CYBERSECURITY
Regulation of Cyber Security
Data breach and cybersecurity obligations are now part of global corporate compliance, alongside the many national laws and regulations on anti-bribery, anti-corruption, and anti-terrorism programs, which rely on the same liability principles.
There is currently no overarching federal cyber law in the United States. The two traditional federal cybersecurity regulations that touch the financial sector require only a "reasonable" level of security, and their vague language leaves much room for interpretation.
The Gramm-Leach-Bliley Act (GLBA) of 1999 was passed in order to modernize the financial sector, recognizing that mergers between different sectors of the financial industry would result in consolidated institutions with unprecedented access to consumers’ private data.
The Federal Information Security Management Act (FISMA), enacted in 2002 alongside the Homeland Security Act, mandates that federal agencies, and the contractors and service providers that operate systems on their behalf, protect their information systems and the information they hold.
For example, FISMA "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security." Neither GLBA nor FISMA addresses computer-related industries as such, so internet service providers and software companies fall outside both.
More recently, several new cybersecurity laws were enacted and older ones amended to build a better security ecosystem. Among them are the Cybersecurity Information Sharing Act (CISA), enacted as Title I of the Cybersecurity Act of 2015, which encourages the sharing of cybersecurity threat indicators between companies and the federal government, and the Cybersecurity Enhancement Act of 2014, which provides for a voluntary public-private partnership to improve cybersecurity research and development.
The Department of Commerce's National Institute of Standards and Technology (NIST) has published a voluntary, risk-based Cybersecurity Framework: a compilation of industry standards, best practices, and guidelines developed by organizations such as NIST itself and the International Organization for Standardization (ISO).
The Framework calls this compilation the "Core," composed of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover. Taken together they describe the lifecycle of an organization's management of cybersecurity risk.
Each Function is divided into Categories tied to programmatic needs and particular activities; each Category is further broken down into Subcategories, and each Subcategory is mapped to Informative References that cite specific sections of standards and guidelines (for example, controls in NIST SP 800-53 or clauses of ISO/IEC 27001).
For most security practitioners in finance, the NIST Framework may seem basic, since banks' own programs are often far more sophisticated, but it still makes sense for a legal team in a merger to check the target's program against these guidelines, if only for the assurance that nothing is missing from a client's cutting-edge program. The Framework is voluntary for the private sector, so it serves as a due-diligence baseline rather than a legal requirement.
In 2018, California jumped ahead of other states, catching up with and even surpassing 23 NYCRR Part 500, the regulation promulgated by the New York Department of Financial Services in 2017 that establishes cybersecurity requirements for financial services companies.
The California Consumer Privacy Act of 2018 (CCPA) largely follows in the footsteps of the most stringent privacy regulation to date, the European Union's General Data Protection Regulation (GDPR), which applies to the personal data of any individual in the European Union.
Like California's regulation for Internet of Things (IoT) devices, the CCPA became operative on January 1, 2020. To comply with the CCPA, businesses must, among other things, disclose to consumers the categories of personal information they collect and the purposes for which it is used, and honor consumer requests to access or delete that information and to opt out of its sale.