Complicating the challenges of complying with GDPR and the new CA data privacy law, two additional state cybersecurity laws in NY and CO went into effect over Labor Day weekend. In particular, the NY State 23 NYCRR 500 Law now requires companies to encrypt non-public information both at rest and in transit.
What does this mean for companies doing business in these states? According to Pravin Kothari, CEO of cloud security vendor CipherCloud:
“Consider that all of this comes in the large wake of the newly enacted General Data Protection Regulation in the European Union that just went into effect in May, and in the shadow of the pending U.S. Cloud Act, the U.S. Encrypt Act, and California’s new Consumer Privacy Act (effective 2020). All of this new regulation sets the bar higher than ever before for U.S. companies.
Conclusions? It is a mess. These sorts of regulations will need to be handled by Federal omnibus. The expense and risk to businesses in attempting to implement a rolling thunder of different regional and/or state data privacy laws will be overpowering. Companies doing business in the U.S. will require the same data privacy controls and capabilities that multinationals doing business in the European Union require today.
As always, “failure to protect the data” signals clearly the same need GDPR has for end-to-end encryption, tokenization, and data residency. You need the tools to gain visibility to your data, provide the data and threat protection you need, and to enable the strong controls required to meet and manage your compliance requirements.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.