21 November 2025
Knowledge
ISO 27001
Unlike the European Union, the US has no single federal law regulating cybersecurity and privacy.
Several states have their own cybersecurity and data breach notification laws.
This poses a considerable challenge for organizations conducting business across all 50 states and worldwide
This page summarizes the compliance requirements for US cybersecurity laws and federal cybersecurity laws.
Sarbanes-Oxley
The Sarbanes-Oxley (SOX) requires organizations to prove their cybersecurity credentials.
Applicability:
SOX applies only to public companies. Generally, a public company is listed on a public stock exchange.
The purpose of the legislation and regulations is to make sure these companies produce accurate financial statements from public companies.
Penalties and enforcement:
SOX has very tough penalties. Unlike many other cybersecurity or privacy statutes, SOX has criminal penalties.
In theory, a CEO or CFO can be liable for maximum fines of $1 million and 10 years imprisonment for false certification and $5 million and 20 years for a willfully false filing.
SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information
SEC rule 30, part of Regulation S-P (17 CFR 248.30), is an information security regulation requiring appropriate cybersecurity measures.
Applicability:
SEC rule 30 applies to US and foreign brokers, dealers, investment companies, and investment advisers registered with the SEC.
These organizations could also be subject to the New York Department of Financial Services (NYDFS) cybersecurity regulations. Under SEC rule 30, organizations must adopt written policies to safeguard customer records and protect against unauthorized access.
Penalties and enforcement:
Civil fines for violating this regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by an SEC action or by the Financial Industry Regulatory Authority (FINRA). FINRA is a private corporation that acts as a self-regulatory organization for the financial industry. It has the contractual power to fine its members.
GLBA: Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is both an information security and a privacy law.
Applicability:
The law applies to financial institutions, but the definition is very broad and includes banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.
There is a Security Rule and a Privacy Rule. The Security Rule (16 CFR Part 314) requires organizations to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” (15 USC §6801 (a))
Penalties and enforcement:
Penalties for violation could exceed $1 million. There is also the possibility of termination of FDIC insurance, which could mean the end of the business for a financial firm.
To comply with the GLBA:
The law also institutes a Privacy Rule. The Privacy Rule (12 CFR 1016) requires financial institutions to undertake certain activities to protect consumer rights.
Enforcement of the GLBA depends on the type of financial institution that is being regulated and on what is being regulated: the Security Rule or the Privacy Rule. For the former, banks are regulated by federal banking regulators including Federal Reserve, Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and National Credit Union Administration (NCUA).
FTC: Federal Trade Commission Act §5
FTC Act Section 5 is an information security regulation (which requires appropriate cybersecurity measures) and a privacy law.
Applicability:
The law applies to almost every organization in the US, except for banks and common carriers.
Penalties and enforcement:
The FTC is not shy about imposing civil liabilities, which have even reached $5 billion in the recent case concerning Facebook. It might seem odd that a law passed in 1914 to prohibit unfair or deceptive acts is one of the major sources of cybersecurity and privacy law in the US.
Since its founding, the FTC has interpreted “unfair or deceptive& broadly, and this has, for the most part, been upheld by the US courts.
The FTC has alleged that companies acted deceptively by making material and false statements about their data security practices that misled consumers
It has claimed that companies acted unfairly when allegedly lax data security practices caused (or were likely to cause) sensitive consumer information to be stolen through security breaches.
The FTC relies on two authorities to enforce data security compliance: its statutory authority to police unfair and deceptive acts or practices under Section 5 of the FTC Act and its power to enforce its safeguards regulations promulgated under the GLBA.
How to comply:
The problem is that organizations must engage in all “reasonable and necessary” security practices, but these are generally undefined.
The FTC has established a regulation, the Safeguards Rule (16 CFR 314), for companies within its jurisdiction that have to comply with the GLBA. This rule is the same as the Security Rule (see above). It would be a good start to determine a company’s responsibilities under the Act.
HIPAA: Health Insurance Portability and Accountability Act
45 CFR Part 160, 45 CFR Part 164
HIPAA has security, privacy, and breach notification rules.
Applicability:
The law applies to health care providers, health plans, health care clearinghouses, and, in some instances, business associates of these businesses called covered entities.
As a result, the Act can cover organizations as diverse as health insurance companies and pharmaceutical companies. Unlike other laws, HIPAA has particular rules to determine compliance.
Penalties and enforcement:
Fines depend on the nature and extent of the violation and, the extent to which the organization has attempted to protect information.
The largest fine to date was more than $16 million. Penalties have been increasing dramatically recently. In 2018 the total number of penalties reached a record $28 million.
To comply with HIPAA:
The Privacy Rule requires that ePHI can only be used or disclosed in the following cases:
The Breach Notification Rule has specific requirements:
DFAR: Defense Federal Acquisition Regulation
DFAR is a cybersecurity regulation that applies to the US Department of Defense (DoD) contractors.
Applicability:
This regulation applies to US Department of Defense (DoD) contractors. It requires contractors and subcontractors that possess, store, or transmit “covered defense information” to provide adequate security to safeguard the covered defense information on unclassified information systems.
Penalties and enforcement:
Failure to comply may result in debarment.
