Tip #24 for National Cybersecurity Awareness Month: Meet your legal obligations.

Cybersecurity isn’t just a technical issue. It’s a legal one, too.

The regulatory landscape is constantly evolving, and different countries and even states are enacting their own cybersecurity and privacy laws.

Violations of cybersecurity regulations could carry hash fines or penalties.

It’s important to understand what regulations apply to your organization so you can ensure compliance with these requirements.

Additionally, should there ever be a consumer complaint or investigation about violating a cybersecurity regulation, it’s important that you have a defensible position and be able to articulate the steps you took to assess and meet your regulatory obligation. Lack of awareness could be interpreted as a neglectful management practice or ignorance — and that’s never a good defense.

Steps you can take

If your in-house counsel has expertise in cybersecurity, start to involve them in your decisions. If not, find outside counsel that has that expertise.

  1. Engage with counsel familiar with cybersecurity laws in your jurisdiction and places of commerce to understand what cybersecurity laws and consumer privacy laws apply to your organization.
  2. Perform a current state assessment and identify gaps that prevent you from meeting the regulatory requirement. All too often, organizations tend to overstate their process capability, so it may make sense to engage a qualified consulting organization to help you through this assessment.
  3. Develop a remediation plan to close any identified gaps.
  4. Execute against that remediation plan and make sure your organization meets the compliance requirement and can prove compliance