Keeping Up with Cybersecurity Compliance: Deadlines and Examples
With the ever-increasing cybersecurity threats present in the digital world, companies and organizations must stay abreast of the latest cybersecurity mandates.
Whether your company is big or small, compliance with these mandates is a must for protection against cyberattacks and data theft.
Stay ahead of the curve and learn the necessary steps all organizations need to take to remain compliant with current and upcoming legislation regarding cybersecurity mandates.
Key cybersecurity compliance, mandates, and legislation
Cybersecurity compliance is constantly evolving and includes several important mandates and pieces of legislation, such as GDPR, SHIELD, and COPPA.
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)
- NIST Cybersecurity Framework
- CPRA (California Privacy Rights Act)
- COPPA (Children’s Online Privacy Protection Act)
GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) was designed to provide individuals with more control over their personal data and strengthen the security of businesses that process it.
GDPR applies to all companies that process personal data of European citizens, regardless of where they are located.
Key GDPR requirements and obligations for companies:
- Implement appropriate technical and organizational measures to protect personal data.
- Appoint a Data Protection Officer (DPO).
- Comply with data subjects’ rights.
- Report data breaches to the authorities and affected individuals.
- Carry out data protection impact assessments.
- Notify individuals of personal data processing activities.
The GDPR has been enforced since May 25th, 2018. Companies that fail to comply with the GDPR could be subject to fines of up to 20 million Euros or 4% of the company’s global annual revenue.
CCPA (California Consumer Privacy Act)
The California Consumer Privacy Act (CCPA) is a comprehensive consumer privacy law that affects businesses operating in the state of California.
It grants consumers new rights and protections over their personal data, including the right to know what information is being collected about them, the right to opt out of having their data sold, and the right to sue companies for data breaches.
Key CCPA provisions and compliance requirements:
- Businesses must provide a conspicuous link labeled “Do Not Sell My Personal Information” on their website homepage.
- Companies must provide a designated method for consumers to request their personal data be deleted.
- Businesses must track the sources from which they obtained consumer data and must provide this information when requested.
The CCPA is set to be fully enforced in July 2020. Failure to comply with the CCPA could result in penalties of up to $7,500 per violation and class action lawsuits from affected consumers.
SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was signed into law in July 2019. It is an amendment to New York’s existing data breach law and is designed to protect consumers from data breaches.
The SHIELD Act requires companies to implement “reasonable” security measures to protect consumer data, have an incident response plan in place for handling data breaches, and provide notification of a breach to those affected by it.
Key provisions and compliance requirements:
- Businesses must take reasonable measures to protect consumer data from unauthorized access, disclosure, or destruction.
- Businesses must notify consumers of a data breach within 72 hours of discovery.
- Businesses must also provide notification to the state attorney general and credit reporting agencies if the breach affects more than 500 people.
- Businesses must have an incident response plan in place.
The SHIELD Act is set to be enforced on October 23rd, 2019. Companies that fail to comply with the SHIELD Act could be subject to fines of up to $250,000 and class action lawsuits from affected consumers.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (NCSF) is a voluntary framework that provides guidance for organizations to manage their cybersecurity risks.
It was developed by the National Institute of Standards and Technology (NIST) in collaboration with industry, academic, and government stakeholders.
The framework provides a structure for organizations to assess and manage their cybersecurity risks and aligns with existing laws, regulations, and industry standards.
Key components of the NIST framework:
- Identify: This function covers an organization’s ability to identify and manage assets, threats, vulnerabilities, and controls.
- Protect: This function covers an organization’s ability to secure assets and reduce risks.
- Detect: This function covers an organization’s ability to detect anomalous activity and respond appropriately.
- Respond: This function covers an organization’s ability to respond quickly and effectively to security incidents.
- Recover: This function covers an organization’s ability to recover from security incidents and restore normal operations.
Organizations are encouraged to use the framework as soon as possible, but there is no official compliance deadline. Consequences for non-compliance vary by organization and could include reputational damage, financial losses, and legal action.
CPRA (California Privacy Rights Act)
The California Privacy Rights Act (CPRA) is set to take effect on January 1, 2020.
It expands upon the existing California Consumer Privacy Act (CCPA), providing consumers with more control and visibility into how their personal data is collected, used, and shared.
The CPRA grants consumers the right to:
- Access what personal data companies have collected about them.
- Correct inaccurate information.
- Delete their personal data.
- Opt out of the sale or sharing of their personal data.
Organizations that do business in California are required to comply with the CPRA by January 1, 2021, or immediately upon legal registration. Failing to do so could result in hefty fines and other penalties.
COPPA (Children’s Online Privacy Protection Act)
The Children’s Online Privacy Protection Act (COPPA) is a federal law that was passed in 1998 to protect the online privacy of children under the age of 13.
It requires websites and online services to obtain parental consent before collecting, using, or disclosing personal information from children.
Key provisions and security requirements for businesses:
- Businesses must obtain parent or guardian consent before collecting, using, or disclosing any personal information from children.
- Businesses must delete or de-identify collected data upon request.
- Businesses must obtain annual verifiable parental consent for any new collection or use of a child’s personal information.
- Businesses must designate an employee to act as a privacy contact for any complaints or questions.
- Businesses are required to comply with COPPA immediately upon registration.
The FTC is responsible for enforcing COPPA and can impose civil penalties of up to $42,530 for violations.
Businesses can also face legal action from individuals or organizations if they are found to be in violation of COPPA.
Steps for ensuring cybersecurity compliance
- Conduct a comprehensive cybersecurity risk assessment
- Implement appropriate security measures and controls
- Establish data breach response plans and incident management procedures
- Train employees on cybersecurity best practices and awareness
- Hire any new cybersecurity professionals needed to manage cybersecurity compliance
- Engage with legal and compliance experts for guidance and advice
- Monitor updates in cybersecurity mandates and legislation
Keeping up with cybersecurity compliance
Staying up-to-date with the latest cybersecurity compliance laws and regulations is essential for organizations of any size.
By taking proactive steps to assess, mitigate, and respond to cyber risks, businesses can ensure that their digital assets are secure and protected.
Organizations should consider implementing specific policies, procedures, and technologies to help them meet their legal obligations and protect against threats.
Once your organization has taken the necessary steps, be sure to regularly review and update your cybersecurity policies and procedures to keep up with the ever-changing cyber landscape.
*The specific details, deadlines, and legislation mentioned in this article are not exhaustive; they are meant as a high-level guide and may need to be tailored to the latest cybersecurity mandates and legislation applicable to your audience and jurisdiction. It is important to stay up-to-date on the latest cybersecurity compliance mandates and legislation, as they are subject to change.*
Looking to hire top-tier Cybersecurity Talent? We can help.
Every year, Mondo helps to fill over 2,000 open Tech, Digital Marketing & Creative positions nationwide.