How to comply:
Unlike many other cybersecurity laws, the Regulation mandates compliance with a specific cybersecurity standard: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
To comply with the DFAR:
COPPA: Children’s Online Privacy Protection Act
15 U.S. Code Chapter 91, 16 CFR Part 312
COPPA is a privacy and cybersecurity law.
Applicability:
COPPA applies to websites and online services that are directed at children under the age of 13. It also applies if the site operator has actual knowledge that children under the age of 13 are using a website.
The Act’s purpose is to regulate how these websites collect, use, and/or disclose personal information from and about children.
Penalties and enforcement:
The Act is enforced by the FTC. Fines have been increasing, with the largest penalty to date reaching $5.7 million.
To comply with the COPPA:
FDA: Regulations for the Use of Electronic Records in Clinical Investigations
The Food and Drug Administration (FDA) Regulations for the Use of Electronic Records in Clinical Investigations is a cybersecurity law.
Applicability:
It applies to organizations involved in clinical investigations of medical products, including sponsors, clinical investigators, institutional review boards (IRBs), and contract research organizations (CROs).
Most, if not all, of these people and organizations are also health care providers, so their operations would most likely fall under the HIPAA rules as well. The Regulations concern the IT systems of these organizations, including any electronic systems used to create, modify, maintain, archive, retrieve, or transmit records used in clinical investigations.
Penalties and enforcement:
The Regulations are enforced by the FDA, which will conduct investigations and audits. Since these records are to be used for validating the research by the FDA, the Regulations are geared more toward the integrity part of the confidentiality, integrity, availability triad.
How to comply:
The Regulations require the following:
CFTC: Commodity Futures Trading Commission Derivatives Clearing Organizations Regulation
17 CFR Part 39, Subpart B, 17 CFR 39.18 – System safeguards
Applicability:
The CFTC Regulation applies to derivatives clearing organizations. These entities act as a medium for clearing transactions in commodities for future delivery or commodity option transactions. There are about 27 worldwide. These markets are at the heart of the global financial system.
Penalties and enforcement:
SEC regulation S-ID is subject to the same penalty as S-P. Civil fines for violating this Regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by an SEC action or by FINRA.
If this is accurate, please apply the same edits from earlier regarding the increase in the penalty.
How to comply:
To protect themselves, derivatives clearing organizations must develop an extensive and robust information security program that includes the following:
ECPA and SCA: Electronic Communications Privacy Act and Stored Communications Act
18 U.S. Code Chapter 119 and 18 U.S. Code Chapter 121
The Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA), also known as the Wiretap Act, are privacy statutes.
Applicability:
Originally designed to limit warrantless surveillance, these acts forbid the intentional use, disclosure, or access to any wire, oral, or electronic communication without authorization.
Penalties and enforcement:
The acts provide criminal penalties that could be used to jail malicious hackers. They also provide a private right of action.
The SCA and ECPA authorize equitable relief, damages, punitive damages, attorney’s fees, and costs, so compliance with these statutes should be considered by all organizations, not just law enforcement agencies. There are business and intra-family exceptions, but these must be used cautiously.
Both statutes require intentional violation. But if the statutes are violated, and if the plaintiff or the plaintiff’s class can prove measurable damages, the liability could be substantial.
There are also state laws that go further. The ECPA requires one-party authorization. Ten states require both parties to consent.
A recent example of the potential impact of these laws is a lawsuit by a Lyft driver and his class, which are suing Uber for intentionally accessing information with Uber’s Hell software.
There are damages for the entire class and punitive damages that could easily be in the millions. This is far greater than any criminal or civil fine.
How to comply:
EU-US Privacy Shield
Applicability:
The Privacy Shield was developed to protect EU residents’ data held and processed by organizations in the US.
The protection of an individual’s data in the US does not come anywhere near what the EU considers adequate. The EU-US Privacy Shield was declared invalid by the European Court of Justice (ECJ) on July 16, 2020, following the decision in Schrems II.
Since an enormous quantity of data is exchanged between the US and the EU, the US government and EU commissioners came up with a method to circumvent the previous Data Protection Directive with a program called Safe Harbor.
The Safe Harbor agreement was overturned on October 6, 2015 by the European Court of Justice (ECJ), so the EU commissioners and US government had to act quickly to come up with an alternative that would meet the requirements of the EU’s General Data Protection Regulation (GDPR).
Penalties and enforcement:
Non-compliance with the GDPR can lead to fines of up to 4% of annual global revenue or €20 million – whichever is greater.
How to comply with the EU-US Privacy Shield:
To self-certify to the Privacy Shield, a company must undertake the following:
FPA: Privacy Act of 1974
Applicability:
The FPA applies only to agencies of the US Federal Government. It governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals maintained in systems of records by federal agencies.
It prohibits the disclosure of information from a system of records controlled by the federal agency without the subject’s written consent, unless the disclosure is permitted under one of 12 statutory exceptions. Until recently, it only applied to lawful residents of the US.
However, it was amended by the Judicial Redress Act, which allows citizens of ‘covered countries’ as determined by the Attorney General, with the agreement of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security, to sue in a federal court for willful disclosures of personally identifiable information by a federal agency.
