Year in Review: 2018’s Biggest Cybersecurity Compliance Issues
Compliance. Just hearing the word may make you want to shudder. And for good reason: Being compliant with cybersecurity and data privacy regulations can be a huge hassle for organizations. Unfortunately, the effort did not get any easier for your Chief Compliance Officer and their team in 2018. Over the past year, there has been a significant increase in the amount of legislation and regulation directed at cybersecurity and data privacy.
Tracking this ever-evolving legal and regulatory landscape can be a daunting task. When it’s easier to keep up with the Kardashians than it is to keep up with cyber regulations, you know you have a real challenge on hand. Fortunately, we’ve got you covered. Here are some of the biggest compliance issues from 2018.
General Data Protection Regulation (GDPR)
This is the new big kahuna of cyber compliance — the kind of regulation that keeps your CISO, and your soon-to-hire Data Privacy Officer, up at night. The General Data Protection Regulation (GDPR) went into effect in May. GDPR has been called “the most important change in data privacy regulation in 20 years.” And the hyperbole is justified. This regulation is radically reshaping the way data is handled across every industry.
The GDPR is designed to protect the privacy and personal data of European Union (EU) citizens. GDPR sets strict rules for how companies collect and store all kinds of customer data. While GDPR is a European Union regulation, its authority extends beyond its continental borders. It doesn’t matter where your organization is physically headquartered; if your company is collecting information on EU citizens, it is required to comply with GDPR.
Perhaps the most notable aspect of GDPR is its penalties. Simply put, the fines for being in noncompliance with GDPR are astoundingly high. Businesses found in violation of this regulation can be fined up to €20 million or 4 percent of global revenues, whichever is higher. This is the kind of fine that can potentially bankrupt a business — making compliance with this regulation a high priority for any organization.
California Consumer Privacy Act (CCPA)
The California State Legislature passed A.B. 375, better known as the California Consumer Privacy Act (CCPA), in June. CCPA is designed to give consumers increased control over their data. The act requires private industry to reveal what information they are collecting from their customers. CCPA allows customers to opt out of having their personal information sold to third parties. Additionally, the legislation mandates that businesses establish “reasonable security measures” to safeguard a Californian’s personal information. The act will go into effect on January 1, 2020.
Some experts have referred to CCPA as a “mini GDPR.” While not quite as strict as GDPR, it is the toughest data privacy law in the United States to date — with penalties that could climb into the seven-figure range. But perhaps more importantly, it signals that lawmakers are starting to crack down on companies that fail to secure their customers’ digital information.
California IoT law
This was the second major data privacy law coming out of California this year. In September, California Governor Jerry Brown signed SB 327 into law, which governs the so-called “internet of things” (IoT) — the ever-growing number of internet-connected devices. The law requires that the manufacturer of any IoT device must make sure each device is equipped with “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
California is now the first U.S. state to enact an IoT law, but it likely won’t be the last. Historically, when it comes to laws and regulations, California has been a bellwether state. What happens in California surely doesn’t stay in California. Laws and regulations that are pioneered in the Golden State soon spread to other states. We have already started to see this trend with the state-by-state push for better breach notification laws. But SB 327 and the CCPA have raised the bar for U.S. data privacy legislation; organizations should expect to see stricter domestic cyber regulations in the future.
NYDFS Cybersecurity Regulation
Although NYDFS’s Cybersecurity Regulation (23 NYCRR 500) was passed in 2017, many of the compliance requirements had deadlines that needed to be met in 2018. This is the first regulation in the United States requiring cybersecurity policies and protections from financial institutions—such as state-chartered banks, licensed lenders, and mortgage and insurance companies—doing business in New York State (as well as any third parties doing business with or supporting such financial institutions). Among other things, the NYDFS cybersecurity regulation mandates that these financial institutions: 1) adopt a robust cybersecurity program; 2) designate a Chief Information Security Officer (CISO); and 3) create an ongoing reporting system for cyber incidents.
Because 23 NYCRR 500 has a phased approach to compliance, there are a lot of deadlines to stay on top of. All affected entities are required to be in compliance with all parts of the regulation as of March 2019.
FDA Medical Device Cybersecurity Guidance
A few years ago, former Vice President Dick Cheney revealed that his doctors disabled the wireless feature on his heart defibrillator. The reason? There were concerns that threat actors could hack the device and attempt to assassinate him. This scenario sounds like something out of a spy thriller movie. But cybersecurity professionals say this once-hypothetical threat is now an emerging reality. Indeed, security researchers presenting at the Black Hat and DEFCON security conferences in Las Vegas this year once again demonstrated how pacemakers and insulin pumps can be hacked to harm their human hosts.
In response to the growing recognition of this cyber threat, the U.S. Food and Drug Administration (FDA) issued a series of non-binding recommendations to medical device manufacturers. The FDA’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices provided updated recommendations to the industry on cybersecurity considerations for device design, labeling, and documentation. The guidance covers a number of different aspects of medical device cybersecurity — including general principles and risk assessment, designing a trustworthy device using the NIST Cybersecurity Framework, labeling recommendations for devices with cybersecurity risks, and documenting cybersecurity procedures.
N2K is Here to Help
Having trouble staying on top of cyber regulations? N2K is here to help. Our Resolve program is designed to quickly get senior executives up to speed on specific and trending cyber compliance issues. Be sure to check out our Digital Cyber Risk Seminars, which come with our complimentary Executive Cyber Briefings — a monthly newsletter that wraps the latest cybersecurity headlines. That way you can stay on the right side of regulators, and protect your organization from getting slapped with costly fines and fees.