

The mantra for cybersecurity professionals is protecting confidentiality, integrity, and availability of data through the appropriate use of physical, administrative, and technical safeguards. In the U.S., cybersecurity laws have historically adopted that mantra to require the application of reasonable security measures.
The more recent trend is for regulations to be more prescriptive, but even under a framework requiring reasonable security measures, the requirements can vary based on industry and specific laws such as:
· The HIPAA Security Rule for protected health information for covered entities and business associates under HIPAA
· The FTC Safeguards Rule for the nonpublic personal information held by financial institutions under the Gramm-Leach-Bliley Act (GLBA)
· The Colorado Privacy Act for protecting consumer privacy rights
· The California Consumer Privacy Act (CCPA), the New York SHIELD Act, and many other state laws
· The EU General Data Protection Regulation (GDPR) and the UK GDPR for EEA and UK residents
· Rules of Professional Ethics and Responsibility, exemplified by the ABA Model Rules of Professional Conduct
The common thread remains the same: maintaining reasonable security measures that are standard for your industry. There is also a baseline expectation that spans all industries, such as designating a qualified individual (or group) to be responsible for security and encrypting sensitive data at rest and in transit.
Jack and Demian will discuss the reasonable security measures that are common across all of these laws and regulations and steps that companies can take to meet these measures. Whether you have an established information security program or are just getting started, you will benefit from the back-and-forth discussion between Jack and Demian on these topics.
This course includes: