To whom it applies: Any Europe-based organization that processes credit card transactions and European banks and financial institutions.
Key points for CISOs: PSD2 requires multi-factor authentication for European payment card transactions. It also requires banks and other financial institutions to give third-party payment service providers access to consumer bank accounts if account holders give consent.
More about PSD2
The Gramm-Leach-Bliley Act of 1999 (GLBA)
Purpose: Also known as the Financial Modernization Act of 1999, the GLB Act includes provisions to protect consumers’ personal financial information held by financial institutions. Its three principal parts to the privacy requirements are: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.
To whom it applies: Financial institutions (banks, securities firms, insurance companies) and companies providing financial products and services to consumers (including lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts).
Key points for CISOs: The privacy requirements of GLB include three principal parts:
- The Financial Privacy Rule: Requires financial institutions to give customers privacy notices that explain its information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information.
- The Safeguards Rule: Requires all financial institutions to design, implement and maintain safeguards to protect the confidentiality and integrity of personal consumer information.
- Pretexting provisions: Protect consumers from individuals and companies that obtain their personal financial information under false pretenses, including fraudulent statements and impersonation.
More on GLBA:
Customs-Trade Partnership Against Terrorism (C-TPAT)
Purpose: C-TPAT is a worldwide supply chain security initiative established in 2004. It is a voluntary initiative run by US Customs and Border Protection, with the goals of preventing terrorists and terrorist weapons from entering the US. It is designed to build cooperative government-business relationships that strengthen and improve the overall international supply chain and US border security. Businesses are asked to ensure the integrity of their security practices and communicate and verify the security guidelines of their business partners within the supply chain.
Benefits for participating in C-TPAT include a reduced number of CBP inspections, priority processing for CBP inspections, assignment of a C-TPAT supply chain security specialist to validate security throughout the company’s supply chain and more.
To whom it applies: Trade-related businesses, such as importers, carriers, consolidators, logistics providers, licensed customs brokers and manufacturers.
Key points for CISOs: C-TPAT relies on a multi-layered approach consisting of the following five goals:
- Ensure that C-TPAT partners improve the security of their supply chains pursuant to C-TPAT security criteria.
- Provide incentives and benefits to include expedited processing of C-TPAT shipments to C-TPAT partners.
- Internationalize the core principals of C-TPAT.
- Support other CBP initiatives, such as Free and Secure Trade, Secure Freight Initiative, Container Security Initiative.
- Improve administration of the C-TPAT program.
C-TPAT security criteria encompass:
- Business partners
- Conveyance security
- Physical access control
- Personnel security
- Procedural security
- Physical security
- Security training/threat awareness
- Information technology security
Free and Secure Trade Program (FAST)
Purpose: FAST is a voluntary commercial clearance program run by US Customs and Border Protection for pre-approved, low-risk goods entering the US from Canada and Mexico. Initiated after 9/11, the program allows for expedited processing for commercial carriers who have completed background checks and fulfill certain eligibility requirements. Participation in FAST requires that every link in the supply chain — from manufacturer to carrier to driver to importer — is certified under the C-TPAT program (see above).
To whom it applies: Importers, carriers, consolidators, licensed customs brokers and manufacturers.
Key points for CISOs: Highway carriers authorized to use the FAST/C-TPAT program need to meet the following security-related requirements:
- A demonstrated history of complying with all relevant legislative and regulatory requirements.
- Have made a commitment to security-enhancing business practices, as required by the C-TPAT and Canada’s PIP program.
Children’s Online Privacy Protection Act (COPPA)
To whom it applies: Operators of commercial websites and online services directed to children under 13 that collect personal information from children, as well as general audience websites with knowledge they are collecting personal information from children.
Key points for CISOs: COPPA requires:
- Privacy notice with specifics on placement and content
- A direct notice to parents with specifics on content
- Verifiable parental consent, for internal use, public disclosure and third-party disclosure of information
- Verification that a parent requesting access to child’s information is the parent
- Ability for parents to revoke consent and delete information
- The ability for industry groups and others to create self-regulatory programs to govern compliance with COPPA
More on COPPA:
Fair and Accurate Credit Transaction Act (FACTA)
Purpose: Passed in December 2003, FACTA is an amendment to the Fair Credit Reporting Act that is intended to help consumers avoid identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in the legislation. The Act also says businesses in possession of consumer information or information derived from consumer reports must properly dispose of the information.
