.
What Cybersecurity Laws Do I Need to Be Aware Of?
Unfortunately, it’s difficult to identify the exact laws and standards every company needs to abide by or comply with, especially as businesses become more globalized, and
decentralized. Industry, type of business, and location are factors that play into what laws and compliance standards an organization needs to be aware of.
“Cybersecurity law is a moving target. The technology and issues we’re being confronted with are still so new that laws are really just trying to catch up.” - Black
The entities, organizations, and governments all focus on cybersecurity in different ways, making it hard to get a sense of how to comply with a wide variety of standards and regulations.
However, a good starting point is to get a baseline understanding of whether or not your organization falls under one of the major industry-specific cybersecurity regulations. Here’s a short list.
- HIPAA - Healthcare
- FINRA - Finance
- PCI DSS - Retail (and other credit-card processing companies)
- FERPA - Education
There are also new regulations you should be aware of. This includes:
GDPR - a strict data privacy regulation, which extend to any companies that has employees or customers in the EU.
The 23 NYCRR Part 500 (NYDFS) - a cybersecurity regulation applying to any organization regulated by the Department of Financial Services, a New York State department.
CCPA - The California Consumer Privacy Act, a new regulation that is set to come into effect in 2020. While it only applies to California residents, the regulation is strict and broad-reaching enough that it may affect how companies in the US approach data privacy and protection for all their customers, not just those in California.
Lastly, there is the National Institute of Standards and Technology (NIST). While they aren’t a regulatory agency, they publish ongoing guidance regarding cybersecurity. As a result, many regulatory bodies rely on NIST’s guidelines for their own standards.
This is just a starting point for most organizations. Understanding what and how to comply with various standards and regulations can be an arduous task, especially if your organization operates nationwide, globally, or across multiple industries. As Black puts it, that makes it “fun and horribly complicated at the same time.”
However, when it comes to cybersecurity law, it’s never too late to start.
Approaching Cybersecurity Law in Your Organization
Black advises approaching cybersecurity law as one would approach most cybersecurity initiatives. First, take an audit of what is valuable to the organization (assets, information, IP, etc) and what steps or processes are in place to protect that.
Next, the single most important question to ask is, “which of these steps or processes have legal ramifications?”
Understanding the above requires some effort so as you’re auditing your organization for the purposes of cybersecurity law, think through the following:
- How does your organization interact with the public, your partners, and your third-parties?
- What data is being collected or exchanged?
- What legal process(es) do you need to be aware of?
- Is data being collected regarding a class of individuals that have specific protections? This can extend to classes of individuals like minors or people from a territory with a robust legal enforcement in place (such as the EU or China.)
- Where is the organization doing business? Part of this process requires doing a jurisdiction by jurisdiction law categorization. This will help you understand what your organization needs to comply with.
This process isn’t easy so Black advises you to speak to your organization’s in-house counsel or reach out to cyber law consultants who will help you audit your organization for the purposes of cybersecurity law. They can also help you understand any potential consequences of an organization’s business decisions.
Black encourages conducting ongoing research and information-gathering. Identify blogs, resources, and information hubs (if you’re reading Infosec Insider, you’re already doing something right!) that speak to these topics and are relevant to your organization. A good source Black identifies is the American Bar Association, which has a section dedicated to cybersecurity.
When to Prioritize Cybersecurity Law
As an organization grows, it may find itself needing to comply with new standards. Black recalls how one of his clients wanted to go nationwide. The company then needed to comply with the regulations and standards of 50 states and countless more counties. That kind of overhead could easily overload an organization’s resources.
If an organization is looking to merge or acquire another company, Black advises companies to prioritize cybersecurity as part of their due diligence. By focusing on cybersecurity law during the M&A process, you can find a undetected or undisclosed vulnerability and save you from a potentially nasty surprise.
The recent Marriot-Starwood data breach, resulting in nearly 400M exposed records, including passport numbers, is a perfect example of how cybersecurity risk can have major consequences. Marriot acquired Starwood Hotels & Resorts Worldwide on 2016 but the hack occurred in 2014. It’s unclear how much cybersecurity due diligence Marriot carried out, but the knowledge of such a large data breach could have affected the deal’s specifics.
Ongoing Cybersecurity Law
Black notes that keeping compliant with all the different standards and regulations set forth by different organizations and jurisdictions requires a balance.
“To do everything we’ve talked about, takes time and money”, Black affirms, so it’s important for you and your department to take a look at your resources and budget as part of this process.
It’s also important to stay on top of new trends in order to be proactive and ahead of the regulatory and compliance bodies. Right now the focus is on data policy and privacy and how that corresponds to trust and company perception (as evidenced by the scrutiny of major companies like Google and Facebook.)
Black notes that as technology such as AI and machine learning become mass adopted, regulatory scrutiny could shift again. Again, here’s where ongoing research and information gathering can pay off to help an organization be proactive.
Most importantly, Black emphasizes that focusing on cybersecurity law doesn’t require effort independent from what’s often required from your department. He sums it up quite nicely.
“Cybersecurity is about basic principles. Start doing what you can do today. When [organizations] start thinking about security and how to make things a little safer, protecting and preventing access, and then ask ‘Who is regulating this and where are we doing business?’, then this all becomes much easier.”