Significant increases in the exposure of personal information has led the U.S. government to introduce legislation to protect consumer data. These bills focus on creating a culture of security within public companies and requiring disclosure when personal information has been compromised.
Learn how these new laws could change your strategies for hiring leaders and training employees in security matters.
The Cybersecurity Disclosure Act of 2017
Cybersecurity isn’t something that should only be a concern for your IT team. When it comes to protecting data, your entire company must share in the commitment.
The Cybersecurity Disclosure Act of 2017 moves this responsibility to your boardroom. The bill requires publicly traded companies to:
1. Disclose whether any member of the governing body, such as board members, have expertise in cybersecurity
2. Describe what measures the company is taking to find board members who have cybersecurity experience (if there are none who currently meet this requirement)
The bill states that the U.S. Securities and Exchange Commission, together with the National Institute of Standards and Technology, will define “expertise or experience in cybersecurity.” This bill, and others like it on the state level, emphasize the government’s commitment to holding corporations responsible for making cybersecurity a priority.
Data Security and Breach Notification Act
No one wants to tell customers that their data was compromised. But the risks of not coming clean can compound the problem.
Uber waited more than a year before telling the public that data on 57 million drivers and riders had been breached. Instead, the company paid the hackers a ransom of $100,000 to keep quiet and supposedly delete the data. The fallout from this cover-up resulted in a public relations crisis for the company. Several of Uber’s security executives were fired, and the company is now under criminal investigation.
U.S. senators mentioned Uber when they introduced new legislation that would criminalize the failure to report on data breaches within 30 days. Under the proposed legislation, people who knowingly conceal a breach can face fines and up to five years in jail.
The Data Security and Breach Notification Act would also create federal standards around how companies manage consumer data. The legislation would require companies to assess their systems for vulnerabilities and destroy sensitive consumer data that they no longer use. The Federal Trade Commission would also offer incentives to businesses that adopt technology that makes consumer data unusable or unreadable if stolen during a breach.
Your State’s Cybersecurity Legislation
The Cybersecurity Disclosure Act and Data Security & Breach Notification Act address cybercrime on a federal level. However, individual states are also ramping up cybersecurity laws that impact businesses. Twenty-eight states enacted new cybersecurity legislation in 2017, and 42 states introduced bills or resolutions that could soon become law.
According to the National Conference of State Legislators, states are addressing the need for better cybersecurity by providing more funding for improved security measures. States are also demanding that businesses and government agencies implement security practices, forcing organizations to share in the commitment to keep personal data safe.
What Should You Do Next?
1. If you are a public company, identify cybersecurity experts within your executive team or board of directors. While the definition of this expertise has not been finalized, it’s worth proactively identifying possible cybersecurity experts within or outside of your team. Visit the Congress website to monitor the progression and evolving requirements for the Cybersecurity Disclosure Act of 2017.
2. Visit the National Conference of State Legislators website to learn if your state enacted or introduced cybersecurity legislation in 2017. This can help you prepare to comply with state regulations.
3. Work on creating a culture of security and transparency. Every member of your organization should understand the importance of security in their daily jobs. Employees must also feel comfortable keeping management informed of vulnerabilities or exposure of sensitive data.