The Red Flags Rule establishes new provisions within FACTA requiring financial institutions, creditors, etc. to develop and implement an identity theft prevention program.
To whom it applies: Credit bureaus, credit reporting agencies, financial institutions, any business that uses a consumer report and creditors. As defined by FACTA, a creditor is anyone who provides products or services and bill for payment.
Key points for CISOs: FACTA includes the following key provisions:
- Fraud alerts and active duty alerts. Individuals can place alerts on their credit histories if identity theft is suspected or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult.
- Information available to victims. A business that provides credit or products and services to someone who fraudulently uses your identity must give you copies of the documents, such as credit applications.
- Collection agencies: If a victim of identity theft is contacted by a collection agency about a debt that resulted from the theft, the collector must inform the creditor of that. When creditors are notified that the debt is the work of an identity thief, they cannot sell the debt or place it for collection.
- Red Flags Rule: Several provisions within FACTA require financial institutions, creditors, etc. to develop and implement an identity theft prevention program, aimed at early detection and mitigation of fraud. The program must include provisions to identity relevant “red flags,” detect these early warning signs, respond appropriately and periodically update the program. Additional provisions include guidelines and requirements to assess the validity of a change of address request and procedures to reconcile different consumer addresses.
- Proper disposal of consumer reports. Consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal to avoid “dumpster diving” by identity thieves. This includes lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, attorneys and private investigators, debt collectors, individuals who obtain a credit report on prospective nannies, contractors or tenants.
- Disputing inaccurate information. Consumers can dispute data included in reports directly with the company that furnished it.
Federal Rules of Civil Procedure (FRCP)
Purpose: In place since 1938, the FRCP discovery rules govern court procedures for civil lawsuits. The first major revisions, made in 2006, make clear that electronically stored information is discoverable, and they detail what, how and when electronic data must be produced. As a result, companies must know what data they are storing and where it is. They need policies in place to manage electronic data, and they need to be able to prove compliance with these policies to avoid unfavorable rulings resulting from failing to produce data that is relevant to a case.
Security professionals may be involved in proving to a court’s satisfaction that stored data has not been tampered with.
To whom it applies: Any company that is — or could be — involved in a civil lawsuit within the federal courts. Because states have adopted FRCP-like rules, companies involved in litigation within a state court system are also affected.
Key points for CISOs: Security professionals may be involved in proving to a court’s satisfaction that stored data has not been tampered with. There are 13 sections to the FCRP. Chapter 5, Rules 26-37 require a detailed understanding of electronic data retention policies and procedures, what data exists and where, as well as the ability to search for and produce this data within the timeframes stipulated. These rules:
- Make clear that electronically stored information is discoverable and that companies must be able to produce relevant data.
- Clarify limits on discoverable data; for instance, companies are not required to produce data that would prove to be excessively expensive or burdensome, such as from sources that aren’t reasonably accessible, like backup tapes used for disaster recovery and obsolete media.
- Stipulate that the parties involved need to discuss issues relating to the disclosure or discovery of electronic data before discovery begins.
- Establish that a reasonable opportunity is provided to examine and audit the data provided.
- Establish that electronic data is as important as paper documents, and that it must be produced in a reasonably usable format.
- Provide “safe harbor” when electronic data is lost or unrecoverable, as long as it can be proved that good-faith business operations were routinely followed.
Industry-specific regulations and guidelines
Federal Information Security Management Act (FISMA)
Purpose: Enacted in 2002, FISMA requires federal agencies to implement a program to provide security for their information and information systems, including those provided or managed by another agency or contractor. It is Title III of the E-Government Act of 2002.
To whom it applies: Federal agencies.
Key points for CISOs: FISMA recommends that an effective security program include:
- Periodic risk assessments
- Policies and procedures based on these assessments that cost-effectively reduce information security risk and ensure security is addressed throughout the life cycle of each information system
- Subordinate plans for information security for networks, facilities, etc.
