This article originally appeared in Cybersecurity Law & Strategy. © ALM Media LLC. Reprinted with permission.
The federal government is trying to find as many ways as possible to handle the cybersecurity crisis facing the United States. While it is unlikely that Congress will pass a comprehensive federal cybersecurity law for the private sector, the Executive Branch and its many agencies are issuing directives and guidelines with far-reaching impacts. Additionally, states across the nation are passing their own data protection and cybersecurity laws with whiplash speed. The U.S. doesn’t have a federal cybersecurity law, but the new regulatory and state landscape is changing the way companies do business. This basket weave of new laws provides a boost to existing cybersecurity guidelines. However, the industry standard for almost all organizations is the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Privacy Framework.
There are new federal regulations, directives, and guidelines as well as new case law, industry-specific guidelines, and new state laws that, when taken together, form an industry standard applicable to almost all business sectors. The end result is that if you receive, collect or hold data in an enumerated industry or sector, or collect client data, your business must have an information security program in place.
Many of the existing laws protect publicly traded companies and the banking, health care, financial, educational and insurance sectors. Third-party vendors, including law firms, are specifically enumerated in many state statutes. Nevada even has a relatively new statute that protects casinos. The combination of these new state statutes and federal guidelines provides the new landscape for compliance. The message is clear: cybersecurity compliance is for everyone.
There are several federal laws, regulations and even legal opinions that have cybersecurity and data privacy implications for publicly traded companies and specific sectors. Regulations like Sarbanes-Oxley, the Privacy of Consumer Financial Information and Safeguarding Personal Information Regulation, the Gramm-Leach-Bliley Security Rule and Privacy Rule, the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act (COPPA), the FTC Act, the NIST Cybersecurity Framework, the NIST Privacy Framework, the new Cybersecurity Maturity Model Certification program for defense industry contractors, the Department of Justice’s new Civil Cyber-Fraud Initiative and the Wyndham cases are many of the strands of the federal government’s net of cybersecurity guidance.
While this federal oversight is growing, holes exist in the coverage. Therefore, it may be difficult to piece together a compliance program from these federal regulations for your organization. Industries not specifically covered by a federal law should look to state laws and NIST’s Cybersecurity Framework and Privacy Framework for guidance.
The National Institute of Standards and Technology issued the first federal guidelines for privacy in 2020: the NIST Privacy Framework. The new framework is a voluntary tool designed to improve privacy through enterprise-wide risk management. It overlaps and works in tandem with the NIST Cybersecurity Framework, and together these risk management frameworks are effectively the equivalent of an industry standard for data protection and information security. However, because they are only guidelines, states are stepping into the role of enforcer.
New State Statutes and Regulations
In 2017, the National Association of Insurance Commissioners (NAIC) finalized its Insurance Data Security Model Law. The NAIC’s Model Law is effectively a comprehensive data protection and cybersecurity law. It requires licensed entities to certify their cybersecurity program’s compliance on an annual basis. Certifications are due in February, March, or April of each year, depending on the state. A sample of the language in the Virginia Insurance Data Security Act—Virginia H.B. 1334, 2020—reads as follows:
“§ 38.2-623. Information security program.
Commensurate with the size and complexity of the licensee; the nature and scope of the licensee’s activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s assessment of the licensee’s risk and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system. . . .”
These acts often mandate information security training, safe disposition of data, written incident response plans and/or breach notification requirements.
Since 2019, 24 states have passed a statute or regulation pertaining to information security or data protection. Many of these new laws are being passed in the name of data protection or data security, as opposed to cybersecurity. Therefore, it is important to recognize that when a statute or regulation mandates the creation of an information security program, information security training, breach notification requirements and/or lays out information security requirements for third-party service providers, it is effectively a cybersecurity law.
The sector that has been most successful at getting such laws passed is insurance. Eighteen states thus far have enacted some version of this law, including Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia. Expect more to be passed in the next 24 months. New York State passed the SHIELD Act, which went into effect in March 2020. Additionally, New York’s Department of Financial Services has rolled out a cybersecurity regulation (23 CRR-NY 500.1) for the banking, financial services, and insurance sectors. The insurance industry was also front and center at the White House Cybersecurity Summit in August of this year.
