Over 70% of the cost of an incident is attributed to the legal and privacy aspects – not the security triage and response. To minimize financial and legal risk, companies should be taking a closer look at their incident response plans. Yet it’s a common refrain heard from outside counsel law firms specializing in incident response that these plans are never used during an incident. Why? Because they are not comprehensive and too generic for use.
Frequently, security teams champion the incident response process; however, incident response teams need to be cross-functional. They must go beyond security and IT defenses and processes into legal, risk, privacy, and compliance to examine the impact of cyber insurance requirements, contract terms, and privacy and cybersecurity rules and regulations on their organizations. After all, the costs are cross-functional, too.
The growth of new privacy and cybersecurity laws has not slowed down during the pandemic. In the United States, at both the federal and the state level, as well as internationally, new regulations are imposing stringent requirements for handling data for their clients and consumers on organizations worldwide. In fact, a new trend in which some of the most recent rules are now agnostic to personally identifiable information (PII), once an easy test for the applicability of these laws, has emerged. With the continued increase in cyber attacks over the past 12 months, particularly from ransomware, it’s only a matter of time before businesses will be facing regulators. Organizations should be preparing for the impending regulations facing their businesses, and yet, not all of them are well known or understood.
To that end, it seems everyone has at least heard of the European Union’s General Data Protection Regulation (GDPR) and the most recent California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Here are five other privacy laws that every organization should be tracking at the state, federal, and international levels.
First, at the state level, many are not aware of Virginia’s Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) – both of which apply to companies with data from residents of those states and which seem to be the model for regulations being legislated and passed by other states. Virginia’s law comes into effect on January 1, 2023, and Colorado’s law is effective on July 1, 2023. Both define various types of personal data that are covered, a series of rights for their respective residents pertaining to companies using their data, and “reasonable” security practices. Neither law has a minimum revenue threshold; instead, they generally define applicability thresholds for the data for a specific number of consumers and therefore are more broadly applicable to smaller businesses.
In addition, at the federal level in the United States, two key laws are on the books, with one in effect and the other coming soon. Late in 2021, the three US federal financial regulators teamed up to approve an interagency rule to define two distinct types of incidents, a “cyber-security incident” and a “notification incident.” Generally, the latter requires banks to notify their appropriate regulator within 36 hours, while the former may require a notification depending on the type of company and the degree and length of impact from the incident. While the threshold is higher than most regulations, the timeframe is one of the shortest on the books and PII is not the key factor for notification, making this a big shift for many financial services companies.
Internationally, India’s Computer Emergency Response Team (CERT-In) published a directive requiring reporting of cybersecurity incidents within six hours. The directive is broadly applicable to companies with a presence in India across a comprehensive list of types of incidents, from scanning to full scale attacks, for which it applies. With a 28-page frequently asked questions document on the notice, it’s clear that this directive shocked many throughout industry, and with such a short timeframe for notification, rightfully so. Unfortunately, many still have not heard about this ruling which is slated to come into force in the next thirty days.
The United States Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law in March and gives Cybersecurity and Infrastructure Security Agency (CISA) responsibility for defining specific rules and requirements over the next couple of years. Using the history of CISA and its parent DHS as a guide, it will likely require organizations across the broadly-defined 16 critical infrastructure sectors, including Communications, Energy, Financial Services, and Healthcare companies, to report a “substantial” cyber incident (the definition of which is yet to be further defined) to CISA within 72 hours from when they “reasonably” (also yet to be defined) believe an event has occurred. In addition, ransom payments must be reported to CISA within 24 hours. It’s unlikely PII will be a key factor for CISA, making this law impact a much wider range of incidents than other laws currently. Further, organizations that do not comply can be referred to the US Attorney General for civil or criminal prosecution, an outcome of increasing likelihood for companies, their executives, and board members globally.
How can businesses deal with the ever-growing morass that these and the other 180 regulations in 120 countries they’ll face? Invest in technology to scale up their processes, run quarterly exercises using different scenarios that include legal and privacy, and get requirements and obligations organized and broken down into discrete playbooks based on types of incidents. These actions will increase efficiency and reduce risk while setting the stage for businesses to recover faster from the incidents, large or small, that will inevitably occur.
