Corporations should be aware of several key cyber laws, regulations and industry standards that govern data protection, privacy, and cybersecurity practices. Here are some of the most significant ones:
- General Data Protection Regulation (GDPR):
- Applicability: Applies to any organization that processes the personal data of people in the EU (residents and visitors, not only EU citizens), whether or not the organization is established in the EU, when it offers goods or services to them or monitors their behaviour.
- Key Features: Gives individuals rights over their data (access, rectification, erasure or the "right to be forgotten", portability), requires a lawful basis for every processing activity (consent is one, and it must be freely given, specific, informed and withdrawable), mandates notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and carries penalties of up to 4% of annual global turnover or €20 million, whichever is higher.
- Importance: It has set a global benchmark for data protection, influencing similar laws worldwide.
- California Consumer Privacy Act (CCPA):
- Applicability: Applies to for-profit businesses that do business in California, collect personal information of California residents, and meet at least one threshold: annual gross revenue above $25 million, buying, selling or sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information. The California Privacy Rights Act (CPRA) amended the CCPA, with most of its changes in force since 2023.
- Key Features: Grants consumers the right to know what personal information is collected and how it is used, the right to delete it, the right to opt out of its sale or sharing, and, since the CPRA, the right to correct it and to limit the use of sensitive personal information. It also gives consumers a private right of action, with statutory damages per consumer per incident, when non-encrypted and non-redacted personal information is breached because the business failed to maintain reasonable security.
- Importance: It is the first comprehensive consumer privacy law in the U.S. and the model that most later state privacy laws follow.
- Health Insurance Portability and Accountability Act (HIPAA):
- Applicability: Applies to covered entities in the U.S. (healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses) and to their business associates, i.e. vendors and contractors that create, receive, maintain or transmit protected health information (PHI) on their behalf.
- Key Features: The Privacy Rule limits how PHI may be used and disclosed; the Security Rule requires administrative, physical and technical safeguards for electronic PHI, grounded in a documented risk analysis; the Breach Notification Rule requires notifying affected individuals and the Department of Health and Human Services of breaches of unsecured PHI, without unreasonable delay and no later than 60 days after discovery.
- Importance: Any corporation handling health data, including cloud and SaaS vendors acting as business associates, must comply to avoid enforcement actions, civil penalties and the contractual fallout of a breach.
- Payment Card Industry Data Security Standard (PCI DSS):
- Applicability: Applies to any organization that stores, processes or transmits cardholder data or sensitive authentication data, and to service providers that can affect the security of that data. PCI DSS is an industry standard maintained by the PCI Security Standards Council, not a statute; it is enforced contractually through the card brands and acquiring banks.
- Key Features: Twelve requirements covering network security controls, secure configurations, protection of stored account data, encryption of cardholder data in transit over open networks, vulnerability management, strong access control and multi-factor authentication, logging and monitoring, regular testing (vulnerability scans and penetration tests), and a maintained information security policy. Version 4.0 replaced version 3.2.1 as the only active standard on 31 March 2024.
- Importance: Non-compliance can lead to fines passed down by the card brands through the acquirer, higher transaction fees, liability for fraud losses and forensic costs after a breach, and ultimately loss of the ability to accept card payments.
- Federal Information Security Modernization Act (FISMA):
- Applicability: Applies to U.S. federal agencies, and reaches contractors and other private-sector partners that operate systems on an agency's behalf, usually through contract clauses that impose the same controls.
- Key Features: Requires each agency to run a risk-based information security program: categorize systems by impact, select and implement baseline controls (in practice, NIST SP 800-53), assess them, authorize systems to operate, and monitor them continuously. It also requires incident response planning, incident reporting to the federal incident center at CISA (formerly US-CERT), and annual reporting of the program's status to OMB and Congress.
- Importance: Essential for corporations that build or operate systems for the federal government, since the agency's authorization to operate depends on the contractor's systems meeting the same requirements.
- New York SHIELD Act:
- Applicability: Applies to any person or business that owns or licenses computerized data containing the private information of New York residents, regardless of where the business is located.
- Key Features: Requires reasonable administrative, technical and physical safeguards to protect private information, with entities already subject to GLBA, HIPAA or the NYDFS cybersecurity regulation (23 NYCRR Part 500) deemed compliant. It broadens "private information" to include biometric data and account credentials (a username or e-mail address together with a password or security question), treats unauthorized access, not only acquisition, as a breach, and requires notifying affected residents and the state Attorney General and other state agencies.
- Importance: Enhances data protection requirements, particularly for businesses operating in or serving New York.
- Digital Operational Resilience Act (DORA):
- Applicability: Regulation (EU) 2022/2554, applying from 17 January 2025. Covers financial entities regulated in the EU, including banks, payment and e-money institutions, investment firms, insurers and crypto-asset service providers, and extends to the ICT third-party providers designated as critical to them.
- Key Features: Five pillars: ICT risk management, classification and reporting of major ICT-related incidents to the competent authority, digital operational resilience testing (including threat-led penetration testing for the larger entities), management of ICT third-party risk through contractual requirements and a register of providers, and information sharing on cyber threats.
- Importance: Aimed at strengthening the financial sector’s resilience against cyber threats, which can have ripple effects on businesses dealing with finance.
Corporations must also be aware of sector-specific standards and frameworks, depending on their industry: the NIST Cybersecurity Framework, which is voluntary but widely treated by regulators and courts as a benchmark for "reasonable" security, and the mandatory NERC CIP standards for operators of the North American bulk electric system, among others. Compliance with these laws and standards not only helps in avoiding legal penalties but also in building trust with customers and stakeholders by securing their data and systems.