7 Cyber Regulations Your Business Doesn’t Prepare For (But Should)

The last five years have been monumental for cybersecurity. Between data breaches that have affected the world’s biggest corporations and new laws passed worldwide to ensure better data security, the increased focus on securing data is a welcome one.

However, the number of cybersecurity threats keeps growing. According to the UK-based insurer Hiscox, 50% of surveyed firms reported experiencing at least one attack in the previous year, up from 40% the year before.

Larger businesses are more likely to experience attacks, but they are also more likely to have the expertise to avoid common cloud security mistakes and the manpower to avert attacks.

In the eyes of the consumer and the law, SMEs are held to the same standard as large corporations: both are expected to protect user data with whatever means are reasonably available to them. Failure to do so may put a business on the wrong side of both local and international regulations.

Common threats

Attackers are constantly developing new attack vectors, but most methods are familiar enough that defenses can be put in place before they succeed. Business owners should at least be aware of the most common types of attack and how they work.

Malware: This is a general term used to describe any software that has been designed to cause damage to computers, servers, or any device connected to the network. Malware may come in the form of viruses, trojans, or ransomware.

Ransomware: This is a kind of malware that restricts access to your files until a ransom is paid. It normally encrypts the files on a workstation or server, and often on any network shares it can reach, so that nothing is accessible without the attacker’s key.

Viruses: Viruses are malware that replicate by attaching themselves to other programs or files and spreading from one computer to others it can reach. The payload varies; some viruses also install a backdoor that gives the attacker remote control over the infected system.

What are regulations meant for?

Certain kinds of user data are protected by laws to make sure they do not fall into the wrong hands. These laws are enacted and enforced differently depending on where they were written and passed and what jurisdiction they apply to.

Unlike the EU, the United States does not have a single all-encompassing data protection law. Instead it has a patchwork of sector-specific federal laws and state laws that impose restrictions and obligations on businesses. These restrictions relate to the collection, use, retention and disclosure of different kinds of user information. Data that is commonly protected includes social security numbers, driver’s license numbers, zip codes and email addresses.

Each state also has unique data breach notification legislation. Businesses are expected to publicize the existence of data breaches. Even if a business does not physically operate within a state, it must typically comply with that state’s law as long as it conducts business with that state’s residents.

Some states are a lot more active than others when it comes to passing data protection laws. New York and Massachusetts are known to have the most stringent data protection regulations in the US. Companies that do not have an internal legal team might benefit from consulting outside counsel.

7 cyber regulations your business isn’t prepared for

One of the most monumental cybersecurity laws passed in recent times has been Europe’s General Data Protection Regulation. The regulation was adopted in 2016 and took effect in May 2018, with the purpose of holding companies accountable for data breaches and for the lack of effective measures to protect user data.

The presence of these laws highlights the importance of modern cybersecurity regulations and why businesses that handle consumer data – large and small – should be informed about them.

General Data Protection Regulation (GDPR)

The GDPR took effect on 25 May 2018 and fundamentally changed how businesses that process the personal data of people in the EU are expected to handle that data, wherever the business itself is located. The most important parts to remember about this law are:

  • Public authorities, and any organisation whose core activities involve large-scale regular monitoring of individuals or large-scale processing of sensitive data, must appoint a data protection officer (DPO). A DPO helps your firm monitor internal compliance, advises you on your data protection obligations and provides guidance on Data Protection Impact Assessments. The DPO can be an existing employee or externally hired, but must be independent and an expert in data protection.
  • Each company must have in place appropriate technical and organisational measures to protect user data, and should expect to be held accountable in the event of a data breach.
  • A personal data breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless the breach is unlikely to put individuals at risk. Where the breach is likely to result in a high risk to the individuals affected, they must also be contacted without undue delay and made aware of the risks they now face.

The penalties for failing to comply with the GDPR can be quite damaging to a business. In the worst-case scenario, you can be fined up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) is a law that was created to safeguard the privacy of children under 13. It was originally designed to address growing concerns of websites collecting children’s personal information without their parents’ consent during the late 90s.

The act stipulates that:

  • Sites collecting personal information from children under 13 must obtain verifiable parental consent before doing so.
  • Sites must post a privacy policy wherever data is collected, stating what data is collected, how it is collected and what it is used for.
  • It also outlines the legal responsibilities of website owners and operators concerning children’s privacy online. This includes restrictions on the kinds of advertising, such as behavioural targeting, that may be directed at young children.

Lastly, site owners must give parents access to any information collected from their children. Parents must be able to review that data, have it deleted if they see fit, and refuse to allow any further collection.

California Consumer Privacy Act (CCPA)

This is the first U.S. law that comes closest to what the GDPR has achieved. The act was passed to give California residents the right to know what personal data is being collected about them, to access that data and to opt out of its sale.

It applies to any for-profit business that does business in California, collects personal information from California residents and satisfies at least one of the following requirements:

  • The company earns more than half of its revenue from selling personal data.
  • The company’s gross annual revenues exceed $25 million.
  • The company stores the personal information of more than 50,000 consumers, households, or devices.

Companies are expected to implement reasonable security measures to prevent the leakage of consumer data. If a breach results from a failure to do so, a company can be ordered to pay between $100 and $750 per resident per incident (or actual damages, if higher), plus any other relief a court deems proper. Civil penalties of up to $2,500 per violation, or $7,500 for each intentional violation, may also be imposed.

The New York State Department of Financial Services Cybersecurity Regulations (23 NYCRR 500)

23 NYCRR 500 is a regulation that requires entities licensed or regulated under New York banking, insurance or financial services law (“covered entities”) to implement effective measures to safeguard consumer data and their own information systems.

Types of companies required to comply with the law include:

  • Trust companies
  • Insurance companies operating in NY
  • Non-U.S. banks operating in NY
  • Private bankers
  • Mortgage companies… etc.

It requires companies to:

  • Conduct regular risk assessments.
  • Have an incident response plan.
  • Develop detailed cybersecurity policies and procedures.
  • Have effective access controls, including multi-factor authentication, to prevent unauthorized access.
  • Maintain audit trails that can reconstruct financial transactions and detect and respond to security events.

A covered entity qualifies for a limited exemption from parts of the regulation if it meets any of the following:

  • Has fewer than 10 employees (including independent contractors).
  • Makes less than $5 million in gross annual revenue from New York operations, or
  • Has less than $10 million in year-end total assets.

Fair Credit Reporting Act (FCRA)

The FCRA restricts the use of consumer report information, which covers aspects of an individual’s credit standing, creditworthiness, mode of living and general reputation, as a qualification for employment, insurance or credit. In addition, companies are expected to:

  • Truncate card numbers on any printed receipts (no more than the last five digits, and no expiry date).
  • Securely destroy certain kinds of personal information when it is no longer needed.
  • Refrain from using certain kinds of information for marketing purposes.
  • Run programs that detect and respond to instances of identity theft.

Michael Clinton, a legal adviser, calls it ‘one of the most important consumer protection laws we have to date.’ Separately from the FCRA, any business that stores, processes or transmits payment card data is expected to comply with the PCI DSS, an industry standard rather than a law, which among other things requires card numbers to be masked when displayed.
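The receipt-truncation item above comes from the FACTA amendment to the FCRA, which limits a printed receipt to at most the last five digits of the card number and forbids printing the expiry date; PCI DSS separately caps any displayed PAN at the first six and last four digits. The following Python is an added example, not code from the original post: it masks a card number to its last four digits (which satisfies both rules) and redacts any card numbers that appear in free text such as a receipt line or an application log, using the Luhn checksum to avoid mangling order numbers and timestamps. The sample receipt line and card numbers are constructed test data (4111 1111 1111 1111 is a well-known test number), and the function names are the example’s own.

```python
import re

# Constructed sample receipt line: a 13-digit order number that is NOT a valid
# card number, followed by a real-looking (test) card number.
SAMPLE_RECEIPT = "Order 1234567890123 card 4111-1111-1111-1111 total 12.50"

# Anything that looks like a 13-19 digit card number, allowing a single space
# or dash between digits (e.g. "4111 1111 1111 1111").
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4) -> str:
    """Mask a primary account number, keeping only the last `keep` digits.

    `keep` defaults to 4 and may not exceed 5: FACTA allows at most the last
    five digits on a receipt, and PCI DSS allows at most the last four (plus
    the first six) on any display. Separators in the input are dropped.
    Raises ValueError for anything that is not a plausible card number so
    that garbage can never be passed straight through to the output.
    """
    if keep > 5:
        raise ValueError("receipts may show at most the last five digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return "*" * (len(digits) - keep) + digits[-keep:]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid card number in a free-text line with its masked form.

    Digit runs of card-number length that fail the Luhn check (order numbers,
    timestamps, tracking IDs) are left untouched, so the redaction can be
    applied to receipts and log lines without corrupting other fields.
    """
    def _sub(m):
        try:
            return mask_pan(m.group(0))
        except ValueError:
            return m.group(0)
    return _PAN_RE.sub(_sub, line)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))   # ************1111
    print(redact_line(SAMPLE_RECEIPT))
```

Run the redaction in the code path that formats receipts and in the logging layer, not only at the point of sale: the most common way a full PAN leaks is through a debug log or an error report that echoes the request body.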

Family Educational Rights and Privacy Act (FERPA)

Under this act, parents, and students themselves once they turn 18 or enrol in postsecondary education, have the right to inspect their education records and to request the correction of inaccurate or misleading information. It also prohibits schools from disclosing personally identifiable information from those records to other parties without written consent, apart from a limited set of exceptions.

Health Insurance Portability and Accountability Act (HIPAA)

Under HIPAA, entities that hold information on an individual’s health status, care or payment for healthcare services are expected to implement administrative, physical and technical safeguards to protect that information. Such information cannot be transmitted or disclosed to third parties without the individual’s authorisation, except for the uses the law permits, such as treatment, payment and healthcare operations.


Small businesses are the least equipped to absorb a data breach or other cybersecurity incident. Unlike large companies, they are less likely to have enough staff and expertise to contain an incident and prevent the next one.

Lastly, if affected, small companies will have a harder time recovering from the financial and legal consequences of a data breach. SMEs should be at the forefront of privacy advocacy and data protection, both to build customer trust and to avoid legal and financial trouble.

Scott Matthews

Author Bio: Scott Matthews is an experienced thesis, dissertation and essay writer working with online academic writing services for university students. His latest published work is on superior papers reviews. When he’s not busy with work, he likes to practice yoga and learn stone carving.

Scott Matthews is a guest blogger. All opinions are his own.

The post 7 Cyber Regulations Your Business Doesn’t Prepare For (But Should) appeared first on CCSI.

*** This is a Security Bloggers Network syndicated blog from CCSI authored by Guest Author. Read the original post at: