Although several federal agencies, including the FTC, FCC, CFTC and CFPB, have their own sets of cybersecurity rules and guidelines, there is still no single, commonly held standard. The FTC, for example, pursues enforcement actions to make sure companies follow the practices it recommends. This is where the concept of "reasonable cybersecurity" comes in: it is meant to give businesses a comprehensive guideline for securing customer data. The FTC publishes many of these reasonable-security guidelines on its website, and most of them grew out of its enforcement cases over the past several years. Under Section 5 of the FTC Act, the FTC treats a company's data security practices as a violation when they are deceptive (for example, a privacy policy that promises protections the company does not actually provide) or unfair. Other agencies provide business owners with their own guidelines. The FCC, for instance, has regulatory authority comparable to the FTC's, including the power to audit companies' cybersecurity practices and to enforce legal measures. The CFPB has imposed a $100,000 monetary penalty on a well-known company for failing to comply with the PCI standard in its handling of customer data.
Most states in the United States have cybersecurity laws intended to ensure that companies follow best practices. Breach notification laws require companies to notify their customers within a set period after any compromise of their sensitive data. Florida's law requires a company to notify the state attorney general of any data breach affecting 500 or more individuals, and to provide the attorney general with its cybersecurity policies and forensic investigation reports on request. A company that fails to notify the attorney general within 30 days of the breach is subject to penalties. Other states have similarly strict breach laws. Tennessee, for instance, requires notification even when the compromised data was encrypted, removing the usual encryption safe harbor, although companies may still perform a risk-of-harm analysis. Connecticut and California have also tightened their existing notification laws to reflect current expectations for cybersecurity practice. In addition, Florida has been proactive in formulating a reasonable cybersecurity standard and guidelines for securing sensitive customer data held in electronic form.
On top of state law, additional statutes further protect customer data. The Children's Online Privacy Protection Act (COPPA) protects data collected from children and adds a layer of requirements beyond the other regulatory measures. The Family Educational Rights and Privacy Act (FERPA) regulates the data collected by educational technology organizations. The European Union's General Data Protection Regulation (GDPR) protects the personal data of individuals in the European Union. All of these measures add protections to ensure that data is collected and handled properly and with adequate security. More recently, Congress passed the Cybersecurity Information Sharing Act (CISA), which establishes a protocol for companies to share cyber threat information with each other and with the government through a DHS portal.
There is a big difference between proactive and reactive cybersecurity measures. Most companies today focus on reactive cybersecurity, which may ensure that the aftermath of a breach is handled properly but does nothing to prevent the breach in the first place. Proactive cybersecurity practices, by contrast, help a business protect itself against potential breaches before they happen. One such practice is creating a Written Information Security Plan (WISP). The WISP sets out the measures the company commits to for the collection, transmission, storage and access of data. It should also be published on the company's website in clear language so that any interested party, including customers, can understand the security measures the company has taken. A WISP also helps a company align its security plans with its business goals, and it ensures that the company takes proper steps to update its IT systems when parts of its infrastructure are outdated.
The company should also be able to cope with emerging threats and challenges, and this should be built into its business design. To manage current and potential future threats effectively, the company must make security part of its business plan. Its IT systems must ensure that the configuration, maintenance and operation of technology products are properly vetted, including keeping them patched and up to date. To help companies deal with this broad range of cybersecurity measures, the National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework that companies can use as a template for implementing security practices; it was designed to apply to companies of many kinds across many sectors. The company's data engineering function must ensure that the data collected from customers is not excessive and does not create future security risk. Data that is collected and stored must serve the business's goals; nothing should be collected or stored that has no direct application to business operations, which leads to a minimalist data collection approach. The business must clearly understand what data it collects and why, and whether the risk of holding that data outweighs the business benefit. This keeps IT operations from over-collecting data. Data designers should likewise avoid storing data in a normalized form merely because it makes life easier for IT operations.
Internet of Things (IoT) devices add further risk, since they collect and transmit a wide range of data, including users' biometric data. Popular IoT devices include fitness bracelets, smart door locks, home climate control systems and pacemakers. They collect biometric data such as face, retina and fingerprint data, as well as quasi-biometric data such as breathing, motion patterns and heart rate. The danger in transmitting such data is that, unlike a password, it cannot be changed: once it is compromised, it is compromised forever. In some cases an attacker who compromises the device or its data also gains the ability to physically harm the user. Regulators are, however, becoming more aware of IoT devices, as reflected in the FTC's report on IoT privacy and security.
Finally, good cybersecurity practice benefits the company's business. Every data breach brings a large loss of money and reputation. Adequate and reasonable cybersecurity practices can substantially reduce that risk. They also give customers and business stakeholders assurance that the company is doing its job properly, which ultimately leads to better business outcomes.