While I often talk about data privacy on this blog, something that has become a bigger focus in the content I read for the past few months has been the inclusion of increasingly rigorous security requirements when it comes to collection and processing of personal data. This is notable because much like data protection law is applying to entire new industries as these laws enter enforcement – these requirements are often paired with the need to hire a security service, or hire computer security specialists – sometimes both. Let’s take a look at how this is playing out with a glance at a few of the laws and proposed regulations.
Safeguard Rule
This past June the FTC began enforcement of the updated Safeguard Rule. These additional requirements require organizations subject to the rule to:
- designate a qualified person to oversee their information security program,
- develop a written risk assessment,
- limit and monitor who can access sensitive customer information,
- encrypt all sensitive information,
- train security personnel,
- develop an incident response plan,
- periodically assess the security practices of service providers, and
- implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information.
Not only that, but the Rule was expanded to include more industries – so now the above requirements apply to industries typically exempt, such as Car Dealerships. In their own words:
Rather, the FTC Safeguards Rule covers businesses like mortgage lenders, mortgage brokers, motor vehicle dealers, payday lenders, finance companies, account servicers, check cashing companies, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC. That’s not an exhaustive list, so if you aren’t sure if you’re covered, now’s the time to nail that down.
https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023
This was paired with a notice from the Department of Education, which spelled out new enforcement requirements when it came to Student Information regarding financial aid. The key takeaway here – is that having a working Security program is now a requirement for many industries that had no such requirements prior to June, 2023.
SEC requires Cybersecurity Disclosures
While the Safeguard Rule didn’t apply to companies required to register with the SEC, the Securities and Exchange Commission had their own requirements which were finalized and will become required with annual reporting for fiscal years ending on or after December 15, 2023.
Under these new rules companies will be required to disclose any material cyber security incidents in 4 days (in most cases) on a Form 8-K and to describe their processes, if any, for processing, identifying and managing material risks from cybersecurity threats in Form 10-K.
These requirements will bring increased transparency regarding cybersecurity risks to publicly traded companies. It’s not hard to imagine that this may result in legal action, stock declines or bad press for companies found to be lacking in the cybersecurity realm.
California Enters the Ring
While the final regulations for the California Consumer Privacy Act were approved earlier this year, the Cybersecurity requirements were not among them. Over the past week we’ve seen the direction the California Privacy Protection Agency wishes to go with draft regulations (which may or may not become final). These nearly six pages of requirements are extensive, and would require companies subject to the CCPA to build and maintain a cyber security program and conduct audits by an external auditor, at least annually. These audit results(pass or fail) must be signed by a member of the board, or highest ranking executive with authority to bind the business.
A full review of the Cybersecurity draft can be found here.
Demand for Skills
All of these laws (and more not mentioned here) will need staff to implement and run their computer security program. According to NIST, there is a 3.4 million person global shortage of cyber security professionals. It seems likely that for the foreseeable future that demand for cyber security professionals will excessively outpace ability to fill roles. With all these new industries facing building out their programs at the same time, many may face delays due to lack of skilled staff.
All of this should be considered when grappling how to deal with the new reality of the pairing of robust security programs and data privacy programs which we will find ourselves in as these requirements spread across industries and geographical boundaries.