As cyber attacks increasingly target small- to medium-sized businesses (SMBs), there will soon be far greater pressure on SMBs to become compliant with every piece of data privacy legislation in force.
This article summarizes the key privacy laws that SMB owners need to be aware of.
The top data privacy laws
Here is an overview of the major data privacy laws that are in effect today:
- The Payment Card Industry Data Security Standard: This is also known as the PCI-DSS for short. This legislation primarily deals with the safety and security surrounding not only the usage of credit cards by customers, but also the data that is collected, processed, and stored. The compliance requirements are quite detailed, and more information about it can be found here. Every SMB that accepts credit card transactions is bound by this law, which was created and enacted back in 2006 by a consortium of the major credit carriers, including:
  - American Express
  - Japan Credit Bureau (JCB)
- The Sarbanes-Oxley Act: This is also referred to as “SOX,” though some regulators also call it “SAR-BOX.” This is a key piece of legislation which regulates how the financial records of publicly traded companies are to be stored and archived, and how specific types of financial transactions are to be logged, recorded, and monitored on a real-time basis. It was passed and enacted in 2002. More detailed information about this can be found here.
- The Gramm-Leach-Bliley Act: This is also commonly known as the “GLBA.” It relates to how Personally Identifiable Information (PII) datasets are to be stored, processed, and protected. The Act applies to both private and public SMBs under its “Safeguards Rule.” A very important aspect of the GLBA is that it mandates a transparent process for how PII datasets are to be shared with other entities, and the customer must be notified when such information sharing takes place. Customers must also be given the right to opt out if they do not want their confidential data to be shared with third-party entities. Much more detailed information on the GLBA can be found here.
- The 23 NYCRR 500 Cybersecurity regulation: This is a regulatory act that was passed by the New York State Department of Financial Services, also known as the “NYDFS.” It deals specifically with business entities located in New York. Although it also covers the protection of PII datasets, it applies specifically to the issue of data privacy, especially when it comes to the provisions of the GDPR and the CCPA. There are 23 specific tenets in this law that address how New York-based entities must come into Cybersecurity compliance, with a very strong emphasis on risk reduction to mitigate the chances of data leakage, whether intentional or not.
- The European Union Data Protection Directive: This is commonly referred to as the “EUDPD,” and in some ways it can be considered the predecessor to the GDPR. However, it does not have the “teeth” that the GDPR does, as this law only deals with business entities that are based in the European Union. It is important to keep in mind, though, that if you are a US-based entity with offices in the EU, you will also be bound by this regulation.
As this article makes clear, keeping track of all these regulations and laws can be a nightmare, especially when it comes to compliance. It is always wise for an SMB to consult a Cybersecurity company that specializes in this area for further assistance.
Future articles will look at some of the pitfalls SMBs fall into when they try to come into compliance, as well as tips to help them to achieve it.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He holds the Certified in Cybersecurity (CC) certification from ISC2.