Laws and Regulations Which Involve Cybersecurity
Around the world, more and more countries are prioritizing citizens’ privacy and security online. These laws and regulations are designed to protect people’s fundamental right to privacy, and to give them control over their personal data.
Take a look at the laws and regulations which involve cybersecurity around the world, and find out how to make sure you’re compliant.
Why do we need cybersecurity legislation?
Approximately five billion people are online every day — almost two-thirds of the world’s population. And as this number grows, there’s more opportunity for cybercriminals to exploit user data for malicious purposes, such as identity theft, fraud, money laundering, and ransomware attacks.
Cybersecurity laws are designed to protect citizens and national security in the face of these growing threats. While they’re mainly created to protect individuals, businesses can also benefit from following these regulations.
Cybersecurity laws in the US
Federal government privacy regulations
The US has no single comprehensive federal privacy statute; instead, three sector- or purpose-specific federal laws do most of the work:
- Health Insurance Portability and Accountability Act (HIPAA) — its Privacy Rule and Security Rule set standards for protected health information (PHI) held by covered entities (health plans, providers, and clearinghouses) and their business associates, including administrative, physical, and technical safeguards and breach notification
- Cybersecurity Information Sharing Act (CISA, 2015) — lets private companies share cyber threat indicators and defensive measures with the federal government and with each other, with liability protection; before sharing, they must remove personal information not directly related to the threat (not to be confused with the Cybersecurity and Infrastructure Security Agency, which shares the acronym)
- Homeland Security Act (HSA) — passed in 2002 in the wake of the September 11 attacks, the HSA created the Department of Homeland Security and includes the Cyber Security Enhancement Act, which increased penalties for computer crimes and widened the circumstances in which service providers may disclose communications to the government in an emergency.
The role of the FTC
Beyond these statutes, the Federal Trade Commission polices privacy and data security under Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices"; the FTC describes its broader mission as protecting consumers and businesses from "anticompetitive, deceptive, and unfair business practices." In practice, a company that misrepresents its privacy or security practices, or fails to implement reasonable security, can face FTC enforcement even where no specific privacy statute applies.
In 2019, the FTC levied its largest-ever privacy penalty: Facebook was required to pay $5 billion and restructure its privacy program for violating a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information. The FTC noted that the penalty was almost 20 times greater than any previous privacy or data security penalty imposed worldwide.
California Consumer Privacy Act (CCPA)
In 2018, California became the first US state to pass a comprehensive consumer privacy law. The CCPA took effect on January 1, 2020, and was expanded by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023. California is home to some of the world's largest technology companies, so the law was designed to curb negligent and unethical data collection and sharing at these firms, though it applies to any qualifying business that collects California residents' personal information.
The CCPA establishes four core privacy rights for California residents (the CPRA added further rights, including the right to correct inaccurate data and to limit the use of sensitive personal information):
- The right to know about the data being collected, and how it’s being used
- The right to delete information (in most cases)
- The right to opt out of the sale of their personal information (and, under the CPRA amendments, its sharing for cross-context behavioral advertising)
- The right to not be discriminated against for exercising these rights.
Under CCPA, businesses must be transparent about their data collection practices. They must also tell people how they can delete their data or opt out of certain data collection and sharing schemes.
Civil penalties for CCPA non-compliance, enforced by the California Attorney General and, since the CPRA, the California Privacy Protection Agency, are:
- Up to $2,500 per violation
- Up to $7,500 per intentional violation (the CPRA also applies the higher figure to violations involving the personal information of consumers the business knows are under 16).
Penalties are assessed per violation and the statute sets no cap on the total. Separately, the CCPA gives consumers a private right of action when non-encrypted and non-redacted personal information is exposed in a breach caused by a business's failure to implement reasonable security procedures: statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. For a security team, this breach provision is the part of the law with the most direct operational consequence.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA was signed into law in March 2021 and took effect on January 1, 2023. Like the CCPA, it protects individuals' privacy rights, including the rights to access, correct, and delete their personal data and to opt out of targeted advertising, the sale of personal data, and certain profiling. The Virginia Attorney General enforces it, with a 30-day cure period and civil penalties of up to $7,500 per violation; there is no private right of action.