According to the European Commission, “The EU-US Umbrella Agreement, entered into force on 1 February 2017. To finalize this agreement, the US Congress adopted a new law, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”
But since the FPA is limited to the US government, and since it does not preclude §702 of the FISA, it does not stop either the US National Security Agency (NSA) or private companies from obtaining, disclosing, or transferring personally identifiable information that is expressly prohibited by the GDPR.
Penalties and enforcement
Covered persons, including lawful residents of the US and citizens of certain foreign countries designated by the US Secretary of State, may sue in a US federal district court for actual damages or $1,000 (whichever is greater), attorney fees, and court costs. The court may also require the federal agency to amend or correct any information on file concerning the covered person.
How to comply:
All US federal agencies must:
Consumer Privacy Protection Act of 2017
The proposed Consumer Privacy Protection Act of 2017 has been designed to ensure the privacy and security of sensitive personal information, to prevent and mitigate identity theft, to provide notice of security breaches involving sensitive personal information, and to enhance law enforcement assistance and other protections against security breaches, fraudulent access, and misuse of personal information.
Applicability:
It will apply to organizations that collect, use, access, transmit, store, or dispose of sensitive personally identifiable information of 10,000 or more US citizens during any 12-month period.
Penalties and enforcement:
Civil penalty fines will not exceed $5 million unless the violation is found to be willful or intentional, in which an additional $5 million can be imposed.
Ready to simplify your security? Let’s get started.
Let us share our expertise and support you on your journey to cybersecurity best practices.
Cybersecurity for IT Support Self-Paced Online Training Course
Certified Cyber Security Foundation Self-Paced Online Training Course
Keep reading
Uncategorized
Test Gated Post
01 December 2025
·
Knowledge
What is Cyber Security? Definition and Best Practices
28 November 2025
·
Knowledge
UK Government Minimum Cyber Security Standard
28 November 2025
·
Knowledge
Transitioning to ISO 27001:2022 | GRC Solutions
28 November 2025
·
Knowledge
SWIFT CSCF Compliance | IT Governance Ltd
28 November 2025
·
Knowledge
Speak to a cyber security expert
28 November 2025
·
Knowledge
What is Social Engineering? Examples & Prevention Tips
28 November 2025
·
Knowledge
Securities and Exchange Commission Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
28 November 2025
·
Knowledge
The Sarbanes-Oxley Act | GRC Solutions
27 November 2025
·
Knowledge
What is Phishing? Attack Techniques & Prevention Tips
27 November 2025
·
Knowledge
NIST Cybersecurity Framework (CSF) | GRC Solutions
27 November 2025
·
Knowledge
Operators of Essential Services and the NIS Regulations
27 November 2025
·
Knowledge
Digital Service Providers and the NIS Regulations
26 November 2025
·
Knowledge
NIS Regulations: Cyber Assessment Framework
26 November 2025
·
Knowledge
The NIS Directive and NIS Regulations
26 November 2025
·
Knowledge
Management system integration
26 November 2025
·
Knowledge
ITSM (IT Service Management)
26 November 2025
·
Knowledge
GRC Solutions ITIL and ITSM books
26 November 2025
·
Knowledge
ITIL®
26 November 2025
·
Knowledge
IT Governance: definition & explanation
26 November 2025
·
Knowledge
ISO 27701
26 November 2025
·
Knowledge
ISO 27017 and ISO 27018 Cloud security | GRC Solutions
26 November 2025
·
Knowledge
ISO 27005
26 November 2025
·
Knowledge
ISO 27001 Risk Assessments
26 November 2025
·
Knowledge
FastTrack™ | ISO 27001 | GRC Solutions
26 November 2025
·
Knowledge
Typical ISO 27001 certification costs
26 November 2025
·
Knowledge
Key Benefits of ISO 27001 Certification
26 November 2025
·
Knowledge
ISO/IEC 27001:2022 and ISO/IEC 27002:2022
26 November 2025
·
Knowledge
iso27001 2022 transition training
26 November 2025
·
Knowledge
ISO27001
26 November 2025
·
Knowledge
iso27000 family
26 November 2025
·
Knowledge
ISO22301 business continuity standard
26 November 2025
·
Knowledge
ISO20000
21 November 2025
·
Knowledge
ISO9001 Quality Management Standards
21 November 2025
·
Knowledge
ISMS Benefits
21 November 2025
·
Knowledge
Infosec
21 November 2025
·
Knowledge
Implementing ISO27001
21 November 2025
·
Knowledge
GDPR and ISO 27001
21 November 2025
·
Knowledge
Gambling Commission Compliance
21 November 2025
·
Knowledge
EU Digital Operational Resilience Act
21 November 2025
·
Knowledge
EU Cybersecurity Act
21 November 2025
·
Knowledge
Email Security
21 November 2025
·
Knowledge
DFARS
21 November 2025
·
Knowledge
Data Classification Software
21 November 2025
·
Knowledge
Cyber Threats
21 November 2025
·
Knowledge
Cyber Security Standards
21 November 2025
·
Knowledge
Cyber Security Risk Management
21 November 2025
·
Knowledge
Cyber Security Risk Assessment
21 November 2025
·
Knowledge
