Cybersecurity Laws and Regulations to Know About (2024)

As businesses weave cloud computing, edge computing, internet-of-things (IoT), artificial intelligence (AI), machine learning (ML), and myriad other digital innovations into their information technology infrastructure, one thing is for certain: digital is the future. 

Digital technologies bring companies unbelievable benefits. However, digital realms are also rife with dangers. Data breaches, regulatory compliance oversight, data privacy failures, malware, ransomware, phishing, identity theft, and numerous other cyberattacks are the tip of the iceberg when it comes to cybersecurity challenges. 

According to McKinsey, these cyberattacks will cause damages worth $10.5 trillion by 2025. Furthermore, businesses must know and abide by a long list of cybersecurity laws and regulations. These cybersecurity regulations include federal laws, state laws, and laws specific to certain private sectors. The overseers of these cybersecurity regulations include federal agencies, various other government agencies, law enforcement organizations, and financial institutions. 

This post will focus on the most important cybersecurity laws and regulations in 2024. We will explore general regulations, sector-specific laws, state laws, and a few international cybersecurity regulations. 

General Cybersecurity Laws and Regulations

Before we delve into private sector regulations, state laws, and international regulations, let's explore some general, overarching cybersecurity regulations that businesses must follow. 

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard overseen by the Payment Card Industry Security Standards Council. Any organization that collects credit card details for payments must abide by PCI DSS. PCI DSS compromises 12 rules that relate to the protection of cardholder information. For example, the first rule in PCI DSS is to establish firewalls to safeguard cardholders’ personal data. Other rules include encrypting ported cardholder data and limiting physical access to cardholder data. Non-compliance with PCI DSS can result in between $5000-$10000 per month, but these figures significantly increase for extended periods of non-compliance. 

The Gramm-Leach-Bliley Act of 1999 (GLBA)

The 106th United States Congress enacted the Gramm-Leach-Bliley Act of 1999 (GLBA). The act, previously called the Financial Modernization Act of 1999, protects customers’ financial information that financial services organizations steward. These financial organizations include banks and insurance agencies. The privacy laws of GLBA are threefold: it includes a Financial Privacy Rule to give customers information and agency over their financial data, a Safeguards Rule to ensure financial services organizations have guardrails to protect sensitive data, and pretexting protection to mitigate the possibility of social engineering attacks. 

Homeland Security Act

The Homeland Security Act of 2002 was enacted in response to the 9/11 terrorist attacks. This pivotal legislation helped establish the Department of Homeland Security (DHS). For over two decades, the DHS has been a cabinet-level department responsible for coordinating and strengthening the nation's defenses. Although the Homeland Security Act does not directly impose regulations on various businesses, different agencies overseen by the DHS can impact various businesses—for example, critical infrastructure protection, import and export security, and employment eligibility verification.

The Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) is an American federal law enacted by the 107th US Congress and overseen by the Securities and Exchange Commission (SEC). Comprising 11 sections, SOX applies to American public enterprises and focuses on audit obligations and financial records management to protect shareholders and the larger public. SOX emphasizes the protection of access to physical and virtual information systems, information security, backing up financial data, and the standardization of processes in case of any data management-related changes.   

Children’s Online Privacy Protection Act (COPPA)

In recent years, there have been numerous instances of businesses paying millions of dollars in fines for non-compliance with children’s protection laws. The Children’s Online Privacy Protection Act (COPPA) focuses on keeping the data of children under 13 safe. COPPA establishes rules that companies must follow on their online services and websites if they want to collect any sensitive data related to children. These rules include the language of privacy policies as well as when and how to involve a child’s parent for permission. Fundamentally, COPPA allows parents to control and know about what happens to their children’s data. 

Cybersecurity Information Sharing Act

Introduced in 2015, The Cybersecurity Information Sharing Act is a federal law that aims to boost cybersecurity across the US via strong threat intelligence sharing. Specifically, this act champions and facilitates sharing threat information between government agencies and private corporations. Businesses can strengthen their security posture by engaging in vibrant threat information-sharing ecosystems without investing too much. While the Cybersecurity Information Sharing Act has its fair share of critics, it’s still an important cybersecurity law to know about. Another important thing for businesses to remember is to not confuse the Cybersecurity Information Sharing Act with another CISA - the Cybersecurity and Infrastructure Security Agency.

