Written by T. Piccirilli
2020 saw cybersecurity become an increasing focus in state and national legislatures, as new measures continue to be proposed to address cyber threats in both the public and private sector. In the US, at least 38 states, Washington D.C. and Puerto Rico introduced or considered more than 280 bills or resolutions dealing with cybersecurity. The National Conference of State Legislatures identified five key areas receiving the most legislative attention in the US: government training and security standards, penalties for cybercrime, cybersecurity regulation within the insurance industry, and the creation of and support for training programs.
Of the myriad of bills identified as relating to cybersecurity, only 43 were enacted or adopted, with many of those being adopted or enacted only tangentially relating to cybersecurity. Still, this year represents a step forward for US cybersecurity policy with California and Oregon each implementing the first serious pieces of the internet of things regulation in the US. California’s IoT law, SB 327, requires IoT device manufacturers in the state to have reasonable security features that are appropriate to the nature and functions of their devices and their information. The law is vague but was praised as a good first step. Oregon’s IoT law featured similar loose requirements but again was met with praise from security experts for being a good starting point. The future of these laws remains somewhat unclear, however, as a new federal IoT law was passed unanimously in both the house and senate.
The federal law is the most substantive federal cybersecurity law to date. The law tasks the National Institute of Standards and Technology (NIST) with creating guidelines for internet of things devices that would regulate what IoT products federal agencies could and could not purchase. Though the law does not immediately benefit general consumers, the law will allow security-conscious consumers to know a product is meeting a general security standard if it is used by the federal government. Although it is speculation at this point, the hope is that IoT manufacturers will advertise the meeting of such standards as a way to separate themselves from the competition.
Next year consumers and corporations should expect more cybersecurity initiatives, at least at the federal level. The Biden administration has already committed to improving cybersecurity at every level of government. Although it is unclear what that will mean, the SolarWinds hack has experts calling for reform.
Across the ocean, the European Union recently unveiled a revamp of the cybersecurity rules in the wake of coronavirus related hacking. The reforms include an “EU-wide Cyber Shield” linking national security authorities with artificial intelligence to detect the early signs of attacks, a cyber unit to respond to incidents and threats, and beefing up the cooperation between the EU and organizations like NATO. The revamp also emphasizes the protection of essential infrastructures like heating systems, electricity grids, and transportation systems. This emphasis on infrastructure protection may be, in part, a response to the 2017 WannaCry and NotPetya cyber attacks as well as the late-2020 ransomware attack on a Dusseldorf hospital that potentially contributed to the death of an inbound patient.
The revamp must now be debated by the European Parliament and EU member states and may change substantially between now and final approval. That being said, the macro-level goals of the legislation are unlikely to change and represent a continued commitment to cybersecurity in Europe. Vice President of the European Commission, Margaritas Schinas told reporters “The time of innocence is over. We know we are a target… We need to modernize, reinforce and adapt.”
Elsewhere, privacy-focused laws are beginning to take shop. In Brazil, Lei Geral de Proteção de Dados took effect this past September. The law imposes privacy and data protection requirements similar to Europe’s GDPR. Canada introduced the Digital Charter Implementation Act, which if passed, will include a consumer privacy protection act, a new private sector privacy law, and establish a Personal Information and Data Protection Tribunal. Broadly, the act will give consumers rights to plain language disclosures, data mobility control, and compel businesses to be transparent in how their algorithms use their data. The law would also force businesses to meet certain privacy standards that are similar to those in the GDPR.
China too is implementing a personal privacy law. The Personal Information Protection Law aims to provide comprehensive protection of personal data for residents of mainland China, and draws substantially from the GDPR. It is worth noting that the law would not only apply to organizations based in China but organizations located outside of China that process the personal data of Chinese residents. It is unclear yet how China plans to interpret the scope of the law, and how they will use it to govern data use of foreign corporations, but given their past history of censoring or manipulating foreign corporations who plan to do business in China, this will be a story to watch over the next year.
Finally in New Zealand, which faced a major hack on their star market, NZX, this year, released an updated version of their 1993 privacy act this year. The act restricts the transfer of personal information outside of New Zealand unless the receiving organization is subject to the Privacy Act, or subject to a specific binding scheme or privacy law that is comparable to the Privacy Act.
Corporations should be ready to improve and adjust their cybersecurity to meet upcoming global standards. Though many of these laws are vague or are a ways off from enforcement, firms should keep an eye on global regulations in order to stay ahead of their competition and not be locked out of potential business due to a failure to meet standards.