US State Cybersecurity Regulation More than Doubled in 2017, While Federal Regulation Waned

In 2017, U.S. states introduced 240 cybersecurity bills, according to an end-of-year report by Edgile, the leading cyber risk and regulatory compliance firm

AUSTIN, Texas, January 29, 2018 — Edgile, the leading cyber risk and regulatory compliance partner to the Fortune 500, today announced the release of its quarterly iGRC update, which adds new state and international sources addressing cybersecurity and privacy compliance to the iGRC content platform. The update added a number of new state and international law sources in a year that saw some reduction in federal regulation but a significant surge in state and international regulation. In 2017, approximately 42 U.S. states introduced 240 bills and resolutions related to cybersecurity — more than double the number in 2016 (during which 104 state bills and resolutions were introduced) — and at least 27 states enacted related legislation.

Relaxation at federal level, while state and global actions accelerate

The pace of legislation and enforcement at the state level is the latest evidence of the ever-shifting landscape that US enterprises are facing. Recent actions by federal agencies suggest a measure of relaxation of enforcement authority in areas affecting consumer information privacy and security. For example, in December the FCC voted to repeal net neutrality rules introduced during the previous administration. Additionally, after the former director of the Consumer Financial Protection Bureau (CFPB) stepped down in November and a new interim director was appointed, the agency’s self-description in press releases was revised to reflect that it “helps consumer finance markets work by regularly identifying and addressing outdated, unnecessary, or unduly burdensome regulations.”

In the meantime, regulation in the international arena that affects US businesses — for example, the EU’s GDPR, which goes into effect in the spring of 2018 — has also reinforced the need for businesses to have better processes and technology to manage the regulatory landscape. Adding to the pressure on US businesses are the well-publicized breaches sustained by companies such as Equifax, Deloitte, and Uber. While Congress was finally spurred to take action in the wake of these breaches (the “Data Security and Breach Notification Act” was filed in the Senate in late 2017), the state response to the breaches was rapid and varied. In addition to lawsuits filed by consumers, regulatory authorities in several states have filed actions against Equifax and Uber based on violations of state and local information protection laws (see, for example, actions filed in Massachusetts, the State of Washington, and Illinois).

A solution for navigating the fast-evolving landscape

“Where the Federal government has either failed to implement uniform legislation addressing personal information privacy issues, or has retreated from regulatory enforcement of existing privacy protections, states have moved to fill the void by enacting their own legislation and strengthening enforcement efforts to protect the privacy interests of their citizens,” said Edgile Partner David Deckter. “At the same time, foreign countries’ concerns over information privacy and security continue to rise. With the new updates in the iGRC content platform, businesses can be brought up to speed quickly to reduce exposure to serious regulatory risk.”

The iGRC content platform is a key offering in Edgile’s Integrated Risk Management (IRM) practice, which enables companies to modernize their governance, risk and compliance programs through industry-leading models, approaches and accelerators that significantly improve the effectiveness of risk management practices throughout the entire technology estate, whether on-premises or in the cloud. Edgile’s iGRC Content Managed Service powers the regulatory programs of institutions, including six of the top banks and seven top hospitals, by providing clients with streamlined access to the latest regulations and tools to stay in compliance efficiently.

“More and more, businesses will need to rely on services that leverage great expertise as well as technology to manage the new regulatory landscape,” said Deckter. “iGRC delivers both at a time of great change and uncertainty on the regulatory front.”

New bills and resolutions introduced in 2017 spanned a wide range of activities, including targeting computer crimes, restricting public disclosure of sensitive data, and implementing workforce training.

About Edgile

Edgile is the trusted cyber risk and compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content. Our strategy-first model optimizes IAM, GRC, and cybersecurity both on-premises and in the cloud. By transforming risk into opportunity, we secure the modern enterprise through solutions that increase business agility and create a competitive advantage for our clients.