Cyber Security Consultancy Services
21 November 2025
·
Knowledge
Cyber Resilience Framework
21 November 2025
·
Knowledge
Cyber Resilience
20 November 2025
·
Knowledge
Cyber Incident Response
20 November 2025
·
Knowledge
Cyber Crime
20 November 2025
·
Knowledge
Compliance
20 November 2025
·
Knowledge
Cloud Security
20 November 2025
·
Knowledge
Capability Maturity Model
20 November 2025
·
Knowledge
Business Resilience
20 November 2025
·
Knowledge
Benefits of ISO 22301
20 November 2025
·
Knowledge
BC DR
20 November 2025
·
Knowledge
Advanced Persistent Threats APT
20 November 2025
·
Knowledge
Accredited Certification
20 November 2025
·
Articles
SOC reporting
20 November 2025
·
Knowledge
The pecr and eu eprivacy directive
20 November 2025
·
Knowledge
GDPR privacy compliance framework and standards
20 November 2025
·
Knowledge
GDPR Data Mapping
20 November 2025
·
Knowledge
GDPRConsultancy
20 November 2025
·
Knowledge
GDPR Compliance with ISO 27001
20 November 2025
·
Knowledge
GDPR Anniversary
20 November 2025
·
Knowledge
ePrivacy Regulation EPR
20 November 2025
·
Knowledge
DPO as a Service
20 November 2025
·
Knowledge
DPA and GDPR penalties
20 November 2025
·
Knowledge
GDPR Gap Analysis
19 November 2025
·
Knowledge
DPA 2018 part 4 intelligence processing
19 November 2025
·
Knowledge
DPA 2018 part 3 law enforcement processing
19 November 2025
·
Knowledge
DPA 2018
19 November 2025
·
Knowledge
Data subject access requests
19 November 2025
·
Knowledge
Data Sovereignty and the Cloud
19 November 2025
·
Knowledge
Data protection officer dpo under the gdpr
19 November 2025
·
Knowledge
Data Protection dpa and eu data protection regulation
19 November 2025
·
Knowledge
Data Protection
19 November 2025
·
Knowledge
Data Privacy
19 November 2025
·
Knowledge
Data Governance
19 November 2025
·
Knowledge
Data Breaches
19 November 2025
·
Knowledge
Articles of the GDPR
19 November 2025
·
Knowledge
PCI DSS | What It Is and How to Comply
19 November 2025
·
Knowledge
Vulnerability testing for Cyber Essentials
19 November 2025
·
Knowledge
Cyber Essentials: Secure Configuration
19 November 2025
·
Knowledge
Cyber Essentials: Patch Management
19 November 2025
·
Knowledge
Cyber Essentials: Malware Protection
19 November 2025
·
Knowledge
ISO 27001 and the Cyber Essentials Scheme
19 November 2025
·
Knowledge
Defining the scope for Cyber Essentials certification
19 November 2025
·
Knowledge
The Cyber Essentials Scheme
19 November 2025
·
Knowledge
Cyber Essentials Repeat Testing and Assessment Fees
18 November 2025
·
Knowledge
The Cyber Essentials SAQ (Self-Assessment Questionnaire)
18 November 2025
·
Knowledge
Cyber Essentials for the MOD Supply Chain
18 November 2025
·
Knowledge
Cyber Essentials FAQs
18 November 2025
·
Knowledge
Cyber Essentials Benefits
18 November 2025
·
Knowledge
Cyber Essentials: Boundary Firewalls and Internet Gateways
18 November 2025
·
Case Study
Cyber Essentials Plus Case Study
18 November 2025
·
Knowledge
Cyber Essentials: User Access Control
18 November 2025
·
Knowledge
What is AI governance and why does it matter?
18 November 2025
·
Knowledge
ISO 42001: What it is and why it matters for AI management
18 November 2025
·
Knowledge
The EU AI Act: what it means for your organisation and how to comply
18 November 2025
·
White Papers
CISSP study planner
18 November 2025
·
Blog
IT Standards | GRC Solutions
18 November 2025
·
Blog
Become an GRC Solutions channel partner
18 November 2025
·
White Papers
Ethical Hacking Career Roadmap
17 November 2025
·
White Papers
Cyber Essentials – 2025 Scheme Changes: What You Need to Know
17 November 2025
·
Articles
Global Data Breaches and Cyber Attacks in October 2025 – At Least 21.2 Million Breached Records
14 November 2025
·
Articles
GRC Solutions Named Among the UK’s Top 20 Cyber Security Innovators
14 November 2025
·
Articles
Data Leakage Prevention and Data Deletion – ISO 27001 Controls 8.12 and 8.12 Explained
13 November 2025
·
Articles
Threat Intelligence – ISO 27001:2022 Control 5.7 Explained
06 November 2025
·
Articles
How DORA fits with ISO 27001, NIS2 and the GDPR
03 November 2025
·
Articles
CISM Exam Tips from a Consultant: Five Insider Insights to Help You Pass
03 November 2025
·
Articles
How To Comply with ISO 27001’s New Cloud Services Control
03 November 2025
·
Articles
What DORA Means for ICT Suppliers: MSPs, SaaS and Cloud in Scope
31 October 2025
·
Knowledge
Cyber Security Must Be a Board Priority – And It Starts With Cyber Essentials
28 October 2025
·
Articles
Top 5 Skills Every ISO 27001 Internal Auditor Needs
22 October 2025
·
Articles
AWS Outage: A Supply-Chain Security Lesson
21 October 2025
·
Articles
Global Encryption Day: Why Encryption Is a Core Requirement
21 October 2025
·
Articles
Why You Need Cyber Resilience and Defence in Depth
21 October 2025
·
Articles
ISO 27001:2022 Clause 6 – What’s Changed and What You Need to Do About It
21 October 2025
·
Articles
4 reasons to get CISMP qualified
20 October 2025
·
Articles
CISM vs CISSP: Which Certification is Right for You in 2025
17 October 2025
·
Articles
CISMP vs Security+: Which Certification is Right for You in 2025?
