<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Corporate Compliance and Oversight

Cybersecurity Regulations Impacted by COVID-19


As the landscape rapidly shifts in the wake of the COVID-19 pandemic, information security teams are being faced with shoring up security in the face of a majority virtual workforce and increased attacks, on top of their day-to-day responsibilities of managing risk and meeting compliance.

2020 was slated to be a benchmarking year for many industries in terms of cybersecurity compliance - we saw the first version of the Cybersecurity Maturity Model Certification released by the Department of Defense for defense contractors, new regulations emerge from the New York Department of Financial Services, and the much-anticipated California Consumer Privacy Act was set to go into effect. Now, with security teams being pulled in many directions they are being faced with hardening security as well as meeting these standards - or are they?

Cybersecurity Regulations Impacted by COVID-19

In this difficult time, we started examining which compliance requirements are being adjusted in 2020 to allow organizations to get a handle on the impacts of the novel coronavirus. We’ve created a page dedicated to tracking compliance requirements and impacts of COVID-19. Below are some of our findings - subscribe here to get updates on the regulatory impacts of COVID-19 for infosec teams.

HIPAA Security Rule: Enforcement relaxed

The HIPAA security rule is not new to the healthcare industry. However, in the face of the COVID-19 crisis, it is the healthcare systems and hospitals that are under the most strain. As a result, the United States' Department of Health and Human Services has announced that they are relaxing the enforcement of the security rules for the foreseeable future.

The relaxed enforcement focuses specifically on telehealth as it relates to using potentially less secure video conferencing tools to communicate with potentially infected patients.

The waiver only applies...

  • In the emergency area identified in the public health emergency declaration,
  • To hospitals that have instituted a disaster protocol,
  • For up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

CCPA: Proceeding on schedule (contested)

Following the European Union's General Data Protection Regulation (GDPR), and falling in line with the privacy laws of Massachusetts, Vermont, Ohio and many others, California's controversial new privacy law presents the opportunity for businesses to level-up on privacy best practices. And for those CISOs and IT leaders who help manage their business's security risk and privacy activities, there is some work to be done.

On June 28, 2019, the California Governor signed into law the California Consumer Privacy Act, and enforcement of the CCPA began January 1st, 2020.

As of March 26, the California Consumer Privacy Act is still on track for enforcement starting in July. However, a group of over 60 businesses have submitted a letter to the California Attorney General asking for an extension given the extraordinary circumstances. The California Attorney General responded, saying that at this time the regulation would be proceeding on schedule for the July enforcement date.

CMMC: Proceeding on schedule

The Department of Defense's Cybersecurity Maturity Model Certification represents the next step toward securing the United States' defense industrial base and is slated to begin appearing in RFI's in the second half of 2020.

The CMMC has been developed in partnership with academia (Johns Hopkins and Carnegie Mellon) and industry leaders in the form of a listening tour and draws from a library of standards and frameworks, including NIST SP 800-171 and the NIST Cybersecurity Framework.

Working Through This Together

As we move through this together as a community, we will stay on top of these and any new updates that emerge for new and existing compliance requirements as a result of COVID-19. In this difficult time, we must unite to protect our organizations and ensure we know where to focus efforts. We will be keeping our Cybersecurity Compliance Standards Impacted by COVID-19 Resources page up to date - see the full list of regulations impacted by COVID-19 here.

You may also like

October Product Update
on October 3, 2022

Hey, Jimmy - is it really always 5 o’clock somewhere? If not, it should be! With this release, we’re focusing on empowering our customers to work smarter, not harder. Whether ...

How Does FAIR Fit into ...
on September 26, 2022

The Factor Analysis of Information Risk (FAIR) methodology breaks down risk into elements that organizations can compute, understand, analyze and quantify cyber threats and their ...

All-in-One Cybersecurity Board ...
on September 19, 2022

CISOs and Board Members can no longer ignore the importance of cybersecurity. New cyber attacks and threats surface every week and threaten the security of business operations. ...

Rules for Effective Cyber Risk ...
on September 12, 2022

Cybersecurity threats are becoming more challenging for businesses. According to PurpleSec’s Cyber Security Trend Report in 2021, cybercrime surged by 600% during the pandemic, ...

A Pocket Guide to Factor Analysis ...
on September 14, 2022

FAIR, short for Factor Analysis of Information Risk, is a risk quantification methodology founded to help businesses evaluate information risks. FAIR is the only international ...

Your Guide to Cyber Risk ...
on August 30, 2022

During the pandemic, online businesses flourished as people turned to e-commerce stores to shop from the comfort and safety of their homes. This unprecedented expansion of ...