For small businesses, cybersecurity is a growing, evolving challenge. Protecting assets and resources is difficult enough on its own; the expanding regulatory environment is something else small businesses have to contend with.
Larger organizations face the same regulations, but for a small business, keeping up with a changing regulatory environment can consume a far greater proportion of its resources.
Being prepared and proactive is critical for small businesses that are regulated by federal and state cybersecurity guidelines.
The following are key things to know right now.
New Law Requires Cyber-Incident Reporting
Following the growing number of ransomware attacks, a newly enacted law requires covered entities to report significant cyber incidents to regulators at the federal level. The law is the “Strengthening American Cybersecurity Act,” which includes the Cyber Incident Reporting for Critical Infrastructure Act.
The Senate passed the bill by unanimous consent on March 1, but the legislation applies only to critical infrastructure entities. Covered organizations are legally required to report covered cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransom payments within 24 hours of making the payment.
The legislation was enacted as part of the 2022 omnibus spending bill (the Consolidated Appropriations Act, 2022), signed into law by President Biden on March 15.
CISA has the power to determine which entities are subject to the reporting obligations. Through rulemaking, CISA can define the covered entities that own and operate infrastructure critical to the nation, and the reporting obligations do not take effect until that rulemaking is complete.
An incident must be reported if it causes a substantial loss of confidentiality, integrity, or availability of an information system; a serious impact on the safety and resiliency of operational systems; a disruption of business or industrial operations; or unauthorized access resulting from the compromise of a cloud, managed service, or other supply chain provider.
Businesses across many industries are going to be affected by this legislation.
The practical implication is that businesses will have to decide, with reference to the act’s definitions and CISA’s forthcoming rules, which cyber incidents are substantial enough to trigger a report, and they will need an incident response process that can produce that report within the 72-hour window.
SEC Regulations
Early in April, Gary Gensler, U.S. Securities and Exchange Commission (SEC) chair, outlined new cybersecurity regulations the staff is considering. The remarks were before a joint meeting of the Financial Services Sector Coordinating Council and the Financial and Banking Information Infrastructure Committee.
Chair Gensler expressed his belief that the SEC plays a pivotal role in the cybersecurity of the nation and in the ongoing efforts of the Biden administration in this area.
There are several outstanding proposed cybersecurity rules. For example, similar to the federal reporting law discussed above, the SEC has proposed that public companies disclose material cybersecurity incidents on Form 8-K within four business days of determining the incident is material, and that they disclose their cybersecurity risk management policies, procedures, and governance in periodic reports.
The SEC is also working to broaden the 2014 rule on Regulation Systems Compliance and Integrity, or Reg SCI.
Currently, Reg SCI requires covered entities such as exchanges and clearing agencies to maintain policies and procedures for the capacity, integrity, resiliency, availability, and security of their core technology systems, and to report systems issues to the SEC. With an expansion, more entities would fall under the scope of the regulation.
Chair Gensler went on to reiterate his belief that service providers to registrants in the financial sector, whether or not they are cloud-based, are a critical part of the financial sector. He said he has asked the SEC staff to consider recommendations for further addressing the cybersecurity risks posed by service providers.
For example, earlier in the year Gensler specifically mentioned the potential to require registered entities to identify the service providers that could pose a risk, and to hold registrants accountable for the cybersecurity measures of their service providers.
State Laws
Many states have implemented, or are taking steps to implement, their own cybersecurity laws that affect businesses.
California has led in this area.
For example, the state enacted Senate Bill 327 in 2018, with an effective date of January 1, 2020. Under the law, manufacturers of IoT devices have to equip each device with reasonable security features. At the time, the federal government also signaled it would be ramping up the regulation of IoT security; the U.S. Senate, the FTC, and the Commerce Department all got involved.
Larger companies, even at the time the law was passed, tended to already have privacy and security protocols in place, so the burden really fell on startups, entrepreneurs, and smaller companies.
The law is broad: it applies to the manufacturer of any “connected device,” meaning a device that can connect to the internet directly or indirectly and is assigned an IP address or Bluetooth address. Its one concrete requirement is that a device with a means of authentication outside a local area network must ship with a password unique to that device, or require the user to set a new password before first access; the law does not otherwise define what a “reasonable” security feature is.
A group of U.S. Senators also worked on federal IoT security legislation, which became the IoT Cybersecurity Improvement Act of 2020; that law sets security standards, developed by NIST, for IoT devices purchased by federal agencies.
California Privacy Rights Act
The California Privacy Rights Act, or CPRA, was approved by California voters as Proposition 24 in November 2020, and its implications are being broadly felt now. It builds on the California Consumer Privacy Act, which was the first comprehensive consumer privacy law in the U.S.
Many believe it will be a model for other states, which will change how companies operate and do business.
Prior to the CPRA, the California Consumer Privacy Act (CCPA) was signed into law in 2018. It created a number of business obligations relating to the privacy rights of consumers, particularly around collecting and selling personal information, and took effect on January 1, 2020.
The CPRA is often described as an amendment to the CCPA.
The CPRA became operative on January 1, 2023, but enforcement does not begin until July 1, 2023, and applies only to violations that occur on or after that date. The CCPA’s provisions remain in effect and enforceable until then.
The CCPA creates six specific consumer rights.
These include:
- The right to know what personal information a business has collected about a consumer, the sources it was collected from, the purpose of collection, and, if it was sold, to whom.
- The right to delete personal information collected from a consumer.
- The right to opt out of the sale of personal information, where a business sells it.
- A requirement that consumers under the age of 16 affirmatively opt in before their personal information is sold.
- Non-discriminatory treatment for exercising these rights.
- A private right of action if certain personal information is exposed in a data breach caused by a failure to implement reasonable security.
The CPRA adds two further rights: the right to correct inaccurate personal information, and the right to limit the use and disclosure of sensitive personal information.
Overall, businesses of all sizes have a lot on their plate when it comes to monitoring changes in data privacy and cybersecurity laws and regulations and making sure they respond accordingly. This burden is only likely to keep growing.