15 October 2025
·
Articles
ISO 27001 for Non-IT Roles: A Beginner’s Guide
15 October 2025
·
Articles
CRISC Salary & Career in the UK: What to Expect in 2025
10 October 2025
·
Articles
5 Practical Skills You’ll Gain from a GDPR Practitioner Course
10 October 2025
·
Articles
ISO 27001 Internal vs Lead Auditor Training Compared
10 October 2025
·
Articles
Global Data Breaches and Cyber Attacks in September 2025: Nearly 2 Million Records Exposed and Potentially 1.5 Billion More
08 October 2025
·
Articles
Is CISM Worth It? Salary, Career Value & Employer Demand in 2025
06 October 2025
·
Knowledge
5 Common GDPR Mistakes – and How Training can Fix Them
06 October 2025
·
Articles
5 Reasons ISO 27001 Implementations Fail (and How to Avoid Them)
03 October 2025
·
Articles
Our Experts’ Views on the Jaguar Land Rover Cyber Attack
01 October 2025
·
Knowledge
A Guide to the EU GDPR’s Requirements for an EU Representative
01 October 2025
·
Knowledge
Who Needs ISO 27001 Foundation Training?
01 October 2025
·
Knowledge
Human Error and Accidental Data Breaches: Lessons from Recent Cases
01 October 2025
·
Articles
How to Become a DPO (Data Protection Officer) in the UK
29 September 2025
·
Articles
How to Get Cyber Essentials Certified in 2025: Updated Steps and Key Changes
26 September 2025
·
Knowledge
GDPR Foundation vs Awareness Training: Which is Right for Your Team?
25 September 2025
·
Blog
The Data Protection Officer (DPO) Role – A beginner’s guide
25 September 2025
·
Articles
CISSP® Exam Myths: What Learners Get Wrong
22 September 2025
·
Articles
UK GDPR Representative Services: What You Need to Know
19 September 2025
·
Articles
How to Maintain ISO 27001 Certification: 7 Top Tips
16 September 2025
·
Articles
3 ISO 27001:2022 Controls That Help Secure Your Cloud Services
15 September 2025
·
Articles
How ISO 27001 Helps You Comply With DORA
15 September 2025
·
White Papers
Free White Paper: The EU AI Act and ISO 42001 – A Beginner’s Guide
13 September 2025
·
Knowledge
GDPR Data Protection Impact Assessments: The 7 Key Stages of the DPIA Process
10 September 2025
·
Articles
Global Data Breaches and Cyber Attacks in August 2025: over 17.3 million records exposed
08 September 2025
·
Knowledge
Cyber Essentials: The 5 Cost-Effective Security Controls Everyone Needs
19 August 2025
·
Articles
Nine Steps to SOC 2 Compliance – Including a SOC 2 Readiness Checklist
14 August 2025
·
Articles
Global Data Breaches and Cyber Attacks in July 2025: over 14.9 million records exposed
12 August 2025
·
Articles
Data Protection Enforcement: Your Cookie Compliance Questions Answered
08 August 2025
·
Knowledge
A Guide to TOMs (Technical and Organisational Measures) Under the GDPR
06 August 2025
·
Articles
What are the Different Types of Penetration Test?
05 August 2025
·
Knowledge
The Six Data Processing Principles of the UK GDPR Explained
01 August 2025
·
Articles
The 4 CRISC Domains Explained
28 July 2025
·
Articles
What Are ISO 27017 and ISO 27018, and What Are Their Controls?
23 July 2025
·
Articles
The 9 CISMP Domains Explained
21 July 2025
·
Articles
How One Weak Password Destroyed a 158-Year-Old Company
21 July 2025
·
Knowledge
Nine Steps to Conducting a GDPR Gap Analysis
18 July 2025
·
Knowledge
Are You Ready for Cyber Essentials?
