Did the COVID-19 pandemic cause a cyber pandemic by exposing the vulnerabilities of organizations forced to work remotely? In this article we examine cybersecurity incidents that occurred in four high-profile organizations in 2020 in order to: (1) highlight relevant cybersecurity, privacy, and data breach legislation and regulations; (2) demonstrate that all industries and organizations can be victims of cybercrimes; (3) discuss the diversity of cyberattacks; (4) compare the organizations' responses and mitigation efforts; and last but not least (5) provide practical tips to avoid loss. We begin by highlighting the major data privacy and cybersecurity regulations that could be triggered by cyberattacks.

Navigating the Maze: The Legislative and Regulatory Angle

What cybersecurity, privacy, and data breach notification laws and regulations could be implicated in a cyberattack? It depends.

Many federal cybersecurity laws apply to industry-specific businesses. The Health Insurance Portability and Accountability Act (HIPAA), for example, applies to healthcare organizations, while the Gramm-Leach-Bliley Act (GLBA) applies to financial organizations. These industry-specific businesses also need to follow the cybersecurity guidance of industry-specific federal regulators and other regulatory organizations, such as—in the case of financial organizations—the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) and the National Futures Association (NFA). There are more recent federal cybersecurity laws, such as the Cybersecurity Enhancement Act of 2014 and the Cybersecurity Act of 2015 (that includes the Cybersecurity Information Sharing Act (CISA)), and federal laws that are not specifically focused on cybersecurity but have cybersecurity provisions.