Data security and cybersecurity laws and regulations in the United States are fast-moving and ever-changing. Cybersecurity governance is drawing growing attention, and companies increasingly need to evaluate their security and information-governance practices against emerging requirements that mandate periodic risk assessments. These requirements will compel organizations to take a hard look at how they manage and protect information. Failure to comply with an assessment requirement can also sharpen regulatory and litigation scrutiny of a company should it later suffer a data breach. It is therefore imperative that companies understand the emerging laws and regulations to which they may be held accountable and proactively modify their practices to manage that risk.

Risk Assessments as a Best Practice

National and international standards bodies, such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), have historically recommended conducting risk assessments as a best practice for validating that appropriate security safeguards are in place. A risk assessment helps a company manage its risk by identifying and prioritizing risks to its operations, assets, information, and systems. NIST states that the purpose of a risk assessment is to identify threats, vulnerabilities, the impact of a threat exploiting a vulnerability, and the likelihood of that harm occurring. See NIST Special Publication 800-30, Rev. 1, ch. 1 (Sept. 2012).