- Security awareness training for personnel
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices and controls, at least on an annual basis
- A process to address deficiencies in information security policies
- Procedures for detecting, reporting and responding to security incidents
- Procedures and plans to ensure continuity of operations for information systems that support the organization’s operations and assets
North American Electric Reliability Corp. (NERC) standards
Purpose: The NERC standards were developed to establish and enforce reliability standards for the bulk electric systems (BES) of North America, as well as protect the industry’s critical infrastructure from physical and cyber threats. These overall standards became mandatory and enforceable in the US on June 18, 2007. Critical Infrastructure Protection (CIP) elements of the reliability standard have been subsequently updated, most recently in 2009. CIP standards include identification and protection of both physical assets and digital systems.
To whom it applies: North American electric utilities.
Key points for CISOs: NERC standards fall into 14 categories, but CIP is the most relevant to security. CIP has 12 sections:
- Cyber System Categorization
- Security Management Controls
- Personnel and Training
- Electronic Security Perimeters
- Physical Security of BES Cyber Systems
- System Security Management
- Incident Reporting and Response Planning
- Recovery Plans for BES Cyber Systems
- Configuration Change Management and Vulnerability Assessments
- Information Protection
- Supply Chain Risk Management
- Physical Security
More about the NERC standards
Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
Purpose: Part 11, as it is commonly called, was issued in 1997 and is monitored by the US Food and Drug Administration (FDA). It imposes guidelines on electronic records and electronic signatures to uphold their reliability and trustworthiness.
To whom it applies: All FDA-regulated industries that use computers for regulated activities, both in the US and outside the country.
Key points for CISOs: Part 11 has 19 requirements, the most important of which include:
- Use of validated existing and new computerized systems
- Secure retention of electronic records and instant retrieval
- User-independent, computer-generated, time-stamped audit trails
- System and data security, data integrity and confidentiality through limited authorized access to systems and records
- Use of secure electronic signatures for closed and open systems
- Use of digital signatures for open systems
- Use of operational checks
- Use of device checks
- Determination that the people who develop, maintain or use electronic systems have the education, training and experience to perform their assigned task
Health Insurance Portability and Accountability Act (HIPAA)
Purpose: Enacted in 1996, HIPAA is intended to improve the efficiency and effectiveness of the healthcare system. As such, it requires the adoption of national standards for electronic health care transactions and code sets, as well as unique health identifiers for providers, health insurance plans and employers. (HIPAA’s requirements are significantly updated by the HITECH Act — see next entry).
The complete suite of rules is known as the HIPAA Administrative Simplification Regulations. It is administered by The Centers for Medicare & Medicaid Services and The Office for Civil Rights.
To whom it applies: Healthcare providers, health plans, health clearinghouses and “business associates,” including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.
Key points for CISOs: Recognizing that electronic technology could erode the privacy of health information, the law also incorporates provisions for guarding the security and privacy of personal health information. It does this by enforcing national standards to protect:
- Individually identifiable health information, known as the Privacy Rule
- The confidentiality, integrity and availability of electronic protected health information, known as the Security Rule
More about HIPAA
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Purpose: Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act adds to HIPAA new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement.
To whom it applies: Healthcare providers, health plans, health clearinghouses and “business associates,” including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.
Key points for CISOs: The HITECH Act:
- Expands HIPAA security standards to “business associates,” including people and organizations (typically subcontractors) that perform activities involving the use or disclosure of individually identifiable health information, such as claims processing, data analysis, quality assurance, billing, and benefit management, as well as those who provide legal, accounting, or administrative functions.
- Increases civil penalties for “willful neglect.”
- Adds data breach notification requirements for unauthorized uses and disclosures of “unsecured PHI.” These notification requirements are similar to many state data breach laws related to personally identifiable financial information data.
- Provides stronger individual rights to access electronic medical records and restrict the disclosure of certain information.
- Places new limitations on the sale of protected health information, marketing and fundraising communications.
Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
Purpose: Enacted on January 19, 2009, PSQIA establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and healthcare quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides federal privilege and confidentiality protections for patient safety information, which includes information collected and created during the reporting and analysis of patient safety events.
