Skip to content


Risk and Compliance

The majority of mid-market businesses are under the mistaken belief that, unlike the big corporations, they need not worry about cybersecurity. The statistics, however, show that small and medium businesses are the primary targets for cyber attacks, making up 43 percent of all attacks versus all other entity types.

Not only are cyber attacks a real threat but there are federal, state, and even international regulations that require certain cybersecurity protocols be followed. Whether you like it or not, your company may be subject to cyber compliance laws and ignoring these requirements may cause you to face legal consequences if your company faces a data breach. There is also compliance by industry, changing the cybersecurity landscape to protect consumers, employees, and even government data.


Business Compliance Across All Markets

Industry Based Compliance

There are a handful of federal regulations concerning cybersecurity that every company should be aware of. As major breaches start to appear regularly in the news cycle, however, the federal government is keen to add cybersecurity laws to address the changes in the cyber landscape.

Cybersecurity Maturity Model Certification 2.0 (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a certification handled by the Cybersecurity Accreditation Board (Cyber-AB). They work directly with the Department of Defense (DoD) to accredit organizations. The goal of CMMC is to protect sensitive data created or possessed by the government or another organization on the government’s behalf.

This data is referred to as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This applies to any defense contractors or other vendors who work with or wish to do work with the DoD.

Non-Compliance with these regulations can result in the immediate disqualification of request for proposals (RFPs).

Some of the regulations are as follows:

  • Vulnerability Assessments
  • Penetration Testing
  • Network Monitoring
  • Employee Training
  • Cybersecurity Risk Assessments
  • Incident Response Planning
  • Policy documentation
  • Implementation of Security Controls

At Alliant Cybersecurity, we are a Registered Provider Organization (RPO), certified to assist businesses in CMMC 2.0 compliance readiness.

Level 1: 17 Controls

Annual Self-Assessments

Level 2: 110 Controls

Triannual Third-Party Assessments

Level 3: 110+ Controls

Triannual Government Assessments

Want to Get Ahead on CMMC 2.0 Compliance?

Consider the Joint Surveillance Voluntary Assessment (JSVA) to be proactive in your compliance. The JSVA is a concurrent assessment based upon the NIST 800-171 framework, performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and CMMC Third-Party Assessor Organizations (C3PAOs). Some of the benefits of the JSVA include:

Proactively Mitigate Your Cyber Risk and Comply with the Upcoming Regulations

Gain a Competitive Advantage

Automatically Level 2 Certified for 3 Years Upon the Certification's Official Mandate

Health Insurance Probability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is known for the establishment of rules for protecting the privacy of patient health information. HIPAA also has a security component specifically designed to protect the creation, use, transfer, and maintenance of electronic personal health information.

The HIPAA Security Rule establishes several safeguards to protect the confidentiality of electronic personal health records. The general requirements are the following:

  • Ensure confidentiality of all electronically protected health information created, received, maintained, or transmitted
  • Protect against any reasonably anticipated threat or hazard to the security or integrity of such information
  • Protect against any reasonably anticipated uses or disclosures of such information that is not permitted
  • Ensure compliance among covered entity’s workforce

Covered entities include health plan providers, health care clearinghouses, and health care providers such as doctors, dentists, pharmacists, etc. Business associates that are working with covered entities also must abide by HIPAA. For instance CPA’s or lawyers who receive protected health information may be subject to the HIPAA security rule.

While HIPAA allows for some leeway in how companies ensure security, there are specific administrative standards and requirements entities must follow.

First, covered entities must conduct a risk analysis to assess potential risks and vulnerabilities to their network that could be exploited to expose protected health information. They are also required to implement security measures that sufficient reduce the risks and vulnerabilities.

The HIPAA security rule also addresses the fact that a large majority of cyber attacks come via social engineering. The “Sanction Policy” addresses this by requiring that there be appropriate sanctions against employees who fail to comply with the security policies of covered entities.

Finally, organizations bound by HIPAA must implement procedures to regularly review network security.

Data Privacy and Protection Regulations

People care about privacy. Your employees, clients, and business partners have a right to understand what information you may have collected on them over the course of your business relationship. This includes simple pieces of information like names, email addresses, and phone numbers, as well as personally identifiable information (PII) such as social security numbers, financial records and more. Failure to disclose a privacy policy can have serious penalties.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) enhances privacy rights and consumer protection for residents of California. CCPA Enforcement began on January 1, 2023.