By now, most data protection, privacy and cybersecurity experts are aware of the proliferation of California’s laws in this area. Since 2018, California has passed six data protection laws: the California Consumer Privacy Act of 2018 and three amendments (AB-874 [personal information definition], AB-1355 [technical amendments] and AB-1564 [toll-free number alternative]), the Data Broker Registration Statute (which regulates the sale of personal information) and the California Privacy Rights Act of 2020 (which added third-party service provider requirements). This web of laws and regulations applies to so many businesses that they are essentially applicable to businesses across the nation.
By now, you can see the difficulty with 50 states, plus territories, adopting different cybersecurity and data protection laws. This process is effective, but not efficient. Companies are finding it hard to map all the controls to meet each jurisdiction’s requirements.
FedRAMP and StateRAMP
Traditionally, state and local governments have had a lower security threshold for cybersecurity and a greater risk tolerance. For example, the federal government has the Federal Risk and Authorization Management Program, or FedRAMP, for cloud providers. Cloud service providers must meet the controls and document them in a Security Assessment Package (SAR) for review by the FedRAMP Program Office to receive an Authority to Operate. A third-party assessor (3PAO) conducts the assessment to determine if the controls are in place and submits the package to the FedRAMP PMO. The requirements are based on NIST 800-53 controls and divided into high, moderate, and low risk assessments. The program has been a huge success for the federal government and has made federal agencies safer. States had no such program in place – until now.
In early 2020, several states including Arizona, Maine, Mississippi, Indiana, and Texas, began discussing a process that could be used by states and local governments across the country. The idea was to verify security controls once and allow that security package/authorization to be used by many states and local governments, particularly with regard to cloud services in the higher education space. Additionally, state and local governments could use this assessment to secure their own environments and regulate third-party service providers. The process would work similarly to the way FedRAMP works. They referred to the process as “StateRAMP.”
Out of those meetings, StateRAMP.org, a 501(c)(6) (a membership not-for-profit), was created. StateRAMP.org rolled out this year and, like FedRAMP, it relies on NIST 800-53 controls (StateRAMP maps to NIST 800-53 rev. 4; NIST has released 800-53 rev. 5) and is also to be used by state and local governments. Individual states can elect to participate in StateRAMP by choosing to accept StateRAMP authorizations. The membership is free for state and local governments and five hundred dollars ($500) for vendors. Arizona and Texas immediately adopted StateRAMP.
Texas passed its legislation this past summer and all SaaS, IaaS and PaaS vendors must be TexRAMP authorized by January 2022. That is an extremely short deadline. Texas justifies the short time frame by accepting a FedRAMP ATO or a StateRAMP authorization to satisfy its legislative mandate.
Likewise, Arizona passed AzRAMP in 2021. It requires cloud vendors to show documentation proving that they have:
- Met 35 basic controls to continue to bid on Arizona state projects or protect their data.
- Met 125 basic controls to protect public data.
- Met 325 basic controls to protect sensitive data.
AzRAMP controls are based on NIST 800-53, as well.
Arizona and Texas jumped on StateRAMP quickly. Additional states are expected to adopt the StateRAMP process because it is efficient and mirrors the successfully tested FedRAMP program.
StateRAMP also requires continuous monitoring. Information security continuous monitoring (ISCM) is covered in NIST SP 800-137 and calls for an ongoing level of due diligence that is not found in snapshot certifications and assessments. There is no way to meet this requirement without hiring information security professionals within your organization or outsourcing your monitoring to an information security firm. This requirement alone changes the cybersecurity landscape for organizations.
While most of these state laws and regulations require businesses to have information security programs, the standard for what those programs should entail is outlined in the NIST Cybersecurity Framework and the NIST Privacy Framework. Those frameworks together make up the industry standard for data protection, cybersecurity and risk management. NIST is very good about creating easy-to-understand guides like its Special Publication 1271: Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide. An easier way to meet these risk management and compliance requirements is to hire a cybersecurity expert to help you build an information security program that follows the recommended guidelines.