Over the last three to five years, there has been a steady increase in the number of legislative and regulatory rules in the cybersecurity and data privacy domains. These range from presidential executive orders and memoranda to new legislation at the federal and state level as well as new rules and guidance from governing bodies such as the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC).
The goal of this blog is to alert our readers to these legislative changes and their possible impacts on corporations and organizations. Over the coming weeks, we will supplement this information with specific reviews of key pieces of new legislation.
Simply put, this uptick in “regulation” is a direct result of the rising tide of cybersecurity-related events and the impact on the U.S. people and economy. As the President stated in Executive Order 14028, “The cybersecurity threats… are among the most significant and growing issues confronting our Nation…[and] could cause significant harm to the national and economic security of the United States.” In other words, there is a real and present danger in the areas of cybersecurity and data privacy that could affect the economic health of the country.
These threats to cybersecurity and data privacy have touched all of us in some way. Bad actors have targeted or randomly taken down critical infrastructure systems such as the Colonial Pipeline and numerous hospitals and schools. The scientific evidence is very clear: the vast majority of these incidents would not have occurred if the impacted entities had basic and functional information security management programs in place. Effective IT hygiene—like regular, systematic patching of computer systems—can mitigate the risk significantly. The current legislative agenda clearly recognizes the fact that voluntary implementation of leading security practices has not been sufficient, and these new rules are starting to address that shortfall.
Much of the cybersecurity legislative activity is focused on protecting critical national infrastructure, but that category is broad: these new regulations concern the energy sector; financial, food, telecommunications, and agricultural services; critical manufacturing; government facilities; the defense industrial base; and commercial facilities, including shopping, entertainment, and lodging. In our experience, few businesses are not part of the critical national infrastructure in some form or another. Likewise, few businesses are not concerned about cybersecurity and data privacy.
In May 2021, the President signed Executive Order 14028, Improving the Nation’s Cybersecurity, which is noteworthy in that it requires specific actions from federal agencies. The most striking are the insertion of clauses into the federal acquisition regulations that require cyber event reporting and the provision of software bills of materials (SBOMs), the latter intended to reduce the risk of compromise through the software supply chain. The order also requires the Cybersecurity and Infrastructure Security Agency (CISA) to define a zero trust architecture for use by federal agencies and their subcontractors. These measures are significant, as they establish a new minimum baseline for cybersecurity and data privacy, which we expect to spread outwards from federal business to general industry and other entities.
The Department of Defense released its Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) in November 2021 as part of its DFARS 252.204-7019 and NIST SP 800-171 Rev. 2 requirements. The goal of CMMC 2.0 is to regulate data security practices, through an assessment-based mechanism, for defense industry organizations that process or handle controlled unclassified information (CUI).
In July 2022, the TSA Pipeline Security Guidelines came into force. These require a risk-based security program for corporate information technology (IT) and operational technology (OT) networks—including supervisory control and data acquisition (SCADA) systems—that sets minimum standards for segregation of IT and OT systems as well as the ability to restore from backups or snapshots.
In 2021, the FTC finalized a new set of Safeguards Rules required under the Gramm-Leach-Bliley Act (GLBA). These rules outline steps that organizations in the financial sector must take to reduce cybersecurity risk and come into effect in June 2023. They will require the appointment to the board of a qualified individual who has cybersecurity experience, the implementation of an information security management program, and, at a minimum, an annual presentation of risks and issues to the board. The range of enterprises providing financial services is larger than it first appears and includes car dealers offering financing and higher education institutions participating in federal student loan programs.
In March 2022, the SEC proposed new cybersecurity rules that will apply to all publicly traded companies. These rules, which are still under consultation, could become binding as soon as May 2023 and will require reporting of material cybersecurity incidents, as well as an annual description of the cybersecurity risk management strategy, policies, systems, and known cybersecurity risks. Notably, they could require disclosure of cybersecurity expertise on the corporate board, which would drive the appointment of cybersecurity expertise to all boards, much as Sarbanes-Oxley required all corporate boards to have financial expertise. In addition to these proposed rules, the SEC also released rules governing all private and publicly traded investment and advisory companies to reduce market risk relating to cyber events within financial institutions.
In the area of data privacy legislation, the California Privacy Rights Act (CPRA) became effective this January. Soon to come are the Virginia Consumer Data Privacy Act in June, and Colorado’s and Connecticut’s Privacy Acts in July. Even as these data privacy laws take effect, work continues on Senate Bill 3600, which aims to create a new data privacy law at the federal level. Many more states, including Ohio, have legislative work in flight in this area.
In the coming months we will analyze key changes in cybersecurity and data privacy legislation, provide a more detailed view of what they contain, and outline what actions you should consider taking as a result.
Alternatively, we would be happy to discuss these actions with you in person, either informally or as part of a tailored security assessment and roadmap generation. Contact us today.
This blog offers a personal opinion and is not intended as legal advice.