How U.S. Cybersecurity Regulation Reform Will Affect Your Organization

The U.S. has had an uneasy relationship with cybersecurity regulation. Its rules are largely set at the state level, creating a patchwork of overlapping requirements that is a nightmare for organizations that operate across state lines.

Depending on the state you’re based in, your obligations vary greatly, with different rules for everything from the security measures you must implement to how you must respond to a data breach.

Decision makers in the U.S. must look across the pond and view the EU GDPR (General Data Protection Regulation) with equal parts envy and relief.

There is no doubt that the GDPR’s strict framework is complex to implement and maintain.

Its framework requires appropriate technical and organizational security measures, expects staff to be trained and managed accordingly, and sets a tough 72-hour deadline for notifying the supervisory authority of a personal data breach.

But with that comes consistency and universality. Every organization that processes the personal data of people in the EU, wherever the organization itself is based, must comply with the same requirements, which, in its own way, simplifies things.

More to the point, it ensures that every organization has a baseline of effective data protection, mitigating the risk of data breaches and making it easier for security-conscious organizations to work with third parties.

Although it’s unlikely that the U.S. will ever adopt something so overarching, the country has taken major steps to bolster cybersecurity legislation.

In addition to the incident reporting rules being developed by the Cybersecurity and Infrastructure Security Agency (CISA), there are currently plans for new information security rules at the Federal Trade Commission, the Food and Drug Administration, the Department of Transportation, and the Department of Energy.

Federal laws

Cybersecurity has been a top priority of the Biden administration. In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law as part of the Consolidated Appropriations Act, 2022.

Its rules require organizations in critical infrastructure sectors to report covered cyber incidents to CISA within 72 hours of reasonably believing that an incident has occurred (a deadline that mirrors the GDPR’s 72-hour notification window), and to report any ransom payment within 24 hours of making it. These obligations take effect once CISA finalizes the implementing rule the Act directs it to produce.

Two further bills were signed into law in June. The Federal Rotational Cyber Workforce Program Act of 2021 creates a rotational program for the federal cyber workforce.

Under the law, “certain federal employees may be detailed among rotational cyber workforce positions at other agencies”. It also authorizes each agency to determine which of its employees and positions are eligible for the program.

Meanwhile, the State and Local Government Cybersecurity Act of 2021 introduces new rules requiring the Department of Homeland Security to increase its collaboration with state, local, tribal, and territorial entities when addressing cybersecurity threats.

The department must also work with corporations, associations, and the general public to identify and mitigate risks.

Additionally, the law requires the National Cybersecurity and Communications Integration Center (now part of CISA) to provide training, conduct exercises, and promote cybersecurity education and awareness across state, local, tribal, and territorial governments.

Data breach reporting requirements must be reformed

In addition to the patchwork nature of U.S. data protection regulation, another issue is what these laws actually focus on. Most address data privacy rather than cybersecurity more broadly, meaning a significant number of security incidents fall outside their scope entirely.

Existing laws generally cover only incidents in which unauthorized individuals gain access to people’s personal data. Examples include cyber criminals breaking into an organization’s systems and stealing customers’ names and addresses, or employees accidentally throwing away physical documents.

But this only addresses a small fraction of cybersecurity threats that organizations face. What about incidents in which systems are rendered inaccessible, such as DDoS (distributed denial-of-service) attacks? Or when essential infrastructure is knocked offline but personal data isn’t directly affected?

Under the GDPR, an attack that leaves an organization unable to access personal data is itself a personal data breach: the regulation’s definition covers destruction, loss, and loss of availability as well as unauthorized disclosure, because keeping information available is treated as being as important as keeping it confidential.

But that’s not always the case in the U.S. For instance, the May 2021 ransomware attack on Colonial Pipeline did not trigger any mandatory incident notification requirement at the time, because the laws then in force were triggered only by the compromise of personal information.

Yet the criminal hackers crippled the fuel supplier’s systems, forcing it to halt pipeline operations and creating widespread fuel shortages and disruption for organizations and individuals across the east coast.

If an incident as destructive as this doesn’t need to be reported, how many other cybersecurity incidents are also going unacknowledged?

Estimates of how many incidents are actually reported vary widely: some experts put the figure at around 25%, while others put it as low as 18% or even 10%.

Despite this, the U.S. has been hesitant to strengthen its data breach notification requirements.

Tatyana Bolton, a former official with the Cybersecurity and Infrastructure Security Agency, bemoaned the lack of action, saying: “We have tried for years to do reporting voluntarily. For all those years, voluntary reporting has failed.”

Jeff Moss, the founder of the Black Hat cybersecurity conference, added: “How can you regulate a sector if you don’t know how big the problem is?”

Even with reporting largely voluntary, more than 1,200 cybersecurity incidents were publicly disclosed in 2021 – and if that is only a fraction of the total, it demonstrates how large the problem really is.

What should organizations do?

While organizations in the U.S. wait for tougher cybersecurity laws, they should remember that they don’t have to limit themselves to their legal requirements. There are several frameworks organizations can use to bolster their information security practices – and none more proven than ISO 27001.

It’s the international standard that sets out the requirements for an ISMS (information security management system): a documented, risk-based approach to managing information security across people, processes, and technology, rather than a checklist of technical defenses.

ISO 27001 compliance is centered on a risk assessment, ensuring that organizations identify the information security risks relevant to them.

From there, they must select an appropriate treatment for each risk, which might mean implementing controls from the standard’s Annex A, with implementation guidance provided by the complementary standard, ISO 27002.

ISO 27001 also requires organizations to identify and comply with the legal, regulatory, and contractual requirements that apply to them, which includes data breach notification requirements.

IT Governance USA offers a range of solutions to help organizations learn more about ISO 27001 and implement its requirements.

Those seeking a quick, reliable way to certify to the Standard should take a look at our ISO 27001 FastTrack™ 500 service.

This consultancy package is designed to help organizations with 20–500 employees reach ISO 27001 certification readiness in just three months.

IT Governance USA also offers the service for organizations with 20 or fewer employees.

Both packages include all the consultancy support you need to implement an ISMS quickly and cost-effectively.

An experienced consultant will design, develop, and establish your ISMS, working with you to undertake all the key activities of setting up an ISMS.