Cybersecurity and privacy laws come to the US

Let us assume you work for a company based in the U.S. Maybe you’ve heard of the European GDPR (General Data Protection Regulation). Perhaps you even heard about its requirements for cybersecurity and protecting personal information.

Then you think to yourself: ‘Thankfully we live in America and don’t have to worry about this stuff.’

Wrong! You do.

Cybersecurity is a national issue

Organizations in every state face the threat of cyber attacks. Earlier this year, 22 Texas towns, most of them local governments, were hit by a coordinated ransomware attack.

Both Baltimore, MD, and Greenville, NC, were hit with ransomware attacks, as were New Bedford, MA, and Lake City and Riviera Beach in Florida.

Louisiana had to declare a state of emergency after numerous public schools were hit with ransomware. The Wolcott school district in Connecticut has been hit twice.

These are only some of the attacks we know about. There have been just as many attacks, if not more, in the private sector. It’s just that those organizations don’t want to report them.

But whether they know it or not, businesses in all 50 states are legally required to report cybersecurity breaches.

The details vary per state, but breaches generally need to be reported if payment card information, Social Security numbers, driver’s license information, and medical data are compromised.

But it’s not about just breach notification. Does your business have anything to do with the health care industry? If the answer is yes, then you are subject to the privacy and cyber security rules of the HIPAA (Health Insurance Portability and Accountability Act).

Does your business have anything to do with finance? They you have to comply with FINRA (Financial Industry Regulatory Authority) rules. Do you do business with the government? Then the FISMA (Federal Information Security Management Act) may apply to you. Work in education? Take a look at the FERPA (Federal Educational Rights and Privacy Act).

Organizations that are based in, or do business with, citizens of California, Nevada, or New York are all subject to new rules. And this isn’t just a state issue. There are at least 11 laws in Congress that concern either privacy or cybersecurity.

Mind Your Own Business

These laws might soon be joined by the Mind Your Own Business Act, which has the potential to redefine the way the U.S. looks at data privacy.

It requires corporations to give consumers access to their personal data, including information on how that data is used after it’s been collected. If organizations fail to do meet this requirement, they would face fines on the same scale as the GDPR – 4% of annual global turnover. For an idea of what a monumental sum that is, were one of the globe’s tech giants to fall foul of the law and receive the maximum fine, it would be paying almost $3 billion.

For senior officials, the consequences are worse. The bill proposes that executives who mislead the FTC (Federal Trade Commission) about their data processing practices could face 10–20 years of imprisonment.

In a statement, Rob Wyden, the bill’s author, said: “Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government.”

Keep on top of your compliance requirements

If you weren’t already aware of the avalanche of privacy laws in the U.S. and across the globe, you are now. But what do you do?

Give us a call. IT Governance is here to help.

We have training courses on many of these laws. We also have consultants, some of whom are lawyers, who can help you implement privacy and cybersecurity management frameworks.

These are world-class solutions that have been used across the globe and under countless regulatory frameworks. We won’t simply help you comply – we can help you stay in business.

speak-to-a-consultant