18 July 2025
·
Knowledge
How to Write a GDPR Data Retention Policy – with template
16 July 2025
·
Articles
The 4 CISM Domains Explained
14 July 2025
·
Articles
Choosing the Right PCI DSS SAQ: A Practical Guide
11 July 2025
·
Articles
Information Security vs Cyber Security: The Difference
09 July 2025
·
Articles
The 5 CISA Domains Explained
07 July 2025
·
Articles
How ISO 42001 supports EU AI Act compliance
04 July 2025
·
Articles
Global Data Breaches and Cyber Attacks in June 2025: Over 16 billion records exposed
04 July 2025
·
Articles
7 Steps to a Successful ISO 27001 Risk Assessment (Updated for 2025)
02 July 2025
·
Knowledge
How to Write a GDPR Data Protection Policy (Updated for 2025)
01 July 2025
·
Articles
Building Your Cyber Security Career: The Credentials Needed for Management and Specialist Roles
30 June 2025
·
Knowledge
How to Respond to a DSAR (Data Subject Access Request)
30 June 2025
·
Knowledge
How to Write a GDPR Data Privacy Notice – Updated Guide and Template for 2025
24 June 2025
·
Knowledge
The Critical Role of a DPO: Why Outsourcing is the Smart Choice
20 June 2025
·
Knowledge
The Data (Use and Access) Act and How it Affects the UK GDPR and DPA 2018, and PECR
19 June 2025
·
Articles
Understanding the CIA Triad in 2025: A Cornerstone of Cyber Security
18 June 2025
·
Articles
Global Data Breaches and Cyber Attacks in May 2025 – More Than 1.4 Billion Records Breached
17 June 2025
·
Articles
Penetration Testing for SaaS Providers: Building Trust and Security
12 June 2025
·
Articles
How to Start Your Career in Data Protection and Privacy
10 June 2025
·
Knowledge
GDPR Documentation: The Documents You Need to Comply with the UK and EU GDPR
09 June 2025
·
Articles
How to FastTrack your ISO 27001 ISMS Implementation and Certification
05 June 2025
·
Articles
Author of the Month: Bridget Kenyon
04 June 2025
·
Articles
CCTV and the GDPR in 2025: What Employers Must Know
03 June 2025
·
Knowledge
The GDPR in 2025: What’s the Difference between Personal Data and Special Category Data?
03 June 2025
·
Articles
Data Protection Gap Analysis: Identifying Weak Spots Before Regulators Do
29 May 2025
·
Knowledge
Lessons Learned from the Legal Aid Agency Data Breach
22 May 2025
·
Articles
How to Spot a Phishing Email in 2025 –with Real Examples and Red Flags
16 May 2025
·
Articles
The Co-op, M&S, Harrods… You? Mitigating the Risk of Ransomware
13 May 2025
·
Articles
The 8 CISSP domains explained
08 May 2025
·
Articles
Windows 10 End of Life: What Does it Mean for Your Organisation?
02 May 2025
·
Articles
Author of the Month: Richard Bingley
01 May 2025
·
Articles
Author of the Month: Andrew Pattison
01 April 2025
·
Knowledge
The Cyber Essentials Scheme’s 2025 Update and What it Means for Your Organisation
20 March 2025
·
Knowledge
What It Takes to Be Your Organisation’s DPO or Data Privacy Lead
20 January 2025
·
Articles
Free Expert Insights: Index of Interviews
15 January 2025
·
Articles
How Can Organisations Transition to ISO 27001:2022?
14 January 2025
·
Articles
The Benefits of Becoming an Ethical Hacker
13 January 2025
·
Knowledge
Step-by-Step Guide to Achieving GDPR Compliance
08 January 2025
·
Articles
How You Can Continually Improve Your ISO 27001 ISMS (Clause 10)
06 January 2025
·
Knowledge
How a GDPR Gap Analysis Helps Secure Support From Senior Management
11 December 2024
·
Articles
How to Select Effective Security Controls
09 December 2024
·
Articles
Cyber Threats During the Holidays: How to Stay Safe From Seasonal Scams and Data Breaches
04 December 2024
·
Knowledge
Cyber Essentials vs ISO 27001: Key Differences
02 December 2024
·
Articles
Meet the Hacker: How Simulated Phishing Addresses Your Biggest Security Risk
27 November 2024
·
Articles
Breaking In to Keep Hackers Out: The Essential Work of Penetration Testers
25 November 2024
·
Knowledge
How Do the Cyber Essentials and Cyber Essentials Plus Assessments Work?
20 November 2024
·
Articles
How to Create a Strong Security Culture
18 November 2024
·
Articles
Your Biggest Security Risk: The Insider Threat
13 November 2024
·
Articles
Layering Defences to Safeguard Sensitive Data Within AI Systems
11 November 2024
·
Knowledge
How Organisations Are Failing to Process Personal Data Lawfully Under the GDPR
04 November 2024
·
Articles
The 6 CCSP Domains Explained
30 October 2024
·
Knowledge
GDPR: International Data Transfers Using the IDTA, SCCs or BCRs
28 October 2024
·
Articles
Strategies for Securing Your Supply Chain
23 October 2024
·
Articles
How to Meet the NCSC’s 14 Cloud Security Principles
21 October 2024
·
Articles
The Insider Threat: Strategies to Safeguard Against Malicious Insiders
16 October 2024
·
Knowledge
GDPR: Data Subject Rights and Organisations’ Responsibilities
14 October 2024
·
Knowledge
How Do You Demonstrate Accountability Under the GDPR?
08 October 2024
·
Articles
Security Risks of Outsourcing to the Cloud: Who’s Responsible?
03 October 2024
·
Articles
7 Steps to Prepare for PCI DSS Audit Success
01 October 2024
·
Articles
How to Overcome Unconscious Bias in the Workplace
24 September 2024
·
White Papers
GDPR Benchmark Report: Compliance Insights
17 September 2024
·
Articles
8 Ways to Reduce Your PCI DSS Compliance Burden
17 September 2024
·
Articles
How to Address AI Security Risks With ISO 27001
12 September 2024
·
Articles
How to Write a Modern Slavery Statement – 6-Step Guide
10 September 2024
·
Articles
How Do You Mitigate Information Security Risk?