Sector-Specific Cybersecurity Laws and Regulations

In the previous section, we highlighted some general overarching cybersecurity laws that businesses must be aware of. In this sector, we will shift focus to the private sector and explore what cybersecurity frameworks and regulations businesses in specific industries need to follow. 

Cyber Incident Reporting Critical Infrastructure Act (CIRCIA)

The Cyber Incident Reporting Critical Infrastructure Act (CIRCIA) is a law introduced by the federal government to optimize cybersecurity incident reporting for enterprises in critical infrastructure sectors. These sectors include energy, chemical, critical manufacturing, food and agriculture, information technology, and water and wastewater systems. CIRCIA’s reporting requirements include a 72-hour window within which businesses must report cybersecurity incidents. It’s important to remember that not all information and definitions that come under CIRCIA are new - CIRCIA references various other resources, including the Homeland Security Act of 2002 (created by the Department of Homeland Security) and NIST (National Institute of Standards and Technology) Special Publication 800-145. 

Health Insurance Portability and Accountability Act (HIPAA)

The healthcare industry is, unfortunately, one of the primary victims of cybercrime. The cyber threats faced by the healthcare industry are unique, often leading to disastrous cybersecurity incidents and non-compliance with regulations like HIPAA. HIPAA emphasizes the fortification and protection of health information. HIPAA demands the implementation and adoption of standards to protect health information transactions. It comprises three rules: the Privacy Rule that ensures that threat actors don’t weaponize personal health information (PHI) for identity theft, the Security Rule that defines guardrails to protect digital PHI, and the Breach Notification rule that outlines how businesses should proceed in the event of a data breach.  

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA), enacted in 2002 by the 107th United States Congress, applies to federal agencies and their supply chain and service providers. FISMA guidelines focus on securing information systems to prevent cyber incidents and malicious or mismanaged information sharing. A FISMA-recommended security program will include regular risk assessments, playbooks, and processes to implement cybersecurity measures, robust incident response plans, incident reporting, and training and awareness programs so that key personnel follow strict security practices.

North American Electric Reliability Corp. (NERC) CIP Standards

The NERC standards aim to uphold the reliability of America's bulk electric systems (BES). Most importantly, these standards also focus on securing critical infrastructure from myriad potent cyber threats. There are 14 different NERC standards, but when it comes to cybersecurity risks, CIP (Cybersecurity Infrastructure Protection) standards are the most important. NERC’s CIP standards comprise 12 different components, including cyber system categorization, personnel, and training, physical security of BES cyber systems, recovery plans, information protection, and supply chain risk management. 

American State Laws and Cybersecurity Regulations

Now that we have covered some sector—and industry-specific cybersecurity laws and regulations like HIPAA, FISMA, and NERC’s CIP standards, it’s time to examine state laws in the United States. In this section, we’ll use three important American State Laws, New York, California, and Colorado, as examples. However, it’s important to remember that every state will have specific cybersecurity practices and initiatives to protect consumers and corporations from security breaches, cyber threats, and data misuse. 

New York SHIELD Act 

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act applies to any individual or organization that holds sensitive and private information of New York residents. In addition to establishing cybersecurity mandates for individuals and organizations with New York resident data, the SHIELD Act also establishes additional data breach notification obligations. Under the SHIELD Act, data breach notifications must include security Q&As, biometric details, and email IDs. Furthermore, the SHIELD Act also redefines a data breach. From a widely accepted definition emphasizing an attack or exploit, the SHIELD Act’s definition of a data breach is as simple as unauthorized access to sensitive data. 

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) law applies to any organization providing products or services to California residents with an annual income of over $25 million. CCPA allows any California resident to inquire about what data a company has on them and how they leverage that data. This applies to companies that serve California residents as well as all third-party providers who may have this data. According to CCPA, California resident data may include names, addresses, social security numbers, biometrics, and multimedia data. It’s important to note that companies that fall under CCPA cybersecurity standards don’t have to operate out of California or even the United States.

