Cybersecurity compliance isn’t easy. There are dozens of acronyms, hundreds of controls, and many small business owners find themselves completely overwhelmed. Compliance requirements vary and can be imposed by law, regulatory bodies, and even private industry groups such as the Payment Card Industry. In this Dark Cubed explainer, we will cover each of the major cybersecurity compliance requirements, describe what they require, and provide pertinent advice on how you can begin working towards a culture of compliance. Let’s start off with the basics.
Cybersecurity compliance means meeting a defined set of controls (usually mandated by a regulator, a law, or an industry group) that protect the confidentiality, integrity, and availability of data. The requirements vary by industry and sector, but they typically prescribe a mix of organizational processes (policies, risk assessments, training, incident response) and technical safeguards (access control, encryption, logging, patching). The controls themselves are usually drawn from established frameworks such as the CIS Controls, the NIST Cybersecurity Framework, and ISO/IEC 27001. To read more about cybersecurity frameworks, check out our comprehensive guide. If you’re interested in specific niches, it’s worth taking a look at our post on healthcare cybersecurity.
HIPAA stands for the Health Insurance Portability and Accountability Act. The law was passed by Congress in 1996, and the regulations issued under it (in particular the HIPAA Privacy Rule and Security Rule) are designed to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI). HIPAA applies to covered entities, meaning healthcare providers, healthcare clearinghouses, and health plans, and to business associates that create, receive, maintain, or transmit PHI on their behalf. If you are unsure whether HIPAA applies to you, we recommend that you consult with a licensed attorney with experience in regulatory compliance.
In 2017 the New York Department of Financial Services (NYDFS) put its Cybersecurity Regulation (23 NYCRR Part 500) into effect. The regulation sets out requirements for developing and implementing an effective cybersecurity program: covered entities must assess their cybersecurity risks and build a program, written policies, and plans that proactively address those risks. Its requirements cover the basic elements of a security program, such as periodic risk assessments, documented security policies approved by senior management, and designation of a Chief Information Security Officer (CISO) who is responsible for the program and reports on it to the board. The regulation is broadly aligned with industry best practice as expressed in frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001.
The NYDFS Cybersecurity Regulation applies to all entities operating under, or required to obtain, a DFS license, registration, or charter, or that are otherwise regulated by DFS. Third-party service providers to regulated entities are not regulated directly, but covered entities must assess them and impose security requirements on them through a third-party service provider policy. As you can imagine, the regulation therefore reaches a wide range of businesses and organizations, many of which are not based in New York. Covered entities include, for example:
Foreign banks licensed to operate in New York
State Chartered Banks
Life Insurance Companies
The NYDFS Cybersecurity Regulation does provide a limited exemption, however. Organizations that have fewer than 10 employees, generated less than $5 million in gross annual revenue from New York operations in each of the past three fiscal years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the regulation, but not from all of them. If you are unsure whether the NYDFS Cybersecurity Regulation applies to you, we recommend that you consult with a licensed attorney with experience in regulatory compliance.
GDPR stands for the General Data Protection Regulation, a data protection law adopted by the EU in 2016 and enforceable since 25 May 2018, intended to “harmonize data privacy laws across Europe.” The GDPR applies throughout the EU and the European Economic Area (EEA) and also governs transfers of personal data outside the EU and EEA. Its obligations apply to any organization that processes the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour, even if the organization is based elsewhere. The primary goal of the GDPR is to give individuals greater control over their personal data and to simplify the regulatory environment for international businesses by unifying the rules across the EU. The GDPR contains requirements relating to personal data privacy, data minimization, and security. Among the data-protection principles it sets out (Article 5) are:
Lawfulness, fairness and transparency
Integrity and confidentiality (security)
The GDPR also grants individuals (“data subjects”) a set of rights over their personal data:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights around automated decision making and profiling
The GDPR is deliberately broad and principle-based rather than prescriptive: it states outcomes an organization must achieve rather than specifying the exact controls to use. It carries harsh penalties: administrative fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. This makes GDPR compliance a daunting project for small and medium-sized businesses that fall under it. If you are unsure whether the GDPR applies to you, or need help implementing its requirements, we recommend that you consult with a licensed attorney or cybersecurity professional with experience in regulatory compliance.
FERPA stands for the Family Educational Rights and Privacy Act, a federal law that protects the privacy of student education records. It applies to all schools that receive funding under a program administered by the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records; those rights transfer to the student when the student turns 18 or attends a school beyond the high school level (an “eligible student”). Parents and eligible students have the right to:
Inspect and review the student’s education records maintained by the school
Request the school correct records which they believe to be inaccurate or misleading
Schools are not required to provide copies of records unless it is impossible for parents or eligible students to review the records at the school, for example because of distance; schools may charge a fee for copies. A school may decline to amend a record that a parent or eligible student believes to be inaccurate or misleading. The parent or eligible student then has the right to a formal hearing. If, after the hearing, the school still declines to amend the record, the parent or eligible student has the right to place a statement in the record setting out their view of the contested information.
