Compliance Updates and New Laws: A Look Forward to 2017

As the cybersecurity landscape evolves, so do compliance standards. The new year brought new conversations about compliance, new regulations and new considerations for IT teams. Regardless of your industry, compliance is a fundamental component of any IT strategy. At the close of 2016, CIOs and IT specialists were preparing for changes that would affect how they transmit and store sensitive data. We’ve outlined some of those changes below to help your team stay ahead of the curve.

IoT device security is a top priority.

Last fall, a massive DDoS attack against the DNS provider Dyn caused large-scale disruption across the internet. According to The Guardian, the attack was the largest on record and involved roughly 100,000 malicious endpoints. The attack was notable not only for its scale but for the makeup of the botnet behind it: rather than compromised computers, it was built from consumer devices that make up the Internet of Things (IP cameras, digital video recorders and home routers), many of them taken over simply because they still used factory-default login credentials. The attackers did not breach Dyn’s systems; they used the botnet to flood Dyn’s DNS infrastructure with traffic, so that the many web sites relying on it became unreachable. The incident drew attention to the weaknesses in IoT security strategy, and in particular to devices that ship with default passwords and never receive software updates.

Regulatory agencies like the Federal Trade Commission are cracking down on device security practices. According to Quartz.com, the FTC put IoT manufacturers “on notice” when it filed a federal lawsuit against a router manufacturer (D-Link) over allegedly inadequate device security, including how user login credentials were protected. While no single government agency is responsible for IoT oversight, this lawsuit signals that manufacturers will bear significant responsibility for making sure these devices protect owners’ sensitive data.

Also in January, the FTC announced the Internet of Things Home Inspector Challenge, a public contest “to create a tool [that addresses] vulnerabilities caused by out-of-date software in IoT devices.” The FTC is offering a grand prize of $25,000, and Jessica Rich, director of the FTC’s Bureau of Consumer Protection, told Geekwire.com that the agency is hoping one entry will “help [consumers] keep device software up-to-date.”

Congress creates penalties for those who block or inhibit electronic health record sharing.

One of the last pieces of legislation passed by Congress in 2016 was the 21st Century Cures Act. Passed with bipartisan support, one of the bill’s components gives the federal government the authority to “investigate claims of information blocking and assign penalties for practices found to be interfering with the lawful sharing of EHRs.” Under this new law, the US Department of Health and Human Services will require EHR technology developers to attest that they are not engaging, and will not engage, in information blocking before their product can receive certification. Furthermore, technology developers can be fined up to $1 million per violation.

State agencies are starting to play a role in data security regulations.

As the home of some of the world’s largest banks and insurance companies, the State of New York recently proposed a new cybersecurity regulation for financial institutions that operate under a state-issued charter, license or registration. A revised version of the proposed regulation was released on December 28, 2016 and states that, in light of recent data breaches, “certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.”

According to The National Law Review, New York financial institutions will be required to perform a “Risk Assessment” and “create written procedures to ensure the security of their applications, establish policies for the secure disposal of nonpublic data and develop an audit trail system.” Once adopted, this regulation expands the compliance landscape beyond federal authority and paves the way for state governments to create and enforce standards for collecting, storing and transmitting data within their borders.

QTS is committed to helping our clients meet a broad array of compliance standards. Our integrated strategy reduces the complexity of compliance and lowers your organization’s exposure and risk. Learn more about our flexible, integrated approach and contact us today to discuss your organization’s compliance goals and needs.