Robust frameworks and standards are essential for customers to inquire about how businesses use their data. According to Gartner, penalties from poor management of data subject rights and subject rights requests (which is when an individual requests visibility into how a commercial entity manages their data) will exceed $1 billion by 2026. 

Colorado Privacy Act

Much like the California Consumer Privacy Act (CCPA), the Colorado Privacy Act empowers residents of Colorado by giving them more agency over how various enterprises collect, store, manage, and utilize their personal data and information. The Colorado Privacy Act applies to any commercial entity that holds information of more than 100,000 Colorado residents per year or generates revenue based on selling PII of more than 25,000 residents. Any commercial entity that falls under the jurisdiction of the Colorado Privacy Act must implement guardrails to ensure cybersecurity best practices, establish processes that enable customers to ask and receive information about PII and introduce strict consent agreements before collecting sensitive data. 

International Cybersecurity Laws and Regulations 

In the last section, we used the New York SHIELD ACT, CCPA, and the Colorado Privacy Act as examples of important state laws that enterprises and customers must be aware of. Enterprises also must know the cybersecurity, compliance, and legal implications of conducting business in other countries. This section focuses on some of the most important international cybersecurity laws and regulations. 

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is one of the most spoken-about cybersecurity regulations in the world. However, businesses often find themselves paying hefty GDPR fines, which shows that critical details about this regulation might be slipping under the radar. GDPR applies in the European Union and focuses on how enterprises leverage the data of EU citizens and residents. Companies that come under the jurisdiction of GDPR are of two types: the first type are organizations based in the EU, and the second involves organizations in other regions that manage the data of EU residents. The type of PII that GDPR covers includes names, addresses, website data, biometrics, health information, sexual orientation, and information about ethnicity and race. 

Canada's PIPED Act

Canada’s PIPED (Personal Information Protection and Electronic Documents) Act focuses on how public and private institutions manage and utilize personal data during business transactions. The PIPED Act applies to any enterprise conducting any form of commercial activity in Canada. The PIPED Act comprises ten key principles integral to cybersecurity: accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access, and challenging compliance. 

India’s Digital Personal Data Protection Act

The Digital Personal Data Protection Act recognizes both the need for customers to have visibility and agency over how various organizations leverage their data but also the necessity for businesses to legally, ethically, and responsibly use personal data for relevant purposes. This Act applies to any organization conducting commercial activities in India as well as organizations outside India that sell in India and manage and process the digital information of Indians. If hackers manage to facilitate a data breach, the Digital Personal Data Protection Act takes into account numerous factors before calculating penalties and fines. Those factors include the scale and scope of the data breach, financial repercussions, the quality of remediation and incident response, and the nature of PII that might have been compromised during the breach.   

Conclusion

Cybersecurity can be relentlessly complex to navigate. Threat actors deploy cyberattacks at high speeds, which constantly challenges a business’s cybersecurity posture, data management practices, and disaster recovery capabilities. In addition to these challenges, businesses must also abide by numerous federal, sector, industry, and international cybersecurity laws. Rather than looking at these cybersecurity laws and regulations as a chore, businesses must remember that knowing about and abiding by these regulations can strengthen numerous pillars of their digital operations. In this scenario, partnering with an established Managed Security Services (MSS) provider can help.

Businesses who should know about general cybersecurity laws such as PCI DSS, GLBA, SOX, COPPA, and CISA. However, businesses in specific sectors must follow cybersecurity laws to protect them from unique industry-specific cyber threats they face. Sector-specific laws include CIRCIA, HIPAA, FISMA, and NERC CIP. Businesses in the US or serving US customers must follow state cybersecurity laws, such as the New York SHIELD Act, CCPA, and the Colorado Privacy Act. Lastly, international cybersecurity laws are equally, if not more, important. This is because, when it comes to business, we live in a borderless world. It’s vital to know about laws and regulations like GDPR, PIPED, and India’s Digital Personal Data Protection Act. 

It’s impossible to do business globally without knowing all these critical cybersecurity laws and regulations. With awareness and adherence to these laws, businesses are sure to ward off cyber threats, navigate the complexities of digital realms, and dominate saturated markets.