<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Corporate Compliance and Oversight

Cybersecurity Regulations Impacted by COVID-19


As the landscape rapidly shifts in the wake of the COVID-19 pandemic, information security teams are being faced with shoring up security in the face of a majority virtual workforce and increased attacks, on top of their day-to-day responsibilities of managing risk and meeting compliance.

2020 was slated to be a benchmarking year for many industries in terms of cybersecurity compliance - we saw the first version of the Cybersecurity Maturity Model Certification released by the Department of Defense for defense contractors, new regulations emerge from the New York Department of Financial Services, and the much-anticipated California Consumer Privacy Act was set to go into effect. Now, with security teams being pulled in many directions they are being faced with hardening security as well as meeting these standards - or are they?

Cybersecurity Regulations Impacted by COVID-19

In this difficult time, we started examining which compliance requirements are being adjusted in 2020 to allow organizations to get a handle on the impacts of the novel coronavirus. We’ve created a page dedicated to tracking compliance requirements and impacts of COVID-19. Below are some of our findings - subscribe here to get updates on the regulatory impacts of COVID-19 for infosec teams.

HIPAA Security Rule: Enforcement relaxed

The HIPAA security rule is not new to the healthcare industry. However, in the face of the COVID-19 crisis, it is the healthcare systems and hospitals that are under the most strain. As a result, the United States' Department of Health and Human Services has announced that they are relaxing the enforcement of the security rules for the foreseeable future.

The relaxed enforcement focuses specifically on telehealth as it relates to using potentially less secure video conferencing tools to communicate with potentially infected patients.

The waiver only applies...

  • In the emergency area identified in the public health emergency declaration,
  • To hospitals that have instituted a disaster protocol,
  • For up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

CCPA: Proceeding on schedule (contested)

Following the European Union's General Data Protection Regulation (GDPR), and falling in line with the privacy laws of Massachusetts, Vermont, Ohio and many others, California's controversial new privacy law presents the opportunity for businesses to level-up on privacy best practices. And for those CISOs and IT leaders who help manage their business's security risk and privacy activities, there is some work to be done.

On June 28, 2019, the California Governor signed into law the California Consumer Privacy Act, and enforcement of the CCPA began January 1st, 2020.

As of March 26, the California Consumer Privacy Act is still on track for enforcement starting in July. However, a group of over 60 businesses have submitted a letter to the California Attorney General asking for an extension given the extraordinary circumstances. The California Attorney General responded, saying that at this time the regulation would be proceeding on schedule for the July enforcement date.

CMMC: Proceeding on schedule

The Department of Defense's Cybersecurity Maturity Model Certification represents the next step toward securing the United States' defense industrial base and is slated to begin appearing in RFI's in the second half of 2020.

The CMMC has been developed in partnership with academia (Johns Hopkins and Carnegie Mellon) and industry leaders in the form of a listening tour and draws from a library of standards and frameworks, including NIST SP 800-171 and the NIST Cybersecurity Framework.

Working Through This Together

As we move through this together as a community, we will stay on top of these and any new updates that emerge for new and existing compliance requirements as a result of COVID-19. In this difficult time, we must unite to protect our organizations and ensure we know where to focus efforts. We will be keeping our Cybersecurity Compliance Standards Impacted by COVID-19 Resources page up to date - see the full list of regulations impacted by COVID-19 here.

You may also like

April Product Update
on May 3, 2022

Teamwork makes the dream work! Teamwork makes the dream work - an annoyingly accurate cliche we’ve repeatedly heard over the years from sports fields to corporate offices. It’s a ...

Watch The CyberStrong Platform ...
on April 27, 2022

With cyber-attacks on businesses at an all-time high, it’s more crucial than ever to keep an eye out for potential cyber risks. These risks pose an even bigger threat when ...

Alison Furneaux
January / February Product Update
on March 7, 2022

New year, new features! Each year brings a new list of new year’s resolutions - you know, that list of fake promises you make to yourself, like giving up chocolate, exercising ...

Kyndall Elliott
The Complete Guide to Your ...
on March 4, 2022

The incident response framework by the National Institute of Standards and Technology (NIST) is an impactful beginning for organizations looking to optimize their incident plan ...

Kyndall Elliott
All You Need to Know About NIST ...
on March 3, 2022

Businesses depend on protecting confidential information to establish a reputation of dependability in the market and build trusting relationships with their customers and ...

How Cyber and IT Risk ...
on March 10, 2022

Cybercrime has reached new heights over the last five years, especially during the COVID-19 pandemic. This is made evident by the costly security breaches in big corporations that ...