
Cybersecurity Regulations Impacted by COVID-19


As the landscape rapidly shifts in the wake of the COVID-19 pandemic, information security teams must shore up security for a largely remote workforce and against increased attacks, on top of their day-to-day responsibilities of managing risk and meeting compliance requirements.

2020 was slated to be a benchmarking year for many industries in terms of cybersecurity compliance - we saw the first version of the Cybersecurity Maturity Model Certification released by the Department of Defense for defense contractors, new regulations emerge from the New York Department of Financial Services, and the much-anticipated California Consumer Privacy Act was set to go into effect. Now, with security teams being pulled in many directions, they face hardening security as well as meeting these standards - or do they?

In this difficult time, we started examining which compliance requirements are being adjusted in 2020 to allow organizations to get a handle on the impacts of the novel coronavirus. We've created a page dedicated to tracking compliance requirements and the impacts of COVID-19. Below are some of our findings - subscribe here to get updates on the regulatory impacts of COVID-19 for infosec teams.

HIPAA Security Rule: Enforcement relaxed

The HIPAA Security Rule is not new to the healthcare industry. However, in the face of the COVID-19 crisis, it is healthcare systems and hospitals that are under the most strain. As a result, the United States Department of Health and Human Services has announced that it is relaxing enforcement of the Security Rule for the foreseeable future.

The relaxed enforcement focuses specifically on telehealth, as it relates to using potentially less secure video conferencing tools to communicate with potentially infected patients.

The waiver only applies:

  • In the emergency area identified in the public health emergency declaration,
  • To hospitals that have instituted a disaster protocol,
  • For up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

CCPA: Proceeding on schedule (contested)

Following the European Union's General Data Protection Regulation (GDPR), and falling in line with the privacy laws of Massachusetts, Vermont, Ohio and many others, California's controversial new privacy law presents the opportunity for businesses to level-up on privacy best practices. And for those CISOs and IT leaders who help manage their business's security risk and privacy activities, there is some work to be done.

On June 28, 2019, the California Governor signed into law the California Consumer Privacy Act, and enforcement of the CCPA began January 1st, 2020.

As of March 26, the California Consumer Privacy Act is still on track for enforcement starting in July. However, a group of over 60 businesses has submitted a letter to the California Attorney General asking for an extension given the extraordinary circumstances. The California Attorney General responded that, at this time, the regulation would be proceeding on schedule for the July enforcement date.

CMMC: Proceeding on schedule

The Department of Defense's Cybersecurity Maturity Model Certification represents the next step toward securing the United States' defense industrial base and is slated to begin appearing in RFIs in the second half of 2020.

The CMMC was developed in partnership with academia (Johns Hopkins and Carnegie Mellon) and industry leaders through a listening tour, and it draws from a library of standards and frameworks, including NIST SP 800-171 and the NIST Cybersecurity Framework.

Working Through This Together

As we move through this together as a community, we will stay on top of these and any new updates that emerge for new and existing compliance requirements as a result of COVID-19. In this difficult time, we must unite to protect our organizations and ensure we know where to focus our efforts. We will be keeping our Cybersecurity Compliance Standards Impacted by COVID-19 Resources page up to date - see the full list of regulations impacted by COVID-19 here.
