Laws are often passed when a situation becomes so dire that legislators feel the need to step in and give existing rules some teeth. When it comes to combating cybersecurity incidents, there is no shortage of global legislative and regulatory reaction to the ongoing procession of headline-grabbing data breaches and attacks affecting organizations around the world. Major security events have been occurring for more than a decade, but as global connectivity and reliance on IT systems grow, the consequences of these incidents continue to expand.
Here is a breakdown of five measures - two in the United States, one in the European Union, one in Australia and one in China - that are likely to impact you in the not-too-distant future, if they haven't already. Get your compliance and legal teams ready.
Current status: Effective as of March 1, but full compliance not required for 18 months
What's it all about? New York's Department of Financial Services adopted a prescriptive cybersecurity regulation affecting banks and insurers (with 10 or more employees) doing business within the state's borders. With New York serving as a primary hub for global finance, the requirements are certain to have ripple effects around the world.
In addition, the regulation is expected to serve as a model for other states, much like California's trailblazing S.B. 1386 did for data breach notification. Among other provisions, the New York regulation requires that "covered entities":
What's next? Covered entities are also required to certify their compliance annually.
Current status: Adopted in 2016; enforceable from May 25, 2018
What's it all about? The goal of the regulation, which affects any business that processes the personal data of individuals in the EU, is to harmonize data protection law across the 28 member states and "make Europe fit for the digital age." The GDPR aims to "give citizens back control over their personal data, and to simplify the regulatory environment for business." The regulation places a clear onus on businesses that collect and manage the personal information of people in the EU to protect that information from misuse.
What's next? Businesses are racing to comply with the new regulation - or risk administrative fines of up to 4 percent of global annual turnover or 20 million euros, whichever is higher.
Current status: Introduced in the U.S. Senate
What's it all about? We all know the security skills shortage is an issue for IT departments. But did you know the problem also extends to boards of directors? Proposed legislation backed by Democratic Sen. Mark Warner of Virginia would require the boards of public companies to disclose to the Securities and Exchange Commission whether any of their members has cybersecurity expertise. If they cannot, they must explain how they are compensating for this shortcoming. Consumer advocates have reportedly voiced support for the measure as calls for boardroom accountability on security issues grow.
What's next? This one has far less certainty than the others on this list. No vote has been scheduled, and the bill may never reach the Senate floor.
Current status: Passed both houses of the Parliament of Australia in February, expected to take effect in February 2018
What's it all about? Organizations will be required to notify the Office of the Australian Information Commissioner, and the individuals affected, when they experience a breach of personal information that is likely to result in "serious harm" to those individuals.
What's next? This bill was many years in the works, and now organizations must study the measure and prepare for what, when and how they would disclose in the event of a breach.
Current status: Adopted last year, expected to take effect June 1
What's it all about? All eyes are on this measure, as many governments and corporations don't quite know what to expect when it takes hold. The law frames the protection of critical information infrastructure as a matter of national security, but it has been met with strong foreign opposition and confusion among companies and human rights groups - mainly over fears of further internet regulation and over its data localization provisions, which require operators to store personal information and important data gathered in China within mainland China. An unofficial English translation of the law has been published.
What's next? The compliance groups at global companies are working to determine how they can meet the requirements of the new law.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.