A Legal Guide to PRIVACY AND DATA SECURITY 2026

framework. Additionally, the proposed NIST Cybersecurity Framework Assessment and Auditing Act, which passed out of the House Science Committee in March but has not yet reached the House floor, would task NIST with verifying that agencies have proper cyber protections in place and reporting on those agencies that do not. In the meantime, it is clearly worth considering the NIST Framework when adopting any extensive data security program, since some insurance companies may view it as a prerequisite to coverage. Following the standards described in the NIST Framework might also serve as a defense against any FTC charge of inadequate data security.

Other Cybersecurity Standards. In addition to the NIST Framework, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have issued cybersecurity standards. These standards enable organizations to practice safe security techniques and minimize successful cybersecurity attacks. They provide general outlines as well as specific techniques for implementing cybersecurity. In some cases, obtaining certification under one of these standards might be a prerequisite to obtaining cybersecurity insurance. As noted above, it can also help defend against any FTC investigation and assertion of lax data security by a business.

Federal Law and Proposed Legislation

Congress has considered data privacy and security legislation that would have significant implications for U.S. businesses, their online and internet-connected products and services, and their relations with the federal government.

IoT Device Security

The Internet of Things (IoT) Cybersecurity Improvement Act of 2020 was passed and signed into law on December 4, 2020. The Act requires the National Institute of Standards and Technology (NIST) to develop and publish (1) minimum security standards and
