In this post, we're going to delve into a topic that has been creating ripples across the cybersecurity industry, government bodies, and many other sectors: new state laws concerning cybersecurity.
The landscape is evolving, and businesses of all sizes, as well as individuals, will need to adapt and adopt more stringent cybersecurity measures. These sweeping changes across the United States challenge the traditional mindset that allowed businesses to choose the extent of their cybersecurity efforts.
Let's face it: the stakes are too high, and the threats have become increasingly severe.
The shift toward regulatory involvement was inevitable. We're not just talking about one or two states; at least 23 states have now implemented stringent cybersecurity laws. A notable example is Pennsylvania, which recently passed the Insurance Data Security Act. This law aims to enhance security within the insurance sector.
Why is this significant?
The insurance sector handles sensitive data on a daily basis, including personal information, financial details, and health records, making it a prime target for cybercriminals. Under this new law, insurance companies are obligated to implement a comprehensive cybersecurity program that safeguards their sensitive data. Furthermore, they must be capable of detecting, responding to, and recovering from cybersecurity incidents. Pennsylvania's initiative is just one example of the many cybersecurity laws being introduced nationwide.
Additionally, organizations must evaluate their specific risk profiles and design cybersecurity programs tailored to their needs. Notably, the law mandates that they assess the cybersecurity preparedness of their third-party service providers. This step represents a significant stride in the right direction, bringing accountability and enforcement to the cybersecurity conversation. It establishes a standard of due diligence and emphasizes proactive defense rather than reactive measures.
This development is part of a broader trend in which state governments are taking the lead in defining cybersecurity standards across the United States. It's not limited to the insurance industry; other sectors are also witnessing similar legislative measures. The momentum will continue, impacting businesses of all kinds in the near future.
So, what does this mean for businesses and individuals?
The laissez-faire approach to cybersecurity is no longer sufficient. While implementing a comprehensive cybersecurity program may be challenging and costly, it is an essential investment. Waiting any longer is not an option. Businesses must strategically and proactively align their cybersecurity practices with these new regulations and standards to safeguard their sensitive data.
Remember, compliance is not the sole objective here. The ultimate goal is to establish a robust defense against threats such as cybercriminals and ransomware. By doing so, you create an environment of trust and safety for your customers, stakeholders, supply chain, and the overall economy.
Key Takeaways from the Insurance Data Security Act of Pennsylvania
- Differentiation between types of information: Companies must assess whether the information is publicly available or if consumers have requested to keep it private to determine its security requirements.
- Risk assessment: Companies need to evaluate potential internal and external threats, assess the likelihood and potential damage of these threats, review existing safeguards, and implement additional measures to manage identified risks.
- Information security program: A comprehensive written program is required, including administrative, technical, and physical safeguards based on the company's risk assessment. Factors like company size, activities, and information sensitivity should be considered.
- Corporate oversight: Boards of directors have specific responsibilities related to information security, ensuring executive management develops and maintains the program, and providing annual reports on its status and compliance.
- Oversight of third-party service providers: Due diligence is necessary when selecting providers, and they must implement appropriate measures to protect the company's information systems and nonpublic information.
- Certification: Insurers must annually submit a written statement certifying compliance with specific requirements related to risk assessment, information security programs, corporate oversight, and oversight of third-party service providers.
- Investigation of cybersecurity events: Prompt investigation is required to determine the nature, scope, and compromised information of any cybersecurity event. Reasonable measures should be taken to restore security and prevent further unauthorized access or use.
- Notification of cybersecurity event: Companies must notify the regulatory commissioner within five business days of an event involving nonpublic information that may harm consumers or affect normal operations. Relevant information about the event and steps taken to address it should be included.
Find a Cybersecurity Service Near You
At Xact Cybersecurity, we have always advocated for strong cybersecurity practices. As these new laws take effect, it's time for everyone to step up their game. Feel free to reach out to us if you need assistance in securing your business or understanding the implications of these changes.