05 September 2024
·
Articles
Where to Start with Cyber Security Risk Management
29 August 2024
·
Articles
Tips for Environmental Sustainability at Work and How ISO 14001 Can Help
27 August 2024
·
Knowledge
What Is Access Control and Why Do Cyber Essentials and ISO 27001 Require It?
21 August 2024
·
Knowledge
A Guide to GDPR International Transfers
20 August 2024
·
Articles
Online Merchants: PCI DSS Compliance Tips When Outsourcing
15 August 2024
·
Articles
Are You Meeting Your Occupational Health & Safety Requirements?
13 August 2024
·
Knowledge
Streamlining GDPR Compliance With ROPAs, Data Flow Maps and DPIAs
08 August 2024
·
Articles
5 Cyber Security and ISO 27001 Myths
01 August 2024
·
Articles
CrowdStrike: Lessons on the Importance of Contracts, Insurance and Business Continuity
30 July 2024
·
Articles
How to Easily Meet the PCI DSS Awareness Training Requirements
25 July 2024
·
Articles
ISO 27001:2022 Transition Challenges and How to Use ISO 27002
18 July 2024
·
Articles
Analysing Data Breaches Caused by Human Error
16 July 2024
·
Articles
The Good, the Bad and the Improvable of PCI DSS v4
11 July 2024
·
Articles
‘RockYou2024’: Nearly 10 BILLION Unique Plaintext Passwords Leaked
10 July 2024
·
Knowledge
GDPR Article 28 Contracts: What You Need to Know
09 July 2024
·
Knowledge
Records of Processing Activities (ROPAs): Simplifying GDPR Compliance
04 July 2024
·
Articles
Security Trends for 2024 and Beyond
28 June 2024
·
Articles
Creating an AI Policy – A Guide for SMEs
10 June 2024
·
Articles
Worrying Ransomware Trends, and What to Do About Them
07 June 2024
·
Articles
Security Tips and Concerns for Remote Working
31 May 2024
·
Articles
A Practical Guide to Cyber Incident Response
24 May 2024
·
Articles
ISO 27001 and Physical Security
15 May 2024
·
Articles
6,009,014 MovieBoxPro Accounts Breached in Another Data Scraping Incident
07 May 2024
·
Articles
Global Data Breaches and Cyber Attacks in 2024
02 May 2024
·
Articles
Global Data Breaches and Cyber Attacks in April 2024 – 5,336,840,757 Records Breached
02 May 2024
·
Articles
The Week in Cyber Security and Data Privacy: 22 – 28 April 2024
29 April 2024
·
Articles
Looking Back on the Channel Partner Event and Awards 2024
24 April 2024
·
Articles
The Week in Cyber Security and Data Privacy: 15 – 21 April 2024
22 April 2024
·
Articles
Cyber Defence in Depth: An Expert’s Overview
19 April 2024
·
Articles
The Week in Cyber Security and Data Privacy: 8 – 14 April 2024
15 April 2024
·
Articles
The Week in Cyber Security and Data Privacy: 1 – 7 April 2024
09 April 2024
·
Articles
Global Data Breaches and Cyber Attacks in March 2024 – 299,368,075 Records Breached
04 April 2024
·
Articles
An Expert Overview of CISM®
04 April 2024
·
Articles
The Week in Cyber Security and Data Privacy: 25 – 31 March 2024
02 April 2024
·
Articles
The Week in Cyber Security and Data Privacy: 18 – 24 March 2024
25 March 2024
·
Articles
The False Economy of Deprioritising Security
20 March 2024
·
Articles
The Week in Cyber Security and Data Privacy: 11 – 17 March 2024
18 March 2024
·
Articles
ISO 27001:2022 Annex A Controls Explained
13 March 2024
·
Articles
The Week in Cyber Security and Data Privacy: 4 – 10 March 2024
11 March 2024
·
Articles
Global Data Breaches and Cyber Attacks in February 2024 – 719,366,482 Records Breached
05 March 2024
·
Articles
The Week in Cyber Security and Data Privacy: 26 February – 3 March 2024
05 March 2024
·
Articles
The Week in Cyber Security and Data Privacy: 19 – 25 February 2024
27 February 2024
·
Knowledge
Ashley Brett on Cyber Essentials Solutions
21 February 2024
·
Articles
The Week in Cyber Security and Data Privacy: 12 – 18 February 2024
21 February 2024
·
Articles
Maintaining GDPR and Data Privacy Compliance in 2024
16 February 2024
·
Articles
Sophie Sayer on the IT Governance Partner Programme
14 February 2024
·
Articles
The Week in Cyber Security and Data Privacy: 5 – 11 February 2024
14 February 2024
·
Articles
Your CVSS Questions Answered
09 February 2024
·
Articles
Elearning Staff Awareness Course Overview: Ransomware
07 February 2024
·
Articles
The Week in Cyber Security and Data Privacy: 29 January – 4 February 2024
06 February 2024
·
Articles
Global Data Breaches and Cyber Attacks in January 2024 – 29,530,829,012 Records Breached
05 February 2024
·
Articles
Expert Insight: Vanessa Horton on Anti-Forensics
02 February 2024
·
Articles
