Welcome, and have no fear. If you’ve come to this article dreading that 2021 will bring even more data security protocols for your business to comply with, we’ve got great news. The pandemic – though obviously awful news in every other way – has meant that the rush to enact data privacy and security legislation has been put on hold for much of the last year.
The good news is that this year hasn’t brought new regulations for the majority of companies in the US. But there is some bad news as well. First, the world of cybersecurity continues to develop, and cyber threat trends in 2021 indicate that your data is under greater threat than ever before, with the average cost of a data breach having risen to around $3.86 million. Second, plenty of firms are still struggling to reach, and stay, compliant with existing data security protocols.
And so, perhaps we can use the enforced break to get up to speed. Here are the top five data security protocols for US firms in 2021, and a little information about how you can stay compliant with them.
1. GDPR
The General Data Protection Regulation (GDPR) is, for most companies, by far the most stringent data security protocol. It was put into force back in 2018 by the European Union and was largely focused on giving European citizens increased privacy rights. However, alongside the right to know how their data is being used, the GDPR also puts in place an expectation that companies will protect the data they hold.
It might sound like a European directive has little to do with US companies, but it does. That’s because it applies to all European citizens – whether they are physically located in Europe or not, and whether they are looking at a US site or not. That means that, if your website is available outside the USA, you need to check the GDPR requirements. Thankfully, we’ve provided you with a handy guide to those here.
2. CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a much more limited data security protocol than the GDPR. It applies, in fact, “only” to those companies contracting for the US Department of Defense, which sounds like a small subset of companies until you realize just how large the DoD is, and how many companies it does business with. Want to know, for instance, why the recent LinkedIn data breach was such a big deal? It’s because LinkedIn is a DoD contractor.
If you want to contract for the DoD, this means that the first step you need to undertake is to check the CMMC and understand what “level” of “maturity” you’ll have to reach to put in a tender bid.
3. HIPAA
HIPAA, like the CMMC, only applies to a subset of US companies. In this case, though, it’s quite a large one. HIPAA is designed to protect the personal information collected by US healthcare providers. The law has emerged into greater prominence in recent years with the many health data breaches caused by cyber attacks and ransomware attacks on health insurers and providers.
HIPAA is the broadest data security protocol on this list, because it explicitly recognizes that data is now shared in many different ways. This means that in order to reach compliance, companies have to look at a wide range of systems, from their server databases to their email security best practices.
4. SEC Guidelines
The Securities and Exchange Commission (SEC) is the body that oversees financial markets and companies in the US, and, like similar bodies in other sectors, it publishes its own guidance on data security.
Unfortunately, it’s difficult to give general advice on the SEC guidelines, for two reasons. One is that the range of firms they apply to is so diverse. The other is that they are constantly being updated. This makes it all the more important that you check which SEC guidance applies to you and, if necessary, get professional (and potentially legal) advice on reaching compliance.
5. State Regulations
Last but definitely not least, be aware that there will soon be a patchwork of state regulations that define and control the way that you collect, store, and process data. Firms in California are already aware of this due to the CCPA, but companies in other states are about to join them. That’s because there are a number of laws currently passing through state legislatures that are modeled after California’s rules.
The California Consumer Privacy Act (CCPA) is a law that allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
In order to stay on top of these rules, you should read your state press, and make sure you are engaged with the local business community, which will allow you to have prior warning of the new data security protocols that might be passed in your state.
With the legislative process stalled across the US, this year has brought respite to firms who may be struggling to reach compliance with existing data security protocols. It’s of paramount importance, however, that we don’t waste this chance. Abiding by the data security protocols in this list not only protects you from legal challenge, but as we point out in our Data Breach Investigations Report, it can also mean you are far less likely to be the victim of a cyberattack.