These confidentiality provisions are intended to improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk. The Office of Civil Rights administers and enforces the confidentiality protections provided to PSWP. The Agency of Healthcare Research and Quality administers the provisions dealing with PSOs.
To whom it applies: Healthcare providers, patients and individuals/entities that report medical errors or other patient safety events.
Key points for CISOs:
- Subpart C describes the privilege and confidentiality protections that attach to patient safety work product and the exceptions to the protections.
- Subpart D establishes a framework to enable HHS to monitor and ensure compliance with the confidentiality provisions, a process for imposing a civil money penalty for breach of the confidentiality provisions, and hearing procedures.
H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation (CFATS)
Purpose: The CFATS regulation went into effect in 2007 and was developed as part of the US Department of Homeland Security Appropriations Act. It imposes federal security regulations for high-risk chemical facilities, requiring covered chemical facilities to prepare security vulnerability assessments and to develop and implement site security plans that include measures to satisfy the identified risk-based performance standards.
To whom it applies: Chemical facilities, including manufacturing; storage and distribution; energy and utilities; agriculture and food; paints and coatings; explosives; mining; electronics; plastics; and healthcare.
Key requirements/provisions: CFATS uses risk-based performance standards rather than prescriptive standards. Security measures vary depending on each facility’s determined level of risk. DHS created a tiered system and assigned chemical facilities into one of four “risk” tiers, ranging from high (Tier 1) to low (Tier 4) risk. Tier assignment is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest. Once assigned a tier, facilities must comply with 18 categories of risk-based performance standards.
Key U.S. state regulations
California Consumer Privacy Act (CCPA)
Purpose: The California Consumer Privacy Act (CCPA) is a law that allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. The CCPA also allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
To whom it applies: All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data also fall under the law. Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States. A later amendment exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).
Key points for CISOs: The CCPA defines personal data as:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
Businesses are not required to report breaches under AB 375, and consumers must file complaints before fines are possible. The best course of action for security, then, is to know what data AB 375 defines as private data and take steps to secure it.
More about the CCPA
California Privacy Rights Act (CPRA)
Purpose: The CPRA, which will go into effect on January 1, 2023, revises the CCPA and creates a new consumer privacy agency. The act toughens some aspects of the CCPA while removing some smaller companies from its requirements.
To whom it applies: All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that have personal data on at least 100,000 residents or households or that collect more than half of their revenues from the sale of personal data also fall under the law.
Key points for CISOs: The CPRA:
- Raises the size limit on companies to those that have data on 100,000 California residents or households, removing the CCPA’s inclusion of device data.
- Requires any third party a business uses to be CPRA compliant.
- Removes responsibility for CPRA violations committed by third parties if certain agreements are in place and the business partner is in compliance with CPRA.
- Creates new data minimization rules that prohibit business from retaining consumer information longer than absolutely necessary.
- Gives consumers more opt-out rights.
- Increases liability for breaches in some cases–for example, if the breach involves data on minors.
More about the CPRA
Colorado Privacy Act
Purpose: Signed into law on June 8, 2021, the Colorado law gives consumers residing in Colorado more power to control their PII held by commercial entities, much like the California Consumer Privacy Act.
To whom it applies: Any entity that conducts business in Colorado or produces or delivers commercial products and services to the state’s residents and meets these criteria:
- Controls or processes PII of 100,000 Colorado residents annually
- Realizes revenue or discounts on goods or services from the sale of PII and processes or controls the data of at least 25,000 consumers.
Key points for CISOs: Like other privacy regulations the Colorado law distinguishes between processors and controllers. However, it requires processors to assist controllers with compliance, including having technical and organizational means to:
- Help controllers respond to consumer requests
- Assist with the security of processing PII and breach notifications
- Allow controllers to conduct and document data protection assessments
- Allow controllers to conduct audits
Connecticut Data Privacy Act (CTDPA)
Purpose: The Connecticut law goes into effect on July 1, 2023. It gives the state’s residents the right to confirm whether an entity is processing their personal data, to have access to that data in a portable and usable format, and to correct inaccuracies or delete data.