The VCDPA applies only to organizations that conduct business in Virginia or produce products or services targeted to Virginia residents, and that meet at least one of two thresholds:
- Control or process the personal data of at least 100,000 consumers in a calendar year
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Colorado Privacy Act (ColoPA)
ColoPA, signed in July 2021, follows many of the same principles as the CCPA and VCDPA. Its applicability thresholds are close to Virginia's (100,000 consumers, or 25,000 consumers plus revenue or a discount from selling personal data), so not all businesses are affected. Businesses subject to it had to comply by July 1, 2023, when it took effect. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, which since 2019 provides for civil penalties of up to $20,000 per violation, capped at $500,000 for a related series of violations; the Attorney General and district attorneys enforce it, and there is no private right of action.
Other states
Utah is the most recent state to pass a comprehensive consumer privacy law: the Utah Consumer Privacy Act was signed in March 2022 and takes effect on December 31, 2023. At least 17 other states have introduced consumer privacy bills, including Alaska, Iowa, New York, and Oklahoma.
More states are expected to follow over the next few years. Because the state laws differ in applicability thresholds, rights, cure periods, and penalties, a business operating nationally should map which laws apply to it rather than assuming that CCPA compliance covers everything.
Cybersecurity laws in Europe
GDPR
The General Data Protection Regulation (GDPR) has applied across the EU since May 25, 2018; the UK incorporated it through the Data Protection Act 2018 and retained it after Brexit as the "UK GDPR". It is primarily a data protection law rather than a cybersecurity law, but it carries security obligations: Article 32 requires "appropriate technical and organisational measures" proportionate to the risk, and Article 33 requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it where the breach is likely to result in a risk to individuals. The GDPR applies to organizations established in the EU or UK, and to organizations elsewhere that offer goods or services to, or monitor the behaviour of, people in those territories.
The GDPR grants data subjects eight rights, several of which overlap with the CCPA's:
- The right to be informed about data collection and use
- The right to access your personal data
- The right to rectify incorrect personal data
- The right to erasure (the "right to be forgotten"), subject to exceptions such as a legal obligation to retain the data
- The right to restrict processing of data
- The right to data portability
- The right to object to processing, including to direct marketing
- Rights related to automated decision-making and profiling.
Fines are levied by each country's supervisory authority (for example, the ICO in the UK) rather than by the government directly, and they come in two tiers. The upper tier, up to €20 million (£17.5 million under the UK GDPR) or 4% of worldwide annual turnover, whichever is higher, applies to the most serious infringements, such as breaching the core processing principles, data subject rights, or international transfer rules. The lower tier, up to €10 million (£8.7 million) or 2% of turnover, applies to infringements including failing to secure processing under Article 32 and failing to notify breaches. Security failures on their own therefore usually fall in the lower tier, but a breach that also reveals unlawful processing can be fined at the upper tier.
How to comply with privacy laws and regulations
As more states and countries implement strict regulations, it’s essential that your business complies with them to protect you and your customers.
Here’s what you can do to ensure you’re compliant with privacy laws:
- Get certified to ISO/IEC 27001 — the international standard for information security management systems gives you a structured, auditable security program and evidence of it for regulators and customers; it does not by itself make you compliant with any privacy law. ISO/IEC 27701 extends it with privacy management controls that map onto GDPR obligations
- Create a culture of cybersecurity at your organization — ensure your staff and suppliers know what's expected when it comes to protecting customer data, and put those expectations into supplier contracts (the GDPR requires a written agreement with every processor)
- Appoint a CISO — a chief information security officer improves accountability for data protection and privacy; where the GDPR requires it (public authorities, large-scale regular monitoring of individuals, or large-scale processing of special categories of data), you must also designate a Data Protection Officer
- Update your privacy policy — ensure your customers have all the information they need about how you process and use their data, and how to exercise their rights
- Implement proportionate security controls — the GDPR's "appropriate technical and organisational measures" and the CCPA's "reasonable security procedures" are judged against the risk, so inventory the personal data you hold, minimize it, encrypt it at rest and in transit, restrict and log access to it, and rehearse an incident response plan that can meet a 72-hour notification deadline.