Federal and state governments are responding to the increase in cyber attacks through new legislation.
At the federal level, the House Financial Services Committee introduced a bill, “The Consumer Data
Security and Notification Act,” to amend the Gramm-Leach-Bliley Act to include a national breach
notification law for the financial industry which would supersede state laws. The states are also rapidly
introducing cyber security legislation. In 2019, 45 states and Puerto Rico introduced over 260 different
bills or resolutions to address cyber security and specifically matters relating to the security of connected
devices, election security, industry data security and the establishment of cyber security task forces. New
York State, for example, issued its New York State Cybersecurity Mandate, which was the nation’s first
cyber security regulation. It requires regulated financial institutions to establish and maintain cyber
security programs that include penetration testing, vulnerability scanning, and education for all employees,
designed to protect consumers and the industry. That regulation placed a strong emphasis on establishing
a compliance culture at the top levels of these institutions. Europe too has acted to help institutionalize a
culture of cyber security with its “General Data Protection Regulation” (GDPR), designed to strengthen
and unify data protection for individuals in the European Union (EU) and address the export of personal
data outside of the EU.
Consumers too are taking their cyber security more seriously than ever, fighting back with increased
litigation. Over recent years, we’ve seen a federal judge in California rule that a consolidated class-action
lawsuit filed by those affected by three Yahoo data breaches can proceed; Nationwide Insurance was
ordered to pay a $5.5 million settlement, Cottage Health System was ordered to pay a $2 million settlement,
and Home Depot agreed to settlements totaling $44.5 million stemming from class-action lawsuits related
to data breaches affecting 50 million customers. For the 143 million Americans affected by the Equifax
data breach, there is a $70 billion class-action lawsuit underway. These lawsuits and the countless others
in courts nationwide should give businesses pause to recognize their due diligence, fiduciary and data
protection responsibilities, which require them to implement and uphold best cyber security practices.
“Best Practices for Optimum Cyber Security”
The Information Systems Audit and Control Association’s (ISACA) “2019 State of Cybersecurity” research
reported that:
69% of companies stated that their cyber security teams are understaffed,
58% of companies said they have unfilled cyber security positions, and
Many companies have difficulty retaining cyber security professionals even when they offer training and certification programs.