Two Cyber Laws Go Into Effect Over US Labor Day Weekend
On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. Complicating the challenges of complying with GDPR and the new CA data privacy law, two additional state cybersecurity laws in NY and CO went into effect over Labor Day weekend. In particular, the NY State 23 NYCRR 500 Law now requires companies to encrypt non-public info at both rest and in transit.
According to Pravin Kothari, CEO of cloud security vendor CipherCloud, “The trend in data privacy and cyber related compliance is not your friend right now or anytime soon. The web of cyber data privacy laws continues to grow both in volume and complexity. Two new laws are now effective as of the Labor Day holiday this month. Colorado expanded a statute on data privacy to add definitions about the type of data to be protected, and a 30 day breach notification starting from the time that the company determined that a breach occurred. New York’s department of financial services revised its cyber security regulation to require risk assessments by application, policies that limit the retention of data, to monitor access to information, and to encrypt all nonpublic (private) information at rest and in transit.
Consider all of this comes in the large wake of the newly enacted General Data Protection Regulation in the European Union that just went into effect in May, and in the shadow of the pending U.S. Cloud Act, the U.S. Encrypt Act, and California’s new Consumer Privacy Act (effective 2020). All of this new regulation sets the bar higher than ever before for U.S. companies.
Conclusions? It is a mess. These sort of regulations will need to be handled by Federal omnibus. The expense and risk to businesses in attempting to implement a rolling thunder of different regional and/or state data privacy laws will be overpowering. Companies doing business in the U.S. will require the same data privacy controls and capabilities that multinationals doing business in the European Union require today.
As always, “failure to protect the data” signals clearly the same need GDPR has for end-to-end encryption, tokenization, and data residency. You need the tools to gain visibility to your data, provide the data and threat protection you need, and to enable the strong controls required to meet and manage your compliance requirements.”