<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Corporate Compliance and Oversight

Cybersecurity Regulations Impacted by COVID-19


As the landscape rapidly shifts in the wake of the COVID-19 pandemic, information security teams are being faced with shoring up security in the face of a majority virtual workforce and increased attacks, on top of their day-to-day responsibilities of managing risk and meeting compliance.

2020 was slated to be a benchmarking year for many industries in terms of cybersecurity compliance - we saw the first version of the Cybersecurity Maturity Model Certification released by the Department of Defense for defense contractors, new regulations emerge from the New York Department of Financial Services, and the much-anticipated California Consumer Privacy Act was set to go into effect. Now, with security teams being pulled in many directions they are being faced with hardening security as well as meeting these standards - or are they?

Cybersecurity Regulations Impacted by COVID-19

In this difficult time, we started examining which compliance requirements are being adjusted in 2020 to allow organizations to get a handle on the impacts of the novel coronavirus. We’ve created a page dedicated to tracking compliance requirements and impacts of COVID-19. Below are some of our findings - subscribe here to get updates on the regulatory impacts of COVID-19 for infosec teams.

HIPAA Security Rule: Enforcement relaxed

The HIPAA security rule is not new to the healthcare industry. However, in the face of the COVID-19 crisis, it is the healthcare systems and hospitals that are under the most strain. As a result, the United States' Department of Health and Human Services has announced that they are relaxing the enforcement of the security rules for the foreseeable future.

The relaxed enforcement focuses specifically on telehealth as it relates to using potentially less secure video conferencing tools to communicate with potentially infected patients.

The waiver only applies...

  • In the emergency area identified in the public health emergency declaration,
  • To hospitals that have instituted a disaster protocol,
  • For up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

CCPA: Proceeding on schedule (contested)

Following the European Union's General Data Protection Regulation (GDPR), and falling in line with the privacy laws of Massachusetts, Vermont, Ohio and many others, California's controversial new privacy law presents the opportunity for businesses to level-up on privacy best practices. And for those CISOs and IT leaders who help manage their business's security risk and privacy activities, there is some work to be done.

On June 28, 2019, the California Governor signed into law the California Consumer Privacy Act, and enforcement of the CCPA began January 1st, 2020.

As of March 26, the California Consumer Privacy Act is still on track for enforcement starting in July. However, a group of over 60 businesses have submitted a letter to the California Attorney General asking for an extension given the extraordinary circumstances. The California Attorney General responded, saying that at this time the regulation would be proceeding on schedule for the July enforcement date.

CMMC: Proceeding on schedule

The Department of Defense's Cybersecurity Maturity Model Certification represents the next step toward securing the United States' defense industrial base and is slated to begin appearing in RFI's in the second half of 2020.

The CMMC has been developed in partnership with academia (Johns Hopkins and Carnegie Mellon) and industry leaders in the form of a listening tour and draws from a library of standards and frameworks, including NIST SP 800-171 and the NIST Cybersecurity Framework.

Working Through This Together

As we move through this together as a community, we will stay on top of these and any new updates that emerge for new and existing compliance requirements as a result of COVID-19. In this difficult time, we must unite to protect our organizations and ensure we know where to focus efforts. We will be keeping our Cybersecurity Compliance Standards Impacted by COVID-19 Resources page up to date - see the full list of regulations impacted by COVID-19 here.

You may also like

Compliance and Regulations for ...
on January 9, 2023

Compliance for many cybersecurity programs has been the cornerstone and the catalyst for why many programs exist in the first place. Since the rise of the information technology ...

Cyber Risk Quantification: Metrics ...
on January 6, 2023

Risk management is the new foundation for an information security program. Risk management, coupled with necessary compliance activities to support ongoing business operations, ...

Padraic O'Reilly
Cybersecurity Maturity Models You ...
on December 30, 2022

Cybercrime has forced businesses worldwide into paying billions of dollars yearly. As more of the population becomes dependent on technology, the fear of cyber attacks continues ...

Top 10 Risks in Cyber Security
on December 23, 2022

Increasing cyber security threats continue creating problems for companies and organizations, obliging them to defend their systems against cyber threats. According to research ...

Governance and Process Automation
on December 21, 2022

Any enterprise operating at scale understands the need for standardization and strong corporate governance. Having served Fortune 50 companies for decades, I have seen the ...

Jerry Layden
Introducing Crosswalking Templates
on December 19, 2022

Crosswalking can be a handy tool to view control performance for a single asset/system against multiple frameworks. One can complete an assessment using one framework by ...