U.S. Companies are Unprepared for a Rapidly Changing Regulatory Environment

Edgile releases 2019 Compliance Landscape Report

AUSTIN, Texas, January 31, 2019 – In 2018, at least 35 states considered a total of more than 265 bills and resolutions relating to cybersecurity. 50 of these efforts became law and many companies are unprepared for this rapidly changing regulatory environment, according to a new report—The 2019 Compliance Landscape Report—from Edgile, the leading cyber risk and regulatory compliance partner to the Fortune 500.

“I’ve tracked the compliance landscape for the last 20 years and the velocity of compliance changes impacting U.S. companies has never been greater,” said David Deckter, Edgile Partner. “Many U.S. businesses will be unable to keep up and that is going to translate into costly compliance violations, many of which will come as a complete surprise for executives who haven’t tracked these changes closely.”

A big reason for the flood of changes is that state legislatures are quickly coming to terms with the security and privacy risks faced by their constituents, as well as new global rules—such as the European Union’s GDPR privacy rules—impacting U.S. businesses.

Here are four significant but little-noticed changes that took effect in 2018:

  • California passed an “Internet of Things” (IoT) law, the first of its kind in the nation. The law requires a manufacturer of a “connected device” to “equip the device with a reasonable security feature or features designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
  • Vermont became the first state to enact a data broker law. Businesses falling within the definition of “data broker,” i.e. a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship, are required to register annually with the Secretary of State, incorporate standard security measures in handling personally identifiable information, and notify authorities of security breaches.
  • Ohio enacted Senate Bill 220. The purpose of the law is to provide businesses with a legal incentive to adopt and maintain written cybersecurity programs and is the first such state law of its kind.
  • South Carolina became the first state to pass an insurance cybersecurity law based on the NAIC Insurance Data Security Model Law. The South Carolina Department of Insurance Data Security Act was enacted in May.  Among the requirements for South Carolina licensees, defined as insurers, agents and other licensed entities, are maintenance of “an information security program based on ongoing risk assessment,” as well as the obligation to oversee third-party service providers, investigate data breaches and notify regulators of a cybersecurity event.

Edgile is a leader in providing businesses with tools to stay on top of this rapidly changing regulatory environment. Edgile’s iGRC Managed Content Service tracks over 70 state, federal, global and industry-specific compliance and regulatory requirements, including PCI, SOX, NIST, NYDFS, FFIEC and HIPAA. The iGRC “risk register” reduces the regulatory burdens on businesses by automatically identifying and updating all applicable legal, statutory and regulatory requirements every quarter.  Edgile’s professional services coupled with our risk methodology and risk assessment accelerators help clients successfully address these recurring regulatory hurdles.

Contact Edgile to speak with our regulatory and compliance experts.

About Edgile: We Secure the Modern EnterpriseSM
Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content. We secure the modern enterprise by developing on-premises and cloud programs that increase business agility and create a competitive advantage for our clients.