In general, schools must have written permission from the parent or eligible student before releasing any information from a student’s education record. However, FERPA allows schools to disclose those records without consent to the following parties or under the following conditions:
School officials with legitimate educational interest
Other schools to which a student is transferring
Specified officials for audit or evaluation purposes
Organizations conducting certain studies for or on behalf of the school
Appropriate parties in connection with financial aid to a student
To comply with a judicial order or lawfully issued subpoena
Appropriate officials in case of health and safety emergencies
State and local authorities, within a juvenile justice system, pursuant to specific state law
Schools may also disclose, without consent, “directory information,” such as a student’s name, address, and telephone number, and:
Date and place of birth
Honors and awards
Dates of attendance
However, schools must tell parents and eligible students about directory information and allow them a reasonable opportunity to request the school not disclose information about them. Schools must also annually notify parents and eligible students of their rights under FERPA.
CCPA stands for the California Consumer Privacy Act, a state statute enacted to enhance the privacy rights and consumer protections of California residents. The bill was signed into law in 2018 and took effect on January 1, 2020. It was the first law in the U.S. to create comprehensive rules for consumer data, broadly comparable to the EU’s GDPR. The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices per year; or deriving 50% or more of annual revenue from selling consumers’ personal information. A business that meets one of these thresholds is covered regardless of where it is based.
Broadly, the CCPA aims to give California residents “the right to know” and “the right to say no.” Consumers can find out what personal information a business has collected about them, have that information deleted, and opt out of the sale of their personal information to third parties going forward. The CCPA obviously has far-reaching consequences given that some of the world’s largest tech companies are based in California. It affects not only Google, Facebook, and Apple, but also numerous smaller organizations that do business with Californians or are based in California. Personal information under the CCPA includes identifiers such as:
Real name or alias
Unique Personal Identifier
Social security number
Driver’s license number
The CCPA does not treat “publicly available information,” meaning information lawfully made available from federal, state, or local government records, as personal information. Although the CCPA was written with tech giants in mind, it also affects small businesses that operate in California or collect data from Californians. Penalties for CCPA violations can be severe. If a business’s failure to implement reasonable security leads to a breach of consumers’ personal information, affected California residents can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, plus any other relief the court deems proper. Businesses also face civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation. Under the statute as originally enacted, a business has 30 days to cure a violation after being notified of it by the Attorney General. Depending on the number of records involved in a breach, the total exposure can run to millions of dollars. Because of the far-reaching nature of the CCPA and the financial consequences of a violation, we recommend that you consult with a licensed attorney or cybersecurity professional with experience in regulatory compliance if you have questions about CCPA compliance.
The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is a framework developed by the US Department of Defense (DoD) to safeguard federal contract information (FCI) and controlled unclassified information (CUI) processed by the Defense Industrial Base (DIB); see https://dodcio.defense.gov/CMMC/about/ for the DoD’s overview. DIB contractors that handle CUI will be required, with minimal exception, to pass a formal third-party assessment of their cybersecurity practices. To ensure that appropriate security requirements are met across DIB supply chains, prime contractors will be held accountable for the CMMC 2.0 compliance of their subcontractors.
Specifically, the CMMC 2.0 framework covers the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) clause 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, as required by Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. DFARS clause 252.204-7012 also specifies requirements beyond the NIST SP 800-171 security requirements, such as cyber incident reporting to the DoD. In summary, CMMC 2.0 is designed to give the DoD assurance that a DIB contractor can protect CUI at a level commensurate with the risk, taking into account the flow of information down to its subcontractors in a multi-tier supply chain.
Your regulatory responsibilities depend heavily on the type of data you handle, your industry, the bodies that regulate you, and the jurisdictions in which you operate. For instance, a financial services business licensed by the New York Department of Financial Services is generally bound by the NYDFS Cybersecurity Regulation, and a business that meets the CCPA’s thresholds and handles the personal information of California residents is operating under the California Consumer Privacy Act. We recommend that you consult with a compliance specialist or attorney to determine the precise requirements that apply to your business.
We hope this page has been helpful to you and your organization. If you or your organization needs help or advice dealing with cybersecurity compliance requirements, please contact firstname.lastname@example.org and we will be happy to have our senior-level CISO answer any questions you may have.
If you'd like additional information on how to meet these frameworks, take a look at our cybersecurity resources page here: 50+ Cybersecurity Resources