
The Impact of Cybersecurity Regulation in 2024 with Chuck Brooks

In this episode of the SecurityANGLE, the discussion is all about the impact of cybersecurity regulation in 2024. Guest host Jo Peterson, analyst, engineer, and member of theCUBE Collective community of independent analysts, is joined by Chuck Brooks, president of Brooks Consulting International. In addition to his strategic consulting work, Chuck is also an adjunct professor at Georgetown University, where he teaches courses on risk management, homeland security, and cybersecurity, and he designed a certificate course on blockchain technologies. The two sat down for a conversation about cybersecurity regulation in 2024 and what’s happening in that realm.

Cybersecurity Regulation: The Current State of Regulation and What’s Ahead

The conversation on cybersecurity regulation began by reflecting on the events of 2023. While Congress didn’t pass a cybersecurity bill, the White House pushed to implement a national strategy on cybersecurity. At the state level, we saw moves to tighten data protection, with much conversation around AI and its implications. As we move forward into 2024 and look through a legal security lens, we covered some of the legislative developments expected in a few areas. These include:

  • The regulation of privacy and data security
  • An increase in civil litigation around data privacy
  • Trends that pertain to government data collection

Comparing the US and EU Regulations on AI

Jo and Chuck compared the US Executive Order on AI with the EU AI Act and opined on whether the US Executive Order does enough to provide protection.

The Executive Order on AI came out in the US in October 2023. In the EU, the EU AI Act was also introduced this last year. There are some big differences between the two. One significant difference is that the Executive Order draws on the power of the Presidency to require primary executive departments to formulate consensus industry standards and regulations for AI usage, which creates a risk of divergent standards.

Just this last week, the EU approved what has been called the “world’s first major set of legislation to regulate the use of AI (the EU AI Act), setting the global standard for AI regulations with uncertainties around the US federal bill and the UK’s Artificial Intelligence (Regulation) Bill in its second reading.” The EU AI Act aims to establish a regulatory framework across the entire EU as a single regulation that would be directly applicable to member states.

Cybersecurity Regulation in the US: Do We Need National Regulation on Data Privacy?

The conversation on cybersecurity regulation evolved to a look at data privacy and discussion on whether we need regulation on data privacy in the US. Since about 2018, some 14 states have taken on the data privacy issue by enacting comprehensive data privacy legislation. Five states have legislation currently in effect, and the additional nine are set to go into effect between 2024 and 2026. Some other bills are being considered by state legislatures related to consumer data privacy but have yet to be enacted.

What Every CISO Needs to Know About Data Minimization

Jo and Chuck explored the topic of data minimization and some of the obligations comprehensive state privacy laws impose on data controllers, who are entities that determine the means and purposes of processing personal consumer data. These obligations include data minimization, setting purpose limitations, maintaining privacy policies, maintaining reasonable administrative, technical, and physical data security controls, and contractually requiring processors of personal data or service providers to comply with the applicable law.

Washington State’s My Health, My Data Act (MHMDA)

Jo and Chuck also touched briefly on Washington State’s My Health, My Data Act, a piece of US cybersecurity regulation that is important to be aware of. In April of 2023, Washington Governor Jay Inslee signed into law the “My Health, My Data Act” (MHMDA). This Act modified the legal landscape, creating data privacy requirements focused on personal health data for certain Washington-based entities. They explored what this means for healthcare CISOs and shared thoughts on whether we’ll see more states follow suit on this front.

Cybersecurity Disclosure Rules for Public Companies

In July 2023, the SEC adopted new cybersecurity disclosure rules for public companies, which was big news. The final rule requires annual disclosures regarding an organization’s risk management, strategy, and governance, and Form 8-K disclosure of material cybersecurity incidents within four business days of the company’s determination that a breach incident is material. We covered that topic in some depth in an earlier episode of the SecurityANGLE, which you’ll find here: Protecting Critical Infrastructure, Cybersecurity is a Boardroom Issue, and Thoughts on the New SEC Regs on Security.

Watch this week’s full episode of the SecurityANGLE here, or stream it wherever you get your podcasts:

That’s a wrap for this episode of the SecurityANGLE. We appreciate you watching, listening, and/or reading. As always, if you have something you want us to cover or a unique or innovative security solution, we are always interested in hearing from you.

Find and connect with us on social media here:

Shelly Kramer on LinkedIn | Twitter/X

Jo Peterson on LinkedIn | Twitter/X

Chuck Brooks on LinkedIn | Twitter/X

Image credit: Ezequiel Da Silva (Pexels)