To whom it applies: Persons who conduct business in Connecticut or produce products or services that targeted the state’s residents, and that control or process the personal data of 100,000 or more Connecticut residents or 25,000 or more residents if the business derives more than 25% of its gross revenue from the sale of personal data. The law excludes residents whose personal data is controlled or processed only to complete a payment transaction
Key points for CISOs: Organizations must also provide a “secure and reliable” means for consumers to exercise their rights under the law, though the law does not provide guidance on those means. The law also requires data controllers to document its data protection assessments for each processing activity that presents a heightened risk of harm to the consumer.
Maine Act to Protect the Privacy of Online Consumer Information
Purpose: The Maine law, which went into effect on July 1, 2020, bars broadband internet access providers from “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access,” with some exceptions. The bill further requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access.
To whom it applies: Broadband internet access providers
Key points for CISOs: The law defines personal information is defined as “personally identifiable customer information” about the customer and information derived from the customer’s use of broadband internet access services such as web browsing history, geolocation data, device identifiers and a number of other technical data points that can be used to identify individuals.
Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
Purpose: Approved by Governor Larry Hogan on April 30, 2019 and effective as of October 1, 2019, the law extends the state’s existing data breach requirements to personal information maintained by a business in addition to personal information owned or licensed by a business.
To whom it applies: Any business that own licenses or maintain personal information on Maryland residents.
Key points for CISOs: Businesses are also now required to conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach. Businesses that simply maintain personal data may not charge the owner or licensee a fee for providing the information needed to notify Maryland residents. The law also places certain limitations on information relative to the breach.
Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
What it covers: This Massachusetts law, which went into effect March 2010, works to protect the state’s residents against fraud and identity theft. It requires that any business that stores or uses personally identifiable information about a Massachusetts resident develop a written, regularly audited plan to protect this information. It takes a risk-based approach rather than a prescriptive one. It directs businesses to establish a security program that takes into account the business size, scope, resources, nature and quantity of data collected or stored and the need for security rather than requiring the adoption of every component of a stated program.
To whom it applies: Businesses that collect and retain personal information of Massachusetts residents in connection with the provision of goods and services or for the purpose of employment.
Key points for CISOs: Key requirements include:
- A documented information security program, detailing technical, physical and administrative measures taken to safeguard personal information
- Encryption of personally identifiable information — a combination of a name, Social Security number, bank account number or credit card number — when stored on portable devices, such as laptops, PDAs and flash drives, or transmitted wirelessly or on public networks
- Selection of third-party service providers that can properly safeguard personal information
- Designated employees charged with overseeing and managing security procedures in the workplace, as well as continuously monitoring and addressing security hazards
- Limits on the collection of data to the minimum required for the intended purpose
- Computer system security requirements, including secure user authentication protocols, access control measures, system monitoring, firewall protection, updated security patches and security agent software and employee education and training
Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
To whom it applies: Any company that does business in Massachusetts
Key points for CISOs: The law:
- Amends the content requirements for breach notifications to state residents by requiring disclosure of the parent company of the entity breached.
- Places new content requirements for breach notifications, including the disclosure of the person responsible for the breach in breach notifications, the contact information of the entity that experienced the breach and the person who reported the breach, the type of personal information compromised, whether the breached entity maintains a written information security program, and a sample copy of the notice sent to state residents.
- Stipulates that breach notification may not be delayed on grounds that the total number of residents affected is not yet ascertained.
Nevada Personal Information Data Privacy Encryption Law NRS 603A
Purpose: Nevada enacted NRS 603A in January 2010, making it the first state with a data security law that mandates encryption for customers’ stored and transported personal information.
To whom it applies: Businesses that collect and retain personal information of Nevada residents.
Key points for CISOs: The law contains these requirements:
- Data collectors that accept payment cards must comply with PCI DSS (see above).
- Businesses must encrypt any personal information that is electronically transmitted outside the business’s secure system.
- Business must encrypt any personal information stored on a device (computer, phone, magnetic tape, flash drive, etc.) moved beyond the logical or physical controls of the data collector or data storage contractor.
- Businesses are not liable for damages of a security breach if they comply with the law and the breach was not caused by gross negligence or intentional misconduct.
New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
Purpose: Effective as of September 1, 2019, the bill treats credentials for any online account, including a personal account, as personal information subject to state breach notification laws.
