
Why Security and Legal Need to Work Together

This three-part blog series explores the relationship between law and security, as it pertains to vulnerability management. In part one, we’ll look at how the changing field of cybersecurity requires legal and security teams to work together more closely than ever. 

Instead of merely being an issue for IT and security teams, cybersecurity has become a primary concern across the business – especially for the legal team. As the field of cybersecurity continues to evolve, legal and security teams will need to work together to create cohesive cybersecurity measures. 

The laws security teams need to know 

From Europe’s General Data Protection Regulation (GDPR) to its Californian counterpart, it’s inevitable that laws will affect the work of the security team. Determining which regulations apply is only the first step, as cybersecurity practitioners also need to decide how those regulations should be interpreted within their specific organization. A close working relationship between legal and security teams is imperative for organizations to maintain compliance and avoid hefty fines or reputational damage. 

Here are some critical components of current cybersecurity and data laws that your legal team can help explain to your security team: 

U.S. federal law

The U.S. has no overarching federal cybersecurity laws. However, there may still be federal regulations that businesses must comply with. Government contracted workers have specific cybersecurity rules to follow. For example, the Department of Defense requires contractors to comply with set cybersecurity standards or risk losing their contract. There are also industry-specific federal laws to be aware of (e.g., HIPAA, GLBA). Depending on what industry your organization operates in, you may have specific regulations to follow. 

Questions to ask your legal team:

  • Are there industry-specific privacy or data regulations that our security measures must comply with? 
  • If so, what sort of protections and security measures will we need to put into place to both comply with federal law and prevent security breaches?
  • To maintain compliance, how can the legal and security teams work together to continuously monitor changes to existing laws and implementation of new laws?

State law

Cybersecurity and privacy laws can vary on a state-by-state basis. For example, in the instance of a data breach, different states have different requirements for data collection or notification timelines. Knowing the different regulations for each state could save your organization from fines or reputational risk. The National Conference of State Legislatures provides an overview of data security laws for each state. 

Some states are stricter than others when it comes to cybersecurity. New York, for example, has special laws in place to regulate the financial sector. The state of California has the most stringent information security regulations in place. The California Consumer Privacy Act (CCPA) gives consumers many rights, such as the right to know if their personal data is being collected and whether or not that data is sold. It also allows consumers to access their personal data. 

On January 1, 2020, California will enact SB-327 Bill for IoT Security, making it the first state to pass a law concerning IoT. The bill requires that internet-connected devices be equipped with “reasonable” security features. This piece of legislation is particularly powerful because vendors selling devices in other states as well as California must comply. 

Questions to ask your legal team: 

  • How should we be thinking about varying state laws when building security measures?
  • Are we operating in any states that may have stricter cybersecurity laws than others?
  • If one state has more stringent laws, what does that mean for our operations in other states? 

International law 

In 2018, the European Union (EU) implemented GDPR, which applies not only to EU businesses, but to any businesses that provide services to individuals in the EU or monitor the behavior of EU individuals. GDPR is a sweeping regulation intended to give individuals more control over their personal information. Businesses can be hit with heavy fines for non-compliance. 

Questions to ask your legal team: 

  • What aspects of GDPR affect our company’s security measures? 
  • If we were to collect personal information from individuals, how should we notify them – or do we need to obtain their consent before doing so?
  • Should we minimize the amount of data we process in order to comply? 

It’s a two-way street

For both parties to work cohesively, security teams need to work with the legal team to understand different laws that may impact a security policy. On the other hand, legal teams need to learn from the security teams how data is collected and used, and what technologies are being implemented. The legal team should understand not only how an organization uses its data, but how that data transfers throughout the organization. By understanding how data is used and transferred within an organization, the legal team is better equipped to understand the specific laws and regulations that apply in specific scenarios. 

When security and legal work together to take an interdisciplinary approach to cybersecurity measures, an organization is better poised to manage cyber risk in the modern era. 

Disclaimer: This post does not seek to give legal advice nor delve into the finer points of data protection legislation. Due to the complex nature of information security law, it is critical that legal and security teams work together to understand which laws apply to them and ensure they are engaging in industry best practices. The laws and regulations discussed above provide a critical groundwork on which cybersecurity practitioners can build in order to create compliant security plans and understand their legal risk. 
