Get Wise to These 5 New Cybersecurity Laws

Laws are often passed when a situation becomes so dire that legislators feel the need to step in and apply some teeth. And when it comes to combating cybersecurity incidents, there seems to be no shortage of global legislative and regulatory reaction to the ongoing procession of headline-grabbing data breaches and attacks affecting organizations around the world. Major security events have been occurring for more than a decade, but as global connectivity and reliance on IT systems rises, the perilous consequences of these incidents continue to expand.

Here is a breakdown of five measures - two in the United States, one in the European Union, one in Australia and one in China - that are likely to impact you in the not-too-distant future, if they haven't already. Get your compliance and legal teams ready.

1) New York State Department of Financial Services Regulation (23 NYCRR 500)

Current status: Effective as of March 1, but full compliance not required for 18 months

What's it all about? New York state enacted a prescriptive law affecting banks and insurers (with greater than 10 employees) doing business within its borders. With New York serving as a primary hub for global finance, the requirements are certain to have ripple effects around the world.

In addition, the regulation is expected to serve as a model for other states, much like California's trailblazing S.B. 1386 did for data breach notifications. Among other provisions, the New York state law requires that "covered entities":

  • Designate a CISO (who can be employed by an affiliate or third-party provider).
  • Conduct a periodic risk assessment, including of outside vendors, which are the sources of a growing number of breaches. For example, law firms
  • Detect security events.
  • Perform annual penetration testing and bi-annual vulnerability assessments of information systems.
  • Ensure secure development practices for application development.
  • Restrict and review user access privileges to only those systems that access non-public information.
  • Limit data retention.
  • Establish a written incident response plan.
  • Use "qualified" security personnel, which can include third-party providers, to manage risks and core security functions.

What's next? Covered entities also are required to attest to annual compliance. More details can be found here (PDF).

2) The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

Current status: Becomes law May 2018

What's it all about? The goal of the regulation, which affects all businesses operating in the EU, is to harmonize data protection laws across the 28 member states and "make Europe fit for the digital age." The GDPR aims to "give citizens back control over their personal data, and to simplify the regulatory environment for business." The regulation will place a clear onus on businesses that collect and manage the personal information of EU citizens to protect that information from misuse.

What's next? Businesses are racing to comply with the new regulation - or risk being sued.

3) The Cybersecurity Disclosure Act of 2017 (S. 536)

Current status: Introduced in the U.S. Senate

What's it all about? We all know the security skills shortage is an issue for IT departments. But did you know the conundrum also extends to boards of directors? New proposed legislation from Democratic Sen. Mark Warner of Virginia would require boards of directors at public firms to disclose to the Securities and Exchange Commission whether one of their members has security expertise. If they are unable to disclose that, they must explain how they are compensating for this shortcoming. Consumer advocates have reportedly voiced support for the measure as calls for boardroom accountability on security issues grow.

What's next? This one has far less certainty than the others included in this list. The bill is expected to come up for a vote at an undetermined date.

4) Privacy Amendment (Notifiable Data Breaches) Bill 2016

Current status: Passed both houses of the Parliament of Australia in February, expected to take effect in February 2018

What's it all about? Organizations will be required to notify the Australian privacy and information commissioner if they experience a breach and affected individuals are at "risk of serious harm" due to the disclosure of sensitive data.

What's next? This bill has been many years in the works, but now organizations must study the measure and prepare for what, when and how they would disclose in the event of a breach. More details can be found here.

5) The People's Republic of China Cybersecurity Law

Current status: Adopted last year, expected to take effect June 1

What's it all about? All eyes are on this measure, as many governments and corporations don't quite know what to expect when it takes hold. Specifically, the law calls for critical infrastructure protection under the guise of national security, but it has been met with strong foreign opposition and confusion from companies and human rights groups - mainly over fears of further internet regulation and concerns that businesses that operate in the country will be forced to turn over sensitive information for storage in mainland China. The law is unofficially translated to English here.

What's next? The compliance groups at global companies are diligently working to determine how they can meet the new law.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.