Standard Office Systems Blog

Cyber Security Laws and Regulations Coming in 2020

Written by Erica Kastner | 12/6/19 5:00 PM

CYBER SECURITY | 4.5 MIN READ 

With 2020 around the corner, you're probably thinking about the approach of tax season or what gifts you'll be buying for the holidays. However, have you considered how you or your business will be affected by new cyber security laws that go into effect next year? Read more to find out what cyber security regulations are going into effect next year as well as the penalties for non-compliance.

Not enough time? Jump to:

California Consumer Privacy Act

New York's SHIELD (Stop Hacks and Improve Electronic Data Security) Act

Connecticut Insurance Data Security Law

How Else Can I Protect My Business?

California Consumer Privacy Act

Outcome

The California Consumer Privacy Act, which goes into effect in January 2020, requires that companies be transparent with California consumers on what personal information they use and how it is used/shared.

Penalties

Companies who do not comply leave themselves open to lawsuits in the case of a data breach. Additionally, California’s Attorney General has the authority to fine companies that don’t follow the new regulations.

For intentional violations, California's Attorney General can bring civil penalties of up to $7500 for each violation. For other violations, the maximum fine is $2500 per violation.

New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act

Outcome

Effective on March 21, 2020, the SHIELD Act will require all businesses that hold private computerized data on any New York residents to maintain certain security standards for that information, such as notifying victims of data breaches, or risk penalties.

Penalties

Though victims whose information is stolen cannot sue the companies that have been hacked, the Attorney General may take action against businesses that violate the law to obtain civil penalties.

For data breach notification violations that are not reckless or knowing, the court may award damages for actual costs or losses incurred by a person who was entitled to but did not receive a breach notice.

For knowing and reckless data breach notification violations, the court may impose penalties beginning at $5,000 or up to $20 per violation, with a cap of $250,000.

For data breach safeguard violations, the court may impose penalties of no more than $5,000 per violation.

Connecticut Insurance Data Security Law

This law, also known as Connecticut House Bill No. 7474, Section 230, is spawned from the National Association of Insurance Commissioners' model insurance data security law. So far, six other states have passed versions of this law, and as of October 2019, Connecticut has joined them. Though the law is technically already in effect, it includes a clause that gives companies until October 2020 to implement policies that bring them in line with this law.

Mississippi enacted a similar law that gives licensees until July 2020 to implement certain data security policies. New Hampshire also enacted a similar law that goes into effect on January 1, 2020.

This law applies to insurance licensees who are licensed to operate because of an adherence to Connecticut insurance laws. It also applies to those who conduct business in Connecticut, as well as those who own or license computerized data that includes personal information about Connecticut consumers.

Outcome

Each licensee shall, no later than October 1, 2020, develop, implement and maintain a comprehensive written information security program that is based on the licensee's risk assessment and contains the administrative, technical and physical safeguards for the protection of non-public information as well as the licensee's information security system.

The information security program should be designed to protect non-public information, guard against threats to override the security system, and protect against unauthorized access to the security system.

In the event of a cyber security breach, affected companies must notify the Connecticut Attorney General and the Insurance Commissioner no later than three business days after a breach occurs, as well as follow certain protocol to notify any affected consumers.

Additionally, for each Connecticut resident whose personal non-public information fell victim to a company's breach, the company must offer appropriate identity theft prevention services and, if applicable, identity theft mitigation services for free for no less than two years after said breach.

For a full description of all the requirements for said information security system, start on page 288 of this official text.

Penalties

For those who violate this law, the Insurance Commissioner can call a hearing for the licensee. If the accused has egregiously violated the law, the commissioner can revoke the accused's license, certificate of registration, or authorization to operate.

Additionally, the commissioner may impose a civil penalty of no more than $50,000 for each violation of the law as well as bring about a civil action to recover the amount of any civil penalty that the commissioner imposes on a licensee.


How Else Can I Protect My Business?

While this list doesn't contain every single piece of cyber security legislation going into effect in 2020, it is a good measure of the direction that legislation surrounding cyber security is heading.

These laws are just some of the hundreds of proposed legislative pieces that are working their way through state and federal courts. As the world becomes more intertwined with the Internet, the government will increasingly pass more data security laws to protect its citizens. 

If you're a consumer, this means that you will have more regulations that protect your private data. However, if you're a business, these regulations mean increasing penalties for those who do not comply with the law. Knowing how to comply with these laws is only the first step in protecting your business's welfare.

Consider managed IT services if you want a partner who will protect your cyber security infrastructure while helping you implement policies that will keep your network in line with the law.