The intentions of the act are to provide California residents with the right to:

    • Update privacy policies with newly required information
    • Designate methods for submitting data access requests
    • Avoid requesting opt-in consent for 12 months after a California resident opts out
    • “Right to say no to sale of personal information” link on the organization’s website
    • Implement processes to obtain consent from parents or guardians of minors under the age of 13 and the affirmative consent of minors between 13 and 16 years for data sharing purposes

The CCPA will impact any business that satisfies at least one of the following thresholds:

    • Annual gross revenue over $25 million
    • Possesses the personal information of 50,000 or more consumers, households, or devices
    • Earns more than half of its annual revenue from selling consumers’ personal data

Penalties for Non-Compliance:

    • Civil cause of action of $100 to $750 per California resident and incident, or actual damages, whichever is greater
    • A fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) enhances privacy rights and consumer protection for residents of Colorado. CPA Enforcement begins on July 1, 2023.

The intentions of the act are to provide Colorado residents with the right to:

    • Confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data
    • Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data
    • Delete personal data concerning the consumer
    • Obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance
    • Opt-out of the processing of personal data concerning the consumer for purposes of
        • Targeted advertising;
        • The sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer
    • Appeal a business’ denial to take action within a reasonable time period

The CPA will impact any business that satisfies at least one of the following thresholds:

    • Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and

      • controls or processes the personal data of at least 100,000 consumers or more during a calendar year; or
      • derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more

Penalties for Non-Compliance:

    • A fine of up to $20,000 per violation

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) enhances privacy rights and consumer protection for residents of Virginia. VCDPA Enforcement began on January 1, 2023.

The intentions of the act are to provide Virginia residents with the right to:

    • Know, access and confirm personal data
    • Delete personal data
    • Correct inaccuracies in personal data
    • Data portability (i.e., easy, portable access to all pieces of personal data held by a company)
    • Opt-out of the processing of personal data for targeted advertising purposes
    • Opt-out of the sale of personal data
    • Opt-out of profiling based upon personal data
    • Not be discriminated against for exercising any of the foregoing rights

The VCDPA will impact any business that satisfies at least one of the following thresholds:

    • Conduct business in Virginia or market their goods and services to Virginia residents; and either:
        • Control or process the personal data of at least 100,000 Virginia residents; or
        • Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data

Penalties for Non-Compliance:

    • A civil penalty of up to $7,500 per violation

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, established security requirements for financial institutions. Financial institutions includes the following:

    • Tax return preparers
    • Debt collectors
    • Banks
    • Real estate settlement services providers and appraisers
    • Loan brokers
    • Certain financial or investment advisers

GLBA established mandatory regulations to protect the personal data of consumers. This includes creating a policy to protect nonpublic personal information and personally identifiable information. There are three components that GLBA codifies in furtherance of this end.

    • Financial Privacy Rule: This rule requires that when a consumer establishes a relationship with a financial institution that the institution provide notice explaining the information collected on the consumer, who the information is shared with, how the information is used, and what protections are in place for the information.
    • Safeguards Rule: This requires a written information security plan that selects at least one employee to manage safeguards; describes a risk analysis plan for each department that handles sensitive data; develop, monitor, and test the information security system and; Update safeguards as needed.
    • Pretexting Protection: This rule requires financial institutions to create safeguards to prevent social engineering attacks such as phishing attacks. This may come in the form of training employees to know how to spot and avoid phishing attacks.

General Data Protection Regulation (GDPR)

The term ‘world wide web’ has never been truer. Everything we do online has a connection to another part of the world but there are few data protection regulations that reach across borders. The most significant of international data protection laws is the General Data Protection Regulation (GDPR) of the European Union. 

The GDPR not only subjects entities in the EU to its rules but also subjects entities that are using or processing the personal information of EU citizens. This means a company in America that has data of a citizen in the EU potentially would have to comply with the GDPR or face a significant fine.

Personal data that is protected by the GDPR includes any personal identifier such as:

    • Name
    • Location Data
    • Online alias/persona
    • Identification Number
    • Physical, physiological, genetic, economic, or cultural identifiers

The GDPR gives EU citizens more control over this type of data. Companies processing and controlling this data are required to design and implement safeguards to keep personal information safe which includes things such as pseudonymization and encryption. EU citizens must also be notified of why their data is being processed and they have discretion to revoke their consent at any time.

Alliant Cybersecurity Advantage

Alliant Cybersecurity will publish an initial report with our findings on: Why, Who, what, where, when, and how this attack happened. Our team will also assist you with:

  • Selecting tools to secure and strengthen your infrastructure
  • Assist in mediating with law enforcement agencies and insurance providers
  • Training for your workforce to avoid future attacks

Get the Alliant advantage today! Contact us for general consultation or reach out to us on our hotline number for a cyber-emergency.