Unlock the Secrets to Cyber Security: Protect Yourself Now!
By Tom Seest
At BestCybersecurityNews, we help young learners and seniors learn more about cybersecurity.
Cyber security laws and regulations are essential components for safeguarding information technology and computer systems. They protect sensitive data and critical infrastructure, hold companies accountable for cyber incidents, and offer legal recourse to victims of cybercrime.
Cybersecurity laws and regulations are constantly being updated, making it essential for businesses to stay abreast of all relevant changes.
In 2002, the Sarbanes-Oxley Act (SOX) was passed to enhance the quality and transparency of financial reporting at public companies. This initiative was spurred on by numerous corporate scandals, such as those at Enron and WorldCom, that caused millions of dollars in losses for investors and the general public alike.
SOX requires publicly traded companies to have effective internal controls over their data and financial reporting processes. Furthermore, it imposes penalties on those who fail to adhere to its mandates.
Fortunately, most of the Sarbanes-Oxley Act’s requirements are easy to comprehend and implement. However, some sections require extra effort, such as the cybersecurity and breach notification obligations.
Section 404 of SOX requires CEOs and CFOs to sign attestations confirming the accuracy of their organizations’ periodic reports containing financial statements. This attestation requires confidence in both the company’s accounting procedures and control objectives, as well as IT systems and databases.
Another SOX section that CISOs should be aware of is Section 302, which deals with corporate responsibility for financial reports and data. This provision lays out how a company must prepare its financials and how they should be audited.
This section requires the CEO or CFO of a publicly traded company to review and assess the reliability of its financial reports, as well as ensure they meet certain standards for how they are prepared and reported. This can be an overwhelming task that necessitates considerable investment in internal controls across the finance, IT, human resources, and legal departments.
Though SOX compliance may not seem particularly relevant to cyber security, it can be an essential consideration for any organization. For instance, if a company wants more access to capital through cross-listing in the United States, it must meet SOX requirements in order to do so.
The Sarbanes-Oxley Act can have a major impact on firms from countries with less developed or less regulated economies, as these firms often lack experience with corporate governance and internal controls, leaving them more vulnerable to the consequences of non-compliance.
The Gramm-Leach-Bliley Act (GLBA), commonly referred to as the Gramm-Leach Act, is one of the United States’ primary financial laws. Passed in 1999, it repealed the Glass-Steagall Act that prohibited banks from engaging in insurance or securities activities. Furthermore, GLBA allowed mergers between banks and other financial institutions.
The GLBA is a complex law that may be challenging to comprehend. However, it’s essential for business owners to understand its implications.
In order to comply with the GLBA, your company must have an effective information security program. This implies putting policies in place that safeguard sensitive personal data from unauthorized access and use, as well as notifying customers of any breaches.
Another aspect of the GLBA that applies to your business is the Privacy Rule. Financial institutions must explain how they collect and use customers’ private information, inform them about how it’s shared with third parties, and give customers the option not to have this data shared with anyone.
This rule was put in place to safeguard consumers and guarantee financial institutions are adhering to best practices for handling customer data. Furthermore, it includes a pretexting provision that prevents the use of false information to gain access to private financial data.
Although this law is complex, it’s an integral component of cyber security. It requires all financial institutions to have a written information security plan in place at all times.
Under GLBA’s privacy rule, financial institutions must provide their customers with written policy notices outlining their information-sharing practices. These notices must also state that customers have the right to opt out of having their personal data shared with third parties and can request that their private data be removed from the institution’s systems.
These requirements are put in place to safeguard people’s privacy, particularly younger generations, who may not be as aware of how their personal information is used or shared. For instance, the GLBA requires students’ names, addresses, phone numbers, dates of birth, Social Security Numbers, and student loan info to be safeguarded against misuse or unauthorized access.
In May 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR), replacing their 1995 Data Protection Directive. This new regulation seeks to revolutionize how organizations across Europe approach data security and privacy practices.
GDPR mandates companies to take a more in-depth look at how they collect, store, and transfer personal information. Furthermore, it demands businesses have an effective system in place to guarantee this data is secure.
Data subjects now have more control over their personal information and a shared responsibility for its security. For instance, when someone requests that their data be removed from a company’s database, the business must respond promptly to fulfill that request.
Additionally, the regulation identifies certain “special categories” of personal data that require higher protection. This includes information regarding a data subject’s race or ethnic origin, religious beliefs, health information, genetic information, sex life, political opinions, and trade union membership.
The GDPR will make it much harder for businesses to process sensitive information, necessitating them to put in place specific procedures to protect the data and keep it secure. This includes employing encryption technology as well as other safeguards.
Businesses must appoint data protection officers to monitor their adherence to the GDPR. These individuals will provide advice on the requirements of the regulation and serve as a point person for communication with Supervisory Authorities.
Another key aspect of the GDPR is that it empowers Supervisory Authorities to issue fines when businesses fail to abide by GDPR requirements. These penalties can reach EUR10m or 2% of a company’s global annual turnover, or EUR20m or 4%, depending on the severity of the violation.
Additionally, the GDPR grants data subjects the right to be forgotten. This provision gives customers a chance to request that their personal information be removed from a business’s databases, likely leading many companies to implement this practice in order to safeguard customers’ private information.
The California Consumer Privacy Act (CCPA) is the first state-wide law to give consumers a comprehensive set of privacy rights. Passed in June 2018, it went into effect on January 1, 2020.
Although not a direct cyber security law, the California Consumer Privacy Act (CCPA) has major ramifications for businesses that collect, store, or utilize personal information about residents of the state. As a result, many firms, both within and outside California, must update their policies, procedures, and websites in order to abide by the new regulations.
One of the most significant aspects of the CCPA is its power to give consumers a private right of action against businesses that break the law. Furthermore, it imposes heavy fines for any violation, as well as data erasure requirements similar to those in Europe’s GDPR.
In addition to the CCPA’s requirements, other laws and regulations in California already address data privacy and cybersecurity. For instance, California’s data breach notification laws mandate websites provide consumers with a way to report a breach. The CCPA builds upon these existing requirements by requiring websites to grant customers the right to request their personal information be provided in an easily readable format.
Another key provision of the CCPA is its requirement that businesses give consumers notice if they plan to share or sell their personal information. Furthermore, the CCPA requires that individuals be informed of their right to access, correct, or delete their own personal data.
Businesses must disclose what information they maintain and who may have it. This is an essential step toward increasing transparency around how companies utilize and store personal data.
However, the CCPA contains some restrictive provisions that could adversely impact businesses. For instance, businesses aren’t permitted to offer discounts or loyalty programs without getting consent from a customer’s parent or guardian, and businesses also cannot disclose personal information about customers unless required by law.
Please share this post with your friends, family, or business associates who may encounter cybersecurity attacks.