4 Cybersecurity Laws Businesses Should Be Aware Of

12/5/19

Just a few years back, cybersecurity was not a major issue for small and medium-sized businesses. But at the moment, everyone is concerned about it, from the smallest startup to previously indomitable giants.

Obviously, when giants like Facebook or Adidas fall victim to a breach, it is sure to make headlines. However, the world doesn’t care much when it happens to your small, relatively unknown startup.

The statistics paint a grim picture: according to the Breach Level Index, over 3 billion data records were compromised during the first half of 2018, a 72% increase over the same period in 2017.

Whatever the size of your business, a breach can deal a devastating blow, both financially and in reputational damage. With the aim of protecting both businesses and consumers, governments have put a number of legislative measures in place over the years.

Understanding these laws is crucial both for protecting your business and for avoiding the large fines that non-compliance can bring. So, without further ado, let's look at four important business-related cybersecurity laws.

1. GDPR Regulations

With the General Data Protection Regulation (GDPR) and, in the UK, the Data Protection Act 2018 (the "2018 Act") that supplements it, entities that process personal data faced significant changes. Both require businesses to put appropriate technical and organisational measures in place to protect the personal data they hold.

These rules also limit the access that third parties get to personal data and what they may do with it. A third party that processes data on behalf of the business that collected it (a "processor") has to offer sufficient guarantees about the security of its processing, and the arrangement has to be set out in a contract.

Businesses have to implement technical measures (the regulation itself names pseudonymisation and encryption as examples; in practice that also means patching, access control, firewalls and endpoint protection), and at the same time organisational procedures that personnel must follow with regard to cybersecurity.

By doing so, they are in a position to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Note that the GDPR is not limited to businesses located in the European Union: it applies to any organisation, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour. Many of its ideas also reappear in California's new rules.

2. California's IoT Security Bill and Consumer Privacy Act

Both of these laws, SB-327 on connected devices and the California Consumer Privacy Act (CCPA), take effect on 1 January 2020. The CCPA has been described as the most stringent privacy law of its kind in the US, and its passing shows that privacy is now a top priority for policymakers on a global scale.

Every business has an obligation to get acquainted with the state-specific cybersecurity rules that apply to it. Most concern data collection practices and breach notification: when a compromise occurs, customers must be notified within set timeframes.

SB-327, California's Internet of Things security bill, covers internet-connected devices. Manufacturers of such devices have been widely criticised for their apparent lack of concern about cybersecurity.

The bill requires manufacturers to equip these devices with reasonable security features, and for devices that can be logged into from outside a local network it spells out what that means for passwords: either each unit ships with a password unique to that unit, or the device must make the user create a new credential before it grants access for the first time. Today that step is usually optional; under SB-327 it is not. Shipping every unit with the same generic password that hackers can guess is out of the question.
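The following is an added example, not code from the original article or from any device vendor, of what those two compliant paths look like in a device's first-boot logic: a per-unit factory password drawn from a CSPRNG, or a gate that refuses every login until the user sets an acceptable credential, plus a fleet audit that flags units whose preprogrammed password is generic or shared. The Device class, the deny-list, the serial numbers and the PBKDF2 parameters are all constructed for this illustration.

```python
"""First-boot credential policy for an internet-connected device.

Added example, not code from the original article or from any vendor. It
models the two compliant paths SB-327 describes for devices that can be
logged into from outside the local network: (1) the unit ships with a
password unique to that unit, or (2) the device refuses to grant access
until the user sets a new credential. The Device class, the deny-list and
the serial numbers below are constructed for the example.
"""
from collections import Counter
from typing import Optional
import hashlib
import hmac
import secrets

# Generic factory defaults that attackers try first. Constructed short
# deny-list; a real deployment would use a much larger one.
GENERIC_DEFAULTS = {
    "admin", "password", "123456", "12345678", "default",
    "root", "1234", "qwerty", "letmein", "guest",
}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def provision_unique_password(nbytes: int = 12) -> str:
    """Path 1: a preprogrammed password unique to one unit.

    Drawn from the OS CSPRNG on the production line and printed on the unit's
    label. It is deliberately NOT derived from the serial number or MAC, so
    learning one unit's identifiers reveals nothing about its password.
    """
    return secrets.token_urlsafe(nbytes)


def is_acceptable_password(candidate: str, serial: str) -> bool:
    """Reject passwords that are short, generic, or built from the serial."""
    c = candidate.strip()
    if len(c) < MIN_LENGTH:
        return False
    if c.lower() in GENERIC_DEFAULTS:
        return False
    if serial.lower() in c.lower():
        return False
    return True


def audit_fleet(units) -> list:
    """Compliance check over (serial, factory_password) pairs.

    Returns the serials whose preprogrammed password is generic/weak or is
    shared with another unit: either condition means the password is not
    unique to each device manufactured.
    """
    counts = Counter(pw for _, pw in units)
    return sorted(
        serial for serial, pw in units
        if counts[pw] > 1 or not is_acceptable_password(pw, serial)
    )


class Device:
    """Path 2: gate all access behind a mandatory first-boot credential."""

    def __init__(self, serial: str, factory_password: Optional[str] = None):
        self.serial = serial
        self._salt: Optional[bytes] = None
        self._hash: Optional[bytes] = None
        # A unique per-unit factory password is accepted as-is; a shared or
        # generic one is treated as "no credential set", which forces setup.
        if factory_password and is_acceptable_password(factory_password, serial):
            self._store(factory_password)

    def _store(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    @property
    def setup_required(self) -> bool:
        return self._hash is None

    def set_initial_password(self, new_password: str) -> None:
        """Only callable before any credential exists (the first-boot gate)."""
        if not self.setup_required:
            raise PermissionError("credential already set; authenticate to change it")
        if not is_acceptable_password(new_password, self.serial):
            raise ValueError("password rejected by policy")
        self._store(new_password)

    def authenticate(self, password: str) -> bool:
        """No access of any kind until setup has completed."""
        if self.setup_required:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, self._hash)


if __name__ == "__main__":
    unit = Device("SN-2019-0001", factory_password="admin")  # non-compliant default
    print("setup required:", unit.setup_required)            # the default is ignored
    unit.set_initial_password("correct horse battery staple")
    print("login ok:", unit.authenticate("correct horse battery staple"))
```

The point of the design is that a generic default never becomes a usable credential: the device treats it as "nothing set" and authenticate() fails closed until the user completes setup. The fleet audit catches the other failure mode, a production line that stamps the same "unique" password on every unit.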

Many cybersecurity experts also recommend storing credentials in a password manager such as LastPass, Dashlane or the newer NordPass, which we have already reviewed. But as noted, the passwords themselves must first be strong and unique; a manager is an additional layer on top of that.

Though the law only applies in California, its effects should be felt well beyond it. After all, it would make little sense to build a compliant device specifically for California and a different, non-compliant one for everyone else.

A number of similar bills have been proposed outside California, including at the federal level, but none has made it to a vote yet. The fact that federal legislators are taking an interest in cybersecurity suggests it may only be a matter of time.

3. The Cybersecurity Information Sharing Act (CISA)

The Cybersecurity Information Sharing Act of 2015 (CISA) is meant to improve the exchange of information about cybersecurity threats, which makes it easier to pre-empt incidents and protect users. Under CISA, companies may voluntarily share cyber threat indicators and defensive measures with the federal government and with each other, with protection from liability for doing so. It is not a requirement to hand over internet traffic: what is shared are indicators of a threat, and the act requires personal information not directly related to the threat to be removed before sharing.

Given the scale of today's cyber-attacks, that kind of sharing is intended to help defend a huge number of people, with the scrubbing requirement as its privacy safeguard.

4. Network and Information Systems (NIS) Regulations

While the GDPR and the 2018 Act focus on personal data, the UK's Network and Information Systems Regulations 2018 (the "NIS Regulations", which implement the EU NIS Directive) focus on the security of the systems themselves.

These regulations primarily apply to "operators of essential services" in sectors such as health, energy, transport, water and digital infrastructure. They also apply to "relevant digital service providers" such as online marketplaces, online search engines and cloud computing services.

Businesses in these categories need to implement appropriate and proportionate measures to manage the risks to their network and information systems. They must not only prevent incidents but also minimise the impact when one does occur.

As with the GDPR, the NIS rules leave it to businesses to decide what is appropriate and proportionate. The condition is that the decision rests on an understanding of the risks their systems face, which in practice means being able to show that those risks were assessed.

Are there federal cybersecurity laws?

You might find it surprising that there is no single overarching federal cybersecurity law in the US. That does not mean businesses are free to operate without adhering to any standards: certain industries and services are subject to sector-specific laws, for example HIPAA for health data and the Gramm-Leach-Bliley Act for financial institutions.

One such group is contractors who work for the Department of Defense (DoD). They have to meet the cybersecurity requirements written into their contracts, such as the DFARS clause that requires the NIST SP 800-171 controls for covered defense information, or risk losing those contracts.

Note that criminal violations of data privacy laws in particular can lead to prison sentences of up to 10 years. However, challenges remain around the uniformity of cybersecurity guidance across sectors and government agencies.

Another common criticism is that in some cases the fines and penalties for non-compliance are yet to be defined. Complying is still in your business's interest: beyond avoiding penalties, it is an extra point of credibility with customers.

So, make cybersecurity a top priority for your business and strive to comply with existing rules.
