The European General Data Protection Regulation (GDPR) might be ushering in a new age of cyber regulations. In establishing parameters for how customer’s sensitive information should be protected and communication standards for communicating a breach, the GDPR has raised the level of awareness of cyber laws and protecting personal information.
It has also sparked similar laws at the state level in the U.S. New York and California have both written into law cybersecurity measures that may be used as a template for other states or even broader initiatives to regulate the protection of digital information. The following provides a closer look at what the GDPR, California, and New York’s laws entail and their potential for broader application.
What the U.S. Could Take from the GDPR
Countries in the European Union (EU) adopted the GDPR on May 25, 2018. At its core is a philosophical difference between the EU and the United States, namely that privacy, including ePrivacy, is a fundamental right that merits legal protection.
The legal right to privacy means that the GDPR takes information security a step further than traditional U.S. information security practices. For example, the GDPR includes a provision on the “right of portability” whereby a customer can ask for an organization to essentially return the customer’s information and then purge his or her information from the organization’s records.
U.S. information security regulations have not traditionally been comprehensive. Industries that deal with the most sensitive types of information—health care entities, financial institutions, and federal agencies—have their own requirements to follow. The 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leah-Bliley Act, and the 2002 Federal Information Security Management Act (FISMA) address the unique risk factors posed to their respective sectors and have extensive requirements for companies within those sectors to follow.
Industry-agnostic cybersecurity federal laws have been limited to information sharing or voluntary public-private partnerships to increase cybersecurity awareness. It will be interesting to see whether the GDPR leads to a national, comprehensive approach to enforcing information security standards within the U.S. Companies should monitor for legislative developments, although for the time being, it appears Congress has other higher priority issues on its agenda.
What California Took from the GDPR
The U.S. may be slower to respond at the federal level to the GDPR, but California has already issued its response. In 2018, it passed a digital privacy law that allows individuals based in California to have more control over the information that companies collect from them. It specifically addresses the portability issue by allowing an individual to ask that companies delete his or her information as well as restrict a company’s ability to sell or provide the individual’s information to other companies. The law goes into effect in January 2020 and is expected to undergo some revisions before then.
New York Financial Institution Regulations
A few years ago, New York passed its own cybersecurity requirements for financial institutions, the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). The NYCRR 500 were released Feb. 16, 2017, and require financial institutions based in the state to have key components to their cybersecurity regulations, including:
- A formal cybersecurity program and policy
- A chief information security officer
- Regular penetration testing and vulnerability assessments
- A cybersecurity audit trail
- Access privileges requirements
- Application security measures
- Cybersecurity personnel and intelligence
- A formal third party service provider security policy
- Multifactor authentication for network access
- Limitations on data retention
- Ongoing training and monitoring
- Encryption of nonpublic information
- An incident response plan
- Confidentiality measures
Companies subject to 23 NYCRR 500 were permitted to implement changes to their cybersecurity program in phases with all of the provisions required to be in place by March 1, 2019.
Although designed for financial institutions, the fundamental requirements apply generally to every industry, and include best practices for information security. Companies may want to adjust their cybersecurity strategy to incorporate these core provisions.
Next Steps for Businesses
Comprehensive change may be a ways off, but the tide has shifted toward more complete cybersecurity regulations. Whether it comes at the state or federal level, the time may soon arrive where a robust information security program and controls over customer’s personally identifiable information are requirements. Businesses will need to work with their information security and internal audit teams to ensure they are prepared to address key privacy and information security risks.
For more information about what changes may need to be made to your organization’s approach to cybersecurity, please contact us.
Published on March 22, 2019