Cybersecurity is a prevalent, growing concern across all sectors – government, non-profit, and private. Organizations of all sizes face increasing cyber threats from around the globe. Russia and North Korea are considered the biggest threats, using sophisticated tactics to target victims.
Presently, there is no unified federal law or legislation governing cybersecurity practices. Instead, each state has its own set of rules. The landscape for cybersecurity regulation is intricate – a regulatory patchwork filled with inconsistent standards, some outdated, which vary from state to state. Visit Data Breach Notification Laws by State to learn about each of the 48 state data breach notification laws as of August 2017.
Further complicating cybersecurity matters is the fact that individual states that process data outside of their borders must adhere to the cybersecurity policies and regulations imposed by neighboring states. Cybersecurity compliance is a complicated matter, yet organizations must comply with state privacy laws or face repercussions.
Cybersecurity is a growing concern threatening critical infrastructure
According to the National Conference of State Legislatures Cybersecurity Legislation 2017, cyber threats are an increasing concern for government security, economic prosperity, and public safety. States are addressing cybersecurity initiatives, including:
- Increased cybersecurity funding
- Mandates to implement specific information security management
- Added penalties for data breaches
- Critical infrastructure threats and vulnerabilities, etc.
According to Cybersecurity Legislation 2017, “At least 42 states have introduced more than 240 bills or resolutions related to cybersecurity.” Some of the key legislative movements include:
- “Improving government security practices: 42 bills in 20 states, Puerto Rico
- Commissions, task forces and studies: 29 bills in 16 states, Puerto Rico
- Funding for cybersecurity programs and initiatives: 27 bills in 14 states
- Targeting computer crimes: 20 bills in 11 states
- Restricting public disclosure of sensitive security information: 19 bills in 11 states
- Promoting workforce, training, economic development: 13 bills in 10 states”
Government admits its lack of a solid federal cybersecurity policy
The government admits that it is failing to effectively defend itself from cybersecurity attacks. The Equifax data breach is a perfect example of a wide-reaching, global data breach that will have damaging repercussions for years to come – a resonating alarm call for a unified law to govern privacy.
At a Senate Armed Services Committee hearing on cybersecurity on October 20, 2017, key personnel went MIA, setting a tone and overall sentiment that the US is still unprepared to respond to cyber attacks.
Top cybersecurity officials from the Pentagon, the FBI and the Department of Homeland Security (DHS) assembled before the committee to expand on how they will respond to harm to US critical infrastructure coming from nation states. Russia and North Korea were included in this discussion.
Officials stated that, although they have made some progress in reducing cyber threats and responding to them, the government still has work to do. “This is a battle that is going to be going on for many years,” said Christopher Krebs, a DHS national protection and programs directorate official. “We’re still trying to get our arms around it.”
The hearing raised issues of undecided roles and responsibilities throughout government agencies and ended with subpoena threats – but still no strategy.
Map your way through federal cybersecurity and privacy laws
Navigating the US cybersecurity landscape and understanding each of the regulations can be a challenge. View our Federal Cybersecurity and Privacy Laws Directory to learn more about the applicability, penalties, and compliance requirements of key federal laws that concern cybersecurity and privacy professionals.