To whom it applies: Any company that does business in New Jersey.
Key points for CISOs: The bill considers the following personal information:
- Social Security number
- Driver’s license number or state identification card number
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account
- Dissociated data that, if linked, would constitute personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data
The law also clarifies that any relevant entity may not provide data breach notifications through email accounts that have been affected by a security breach and must find some other notification method.
New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
Purpose: The new rules in 23 NYCRR 500, adopted on February 16, 2017, place minimum cybersecurity requirements on covered financial institutions. Each company must assess its risk profile and design a program that addresses its risks.
To whom it applies: Any DFS-regulated entity doing business in New York that has more than 10 employees, more than $5 million a year in revenue, and year-end assets exceeding $10 million
Key points for CISOs: Companies that fall under the regulation must establish an internal cybersecurity program to protect information assets under their control. Smaller entities must meet other obligations, including limiting access to information, assessing their risk, implementing policies related to third-party data control, and their own data disposition. All regulated entities must report data breaches, regardless of size, designate a CISO and maintain audit trails.
More on 23 NYCRR 500
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Purpose: The Stop Hacks and Improve Electronic Data Security Act (Senate Bill S5575B), signed into law on July 25, 2019, expands the state’s current data breach law and imposes cybersecurity obligations on covered entities.
To whom it applies: Any person or entity with private information of a New York resident, not just to those that conduct business in New York State
Key points for CISOs: The bill:
- Expands the scope of information subject to the current data breach notification law to include biometric information and email addresses and their corresponding passwords or security questions and answers.
- Broadens the definition of a data breach to include unauthorized access to private information.
- Updates the notification procedures companies and state entities must follow when there has been a breach of private information.
- Creates data security requirements tailored to the size of a business.
Oregon Consumer Information Protection Act (OCIPA) SB 684
Purpose: Effective as of October 1, 2019, the legislation amends state law by expanding the definition of personal information under the statute to include online account credentials.
To whom it applies: Any company that does business in Oregon
Key points for CISOs: The bill creates, with some exceptions, additional notification obligations for “vendors” that maintain or process personal information on behalf of other businesses, who will also be required to notify the Oregon attorney general if the personal information of more than 250 residents (or an indeterminate number of residents) is involved. All vendors must notify the relevant business, and a sub-vendor must notify the relevant vendor, within 10 days of discovering or having reason to believe a security breach occurred.
Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
Purpose: Effective as of January 1, 2020, the legislation amends state law to change the time period for breach notification.
To whom it applies: Any business that owns or process personal information on Texas residents.
Key points for CISOs: The breach notification timeframe changes from “as quickly as possible” to “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.” If the breach affects more than 250 residents of the state, a person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred.
The notification must also contain a detailed description of the breach, the number of affected Texas residents, the measures taken by the breached entity in response to the incident and whether law enforcement has been engaged.
Utah Consumer Privacy Act
Purpose: The Utah Consumer Privacy Act goes into effect December 31, 2023. It gives consumers more control over the data businesses control and process, including opting out of data collection. It also places requirements on safeguarding consumer data.
To whom it applies: Any organization that conducts business in Utah or produces products or services that target Utah residents, has annual revenues of $25 million or more, and either processes personal data of 100,000 or more Utah residents or derives more than 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.
Key points for CISOs: The Utah law is unusual in that it requires no data protection or risk assessments or cybersecurity audits.
Virginia — Consumer Data Protection Act (CDPA)
Purpose: Effective January 1, 2023, the CDPA presents a framework for how companies that do business in Virginia control or process personal data.
To whom it applies: The bill’s provisions apply only to businesses that control or process personal information of at least 100,000 consumers, defined as Virginia residents, or companies that control or process the data of at least 25,000 Virginia residents that also derive 50% or more of their gross revenue from the sale of personal data.
Key points for CISOs: The CDPA gives Virginia consumers the right to access, correct, delete, and obtain a copy of the personal information that covered businesses hold about them. Businesses, referred to as controllers, must perform impact assessments to ensure they are not infringing on consumers’ rights when processing their data. Controllers must implement appropriate technical and security controls and have appropriate agreements in place with vendors, referred to as processors. The bill also places conditions on controllers that make de-identification of data more difficult.
Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)
Purpose: Effective as of March 1, 2020, the law expands the scope of Washington’s existing data breach law by revising the statutory definition of personal information.
To whom it applies: Any company that does business in Washington State.
Key points for CISOs: The definition of personal information now includes an individual’s first name or initial and last name in combination with other data elements such as full date of birth, student ID number, passport number, health insurance policy or identification number, private key that is unique to an individual and that is used to authenticate or sign an electronic record, medical information and biometric information.
Businesses now only have 30 days, rather than 45 days, to deliver the required notifications. Notifications must include a timeframe of exposure, if known, including the date of the breach and the date of the discovery of the breach, the types of personal information affected, a summary of steps taken to contain the breach, and a sample copy of the breach notification sent to Washington residents. A business must update the attorney general if all this information is unknown at the time of the breach.
International security and privacy laws
Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA) — Canada
Purpose: PIPEDA governs how public and private organizations collect, use and disclose personal information in the course of business. It went into effect in January 2001 for federally regulated organizations and in January 2004 for all others. In May 2010, Bill C-29 introduced amendments to PIPEDA, involving exceptions for the use and disclosure of personal information without consent and further requirements for business transactions.
To whom it applies: All private-sector companies doing business in Canada.
Key points for CISOs: PIPEDA establishes ten principles to govern the collection, use and disclosure of personal information:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
Personal Information Protection Law (PIPL) — China
Purpose: Effective November 1, 2021, PIPL serves the dual purpose of protecting individual’s privacy and ensuring China’s national security. It regulates how data on Chinese citizens is stored and processed in the country with the intent to preserve China’s digital sovereignty.
To whom it applies: Any organization that collects and processes information of Chinese citizens.
Key points for CISOs: The law is vague on how the specifics of the regulation and how it will be enforced as regulatory proceedings to define compliance have not yet taken place. What CISOs need to be most concerned about is how they handle cross-border information flows. For example, if an entity outside of China processes data that falls under this law, then that entity might need to set up a presence within China.
Digital Personal Data Protection Act — India
Purpose: The Digital Personal Data Protection Act governs the processing of digital personal data “in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.” It was signed into law by India’s president on August 11, 2023.
To whom it applies: Any organization processing digital data or non-digital data of India’s citizens that is later digitized within the country. It also applies to organizations that process the digital data of India’s citizens outside of the country if the organization offers goods or services within the country.
Key points for CISOs: The Digital Personal Data Protection Act allows for penalties in the case of a data breach. The amount of the penalty depends on these factors:
- The nature, gravity, and duration of the breach
- The type and nature of the personal data affected by the breach
- Whether the breach recurs
- Whether the organization, as a result of the breach, has realized a gain or avoided any loss
- Whether the organization took any action to mitigate the effects and consequences of the breach and the timeliness and effectiveness of such action
- Whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the act’s provisions
- The likely impact of the imposition of the monetary penalty on the organization.
Law on the Protection of Personal Data Held by Private Parties — Mexico
Purpose: Published in July 2010, this Mexican law requires organizations to have a lawful basis — such as consent or legal obligation — for collecting, processing, using and disclosing personally identifiable information. While there is no requirement to notify processing activities to a government body, as in many European countries, companies handling personal data must furnish notice to the affected persons. Individuals must also be notified in the event of a security breach.
To whom it applies: Mexican businesses, as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico.
Key points for CISOs: In addition to addressing data retention, the law also incorporates eight general principles that data controllers must follow in handling personal data:
- Purpose limitation
General Data Protection Regulation (GDPR)
Purpose: The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. Its provisions require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. The provisions are consistent across all EU member states, so companies have just one standard to meet within the EU. However, that standard is high and requires most companies to make a large investment to meet and administer.
To whom it applies: Any company that stores or processes personal information about EU citizens within EU states, even if they do not have a business presence within the EU. Criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.
Key points for CISOs: The GDPR requires the protection of the following personal data:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
The GDPR places equal liability on organizations that own the data and third-party data processors. That means both are subject to fines in case of a breach or complaint. Organizations are responsible to ensure that their third-party data processors are GDPR compliant.
More on the GDPR