The past couple of years have seen significant changes for the cybersecurity sector. Recent and proposed rules will affect everyone from small businesses to national institutions.
Cyber legislation is racing to keep up with ever-increasing rates of cybercrime. Small businesses are particularly vulnerable to the potentially crippling expense of a data breach, and the public is no less at risk. Below are three of the most significant recent developments designed to protect data and strengthen privacy.
The NIST Small Business Cybersecurity Act
NIST (the National Institute of Standards and Technology) is a division of the U.S. Department of Commerce and the publisher of the handbook Small Business Information Security: The Fundamentals. That guide serves as an important risk-management resource for small- to medium-sized businesses. In 2018, the NIST Small Business Cybersecurity Act (NIST SBCA) was passed to ensure that businesses continue to reduce risk and receive ongoing guidance in security best practices.
The act gave NIST one year, until August 2019, to do the following:
- Provide small businesses with concise resources to help them reduce, identify, assess, and manage cybersecurity risks. These should promote a workplace cybersecurity culture, strengthen basic controls, and clarify relationships with third-party stakeholders.
- These resources must also be generally usable, apply to a wide range of security concerns, and be specific to the size and nature of each small business and to the type and sensitivity of the data it collects on any device.
Simplicity and practicality are the core of this act, which is required to provide case studies on applying its guidance. The NIST SBCA’s advice must also be “technology-neutral,” meaning small businesses can implement all necessary steps using off-the-shelf commercial tech.
The output from the act is expected to comply as much as possible with international cybersecurity standards and be consistent with the U.S. national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014.
NIST resources receive regular updates and expansions and are free on the NIST Small Business Cybersecurity Corner website launched in March 2019.
The National Breach Notification Law
Businesses that realize customer data has been compromised may decide to cover up the breach out of embarrassment, fear for their reputation, or a belief that law enforcement won’t help. Those three reasons were cited by the unit chief of the FBI’s Internet Crime Complaint Center. The agency estimates that its reports reflect only 10 to 12 percent of the cybercrime that actually occurs in a year.
Breach notification laws are designed to ensure businesses don’t cover one up for any reason—they must inform the public as soon as they become aware of it. Varying laws were enacted in 2018 across all 50 states and Puerto Rico, Guam, the District of Columbia, and the Virgin Islands.
Each state’s notification law has been subject to ongoing amendment and revision, but the general effect as of 2019 is that all states require residents to be immediately notified of compromised data caused by a breach and the extent to which that breach may impact them. Many states also require that state agencies be notified along with major national credit-reporting agencies.
This is a good requirement since the credit of breach victims can be seriously damaged when hackers steal their personal data. Some states also provide free credit monitoring for victims who’ve had their Social Security number stolen. And no matter where a compromised company is located, they’ll be expected to comply with the laws of the state in which the victim lives.
However, some in the cybersecurity sector see these varying state laws as a patchwork that would benefit from a single national breach notification law. Such a bill has been proposed and, if passed into law, would require every state to report breaches under the same standards.
The ENCRYPT Act
The perennial debate over freedom versus order—you can’t increase one without decreasing the other—defines the conflict behind the ENCRYPT Act. Presented to Congress in July 2018, ENCRYPT (Ensuring National Constitutional Rights for Your Private Telecommunications) took a controversial step toward defending the right of businesses and the public to encrypt communications. It was controversial because it was directly opposed by law enforcement.
Encryption is a valuable tool in the cybersecurity arsenal. It allows businesses to encode their data so that only the desired parties can access it. Agencies like the FBI and the Department of Justice have always pushed to be able to access any kind of data whenever they see fit, and they’ve vocally opposed any measures which would close this “back door” to them.
Businesses, the public, and privacy rights groups may sympathize with this view but generally oppose it. The fact remains that a back door built for one party can be used by any other, giving cybercriminals a potential way in. The ENCRYPT Act is designed to stop local and state governments from leaning on companies to weaken their encryption in order to comply with demands from law enforcement.
The act applies to hardware, software, online services (email, texts, photos, audio, and video) and any device capable of supporting encrypted communications. It also aims to prevent states from prohibiting the offer or sale of services and devices based on their encryption capabilities alone.
The Internet Association and the IT Technology Council are just two of the bill’s supporters. If ENCRYPT moves into law in 2019, it will give federal powers the final word and put reliable, truly private encryption into the hands of every business and individual in America.
Other cyber bills working their way through Congress
The legislation and laws we’ve highlighted are just the tip of the iceberg. More than 260 pieces of legislation have been presented in 2019 addressing election practices, cyber terrorism, and more. Some of these are still being argued in Congress, but there’s no debating that data has become the currency of modern life and must be protected to the fullest extent possible.
Connect with CyberGuard360 for a full evaluation of your cybersecurity and discover how well your business is complying with current data laws.
At CyberGuard360, our clients are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, training, and disaster recovery. Call 844-315-9882 or complete our contact form.