CPRA

The CPRA (California Privacy Rights Act) is a privacy law that expands upon the California Consumer Privacy Act (CCPA) and strengthens consumer privacy rights. The CPRA grants consumers additional rights, including the right to limit the use of sensitive personal information and the right to correct inaccurate personal information. 

The CPRA creates a new enforcement agency, the California Privacy Protection Agency, to oversee and enforce privacy regulations. The CPRA increases the fines and penalties for non-compliance with privacy regulations. The CPRA went into effect on January 1, 2023, and applies to companies that do business with California residents and meet certain size or revenue thresholds.

GDPR

The GDPR (General Data Protection Regulation) is a set of data protection regulations that apply to all companies processing the personal data of individuals in the European Union (EU). It aims to strengthen individuals' rights and unify data protection laws across the EU.

The GDPR requires companies to obtain consent from individuals before collecting and using their personal data and mandates that companies take measures to protect this data. Non-compliance with the GDPR can result in significant fines and reputational damage. The GDPR went into effect on May 25, 2018, and applies to companies of all sizes and industries.

Compliance is a global, expanding requirement

The GDPR and CCPA were the first major cybersecurity compliance regulations to impact markets in the EU and the US. Most subsequent legislation is based on GDPR, CCPA, or both. Non-compliance with these regulations can result in significant fines and legal penalties, damaging the organization's financial standing and credibility.

Data is essential for the functioning of virtually all businesses. Regulations like the GDPR and CPRA will only become more ubiquitous through the 2020s. Conducting cybersecurity audits will likely be mandated by law. 

iPAS can not only provide security assessments, but can also audit a client's data landscape, providing protection both from hackers and from protracted legal battles. We've listed some examples of cybersecurity and data privacy legislation below. The list is comprehensive, but not exhaustive.

Americas

California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA)

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley Act (SOX)

Federal Information Security Management Act (FISMA)

Gramm-Leach-Bliley Act (GLBA) 

Payment Card Industry Data Security Standard (PCI DSS) 

Brazil: General Data Protection Law (GDPL)

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Mexico: Federal Law on the Protection of Personal Data Held by Private Parties

Europe

EU: General Data Protection Regulation (GDPR)

Digital Services Act (DSA)

Digital Markets Act (DMA)

Network and Information Systems (NIS)

Norway: Law on the Processing of Personal Data

UK: Data Protection Act (DPA)

Asia-Pacific

Australia: Privacy Act

India: Personal Data Protection Bill

Indonesia: Personal Data Protection Bill (PDPB)

Japan: Act on the Protection of Personal Information (APPI)

Pakistan: Prevention of Electronic Crimes Act (PECA)

Global

ISO/IEC 27001 - Information Security Management System

ISO/IEC 27002 - Code of Practice for Information Security Controls

ISO/IEC 27005 - Information Security Risk Management

ISO/IEC 27017 - Cloud Computing Security and Privacy Controls

ISO/IEC 27018 - Protection of Personal Data in Public Clouds

ISO/IEC 27032 - Cybersecurity Guidelines

ISO/IEC 27034 - Application Security

ISO/IEC 27035 - Information Security Incident Management

ISO/IEC 27701 - Privacy Information Management System

NIST Cybersecurity Framework

NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems

NIST SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems

SOC 2 - Service Organization Control 2

CSA STAR - Cloud Security Alliance Security, Trust, Assurance, and Risk

COBIT - Control Objectives for Information and Related Technologies

ITIL - Information Technology Infrastructure Library

IEC 62443 - Industrial Automation and Control System (IACS) Security