To Keep Up With Cybersecurity Laws, Go ‘Federal First’

Intensifying cyberattacks and heightened awareness of the risks they pose are driving the creation of new cybersecurity laws around the world, including in the U.S. at both the federal and state levels.

Some of these new measures are sector-specific, others apply more broadly, and all of them add to existing privacy and data protection regimes such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare, the Gramm-Leach-Bliley Act (GLBA) for financial services, and the European Union’s General Data Protection Regulation (GDPR), which covers any business with employees or customers in the EU.

To minimize complexity and maintain compliance, many organizations are taking a “highest bar” approach—conforming to the toughest relevant standards knowing that any lesser requirements will then also be covered, and that their cyber defenses will be as strong as possible.

In the U.S., that means taking a federal-first approach: conforming to the highest security requirements of the United States federal government. The logic of this is that the federal government is a prime target for today’s most advanced cyberattacks, so the measures it insists on for protection are, by necessity, the strongest possible.

Enterprises that adopt those same defenses should be both maximally secure and better qualified to do business with the federal government, because their controls are already aligned with its requirements.

The landscape of cybersecurity laws is getting more complex

A few major pieces of cybersecurity legislation have made headlines in recent years, including the 2021 Executive Order on Cybersecurity, the Strengthening American Cybersecurity
