Blog  |  July 14, 2022

Between a Rock and a Hard Place: Recent Changes to the Regulatory Landscape

In our previous blog, we discussed how organizations are not only between a rock and a hard place, but they are also actually between a rock and a rock and a hard place, as they are experiencing three difficult data protection challenges. One of those challenges is the ever-changing regulatory landscape to which organizations must continue to adjust. Let’s look at some of the recent changes to the regulatory landscape.


SEC Proposed Rules for Cybersecurity Risk Management

On March 9th, the Securities and Exchange Commission (SEC) proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (registrants).

The proposed amendments would require, among other things:

  • Current reporting about material cybersecurity incidents within four business days and periodic reporting to provide updates about previously reported cybersecurity incidents.
  • Periodic reporting about:
    • A registrant’s policies and procedures to identify and manage cybersecurity risks.
    • The registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
  • Annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.

The comment period for the SEC proposed rules ended in May, so it will be interesting to see what, if any changes, are made. Regardless, the SEC proposed rules are likely to have a significant impact on how public companies address their cybersecurity obligations.

State Data Privacy Laws

While California adopted the California Consumer Privacy Act (CCPA) in June 2018 (which became effective on January 1, 2020), other states have been slow to adopt comprehensive data privacy laws. In fact, the next state to approve one was…again…California, for which voters approved Proposition 24, adopting the California Privacy Rights Act (CPRA) of 2020, which significantly expands the data privacy rights of consumers over what the CCPA covers and will replace it in January 2023.

However, in the past sixteen months, four more states have approved comprehensive data privacy laws, all of which are set to go into effect next year. They are:

While the state data privacy laws have several similarities, there are also considerable differences as well. For example, California is the only state that offers a private right of action (both CCPA and CPRA include it). Once CPRA goes into effect, Utah will be the only state that doesn’t offer the right of rectification or the right against automated decision making. And it will be the only state that doesn’t require risk assessments.

With 45 states still to adopt a comprehensive data privacy law, you can imagine there will be plenty of adjustments to come. Currently, Massachusetts, Michigan, New Jersey, Ohio, and Pennsylvania have bills in committee, but that’s no guarantee that those bills will proceed into law – 23 states have submitted privacy bills that have failed to gain traction and are currently inactive.

Federal Data Privacy Law

Despite several proposals in recent years, there is no one comprehensive federal law that governs data privacy in the U.S. Instead, U.S. citizens are protected by a combination of laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing, including:

Although there has been a recent bipartisan compromise draft on potential federal privacy legislation, there is still a long way to go  before there is a fully comprehensive data privacy law  in the U.S.

State Data Breach Notification Laws

State data breach laws are also changing. Even though all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have laws requiring businesses to notify individuals of security breaches of information involving personally identifiable information, those laws are still being updated periodically.

Recently, Indiana passed House Enrolled Act No. 1351, which requires companies to provide data breach notification “not more than 45 days after discovery of the breach” where the standard was previously “without unreasonable delay”. And Arizona recently passed House Bill 2146, which added the Director of the Arizona Department of Homeland Security to the three largest consumer reporting agencies and the Arizona attorney general to be notified when a breach happens. Changes are ongoing here as well.


If we were to write this article in a few months, the recent changes to the regulatory landscape would likely be different because the regulatory landscape is always evolving! Data security threats continue to rise and identifying sensitive data continues to be challenging so organizations have a tremendous challenge to keep up with changing regulations, especially when the stakes of failing to do so are higher than ever.

It’s important to work with experienced professionals who not only know how to address rising data security threats and understand how to identify sensitive data within Big Data collections, but also keep track of the changing regulations so that you can avoid getting stuck between a rock and a rock and a hard place!

For more regarding Cimplifi security, privacy, and compliance capabilities, click here.

Read the full blog series here: Part 1    Part 2    Part 3    Part 4    Part 5    Part 6