The Week in Cyber Security and Data Privacy: 22 – 28 January 2024
30 January 2024
·
Articles
‘Mother of All Breaches’: 26 BILLION Records Leaked
24 January 2024
·
Articles
The Week in Cyber Security and Data Privacy: 15 – 21 January 2024
23 January 2024
·
Articles
The Week in Cyber Security and Data Privacy: 8 – 14 January 2024
16 January 2024
·
Articles
The Week in Cyber Security and Data Privacy: 1 – 7 January 2024
09 January 2024
·
Articles
List of Data Breaches and Cyber Attacks in 2023 – 8,214,886,660 records breached
05 January 2024
·
Articles
Global Data Breaches and Cyber Attacks in December 2023 – 2,241,916,765 Records Breached
05 January 2024
·
Articles
Expert Insight: Adam Seamons on Zero-Trust Architecture
05 January 2024
·
Articles
The Weeks in Cyber Security and Data Privacy: 18 – 31 December 2023
04 January 2024
·
Articles
The Third-Party Threat for Financial Organisations
22 December 2023
·
Knowledge
Sam McNicholls-Novoa on CyberComply
20 December 2023
·
Articles
The Week in Cyber Security and Data Privacy: 11 – 17 December 2023
19 December 2023
·
Articles
The Week in Cyber Security and Data Privacy: 4 – 10 December 2023
11 December 2023
·
Articles
Data Breaches and Cyber Attacks in November 2023 – 519,111,354 Records Breached
05 December 2023
·
Articles
The Week in Cyber Security and Data Privacy: 27 November – 3 December 2023
05 December 2023
·
Articles
Expert Insight: Cliff Martin
28 November 2023
·
Articles
The Week in Cyber Security and Data Privacy: 20 – 26 November 2023
28 November 2023
·
Articles
Alan Calder on Cyber Resilience
24 November 2023
·
Articles
Risk Management under the DORA Regulation
23 November 2023
·
Articles
The Week in Cyber Security and Data Privacy: 13 – 19 November 2023
20 November 2023
·
Articles
Catches of the Month: Phishing Scams for November 2023
17 November 2023
·
Articles
The Week in Cyber Security and Data Privacy: 6 – 12 November 2023
13 November 2023
·
Articles
The Week in Cyber Security and Data Privacy: 30 October – 5 November 2023
06 November 2023
·
Articles
Expert Insight: Andrew Snow
06 November 2023
·
Articles
Data Breaches and Cyber Attacks in October 2023 – 867,072,315 Records Breached
03 November 2023
·
Articles
The Week in Cyber Security and Data Privacy: 23 – 29 October 2023
31 October 2023
·
Articles
Expert Insight: Stephen Hancock on SAQ SPoC
30 October 2023
·
Articles
The Week in Cyber Security and Data Privacy: 16 – 22 October 2023
24 October 2023
·
Articles
IT Governance Podcast 20.10.23: Casio, Cisco, MOVEit (again) and the ICC
23 October 2023
·
Articles
Catches of the Month: Phishing Scams for October 2023
13 October 2023
·
Articles
IT Governance Podcast 6.10.23: TikTok, Sony and MOVEit and DarkBeam
06 October 2023
·
Articles
List of Data Breaches and Cyber Attacks in September 2023 – 3,808,687,191 Breached Records
05 October 2023
·
Articles
Royal Family’s Website Targeted by Denial-of-Service Attack
02 October 2023
·
Articles
IT Governance Podcast 22.09.23: MGM Resorts, Microsoft Azure, International Criminal Court
22 September 2023
·
Articles
MGM Resorts suffers ransomware infection following social engineering attack
18 September 2023
·
Articles
Catches of the Month: Phishing Scams for September 2023
15 September 2023
·
Articles
IT Governance Podcast 08.09.23: Electoral Commission (again), Meta, Pôle emploi
07 September 2023
·
Articles
List of Data Breaches and Cyber Attacks in August 2023 – 79,729,271 Records Breached
06 September 2023
·
Articles
IT Governance Podcast 25.8.23: Tesla, Duolingo, Lapsus$ trial
24 August 2023
·
Articles
IT Governance Podcast 11.8.23: Electoral Commission, PSNI, Capita
10 August 2023
·
Articles
Catches of the Month: Phishing Scams for August 2023
07 August 2023
·
Articles
What is Vishing? Definition, Examples and Prevention
03 August 2023
·
Articles
List of Data Breaches and Cyber Attacks in July 2023 – 146 Million Records Breached
01 August 2023
·
Articles
What is Tailgating? Definition, Examples & Prevention
27 July 2023
·
Articles
Norwegian Government Hit by Widespread Cyber Attack
24 July 2023
·
Articles
What is Smishing? Definition, Examples and Prevention
19 July 2023
·
Articles
IT Governance Podcast 14.7.23: EU-US DPF, UK-US data bridge, MOVEit patches and other security fixes
13 July 2023
·
Articles
Red Team vs Blue Team: What’s the Difference?
13 July 2023
·
Articles
Data Breaches and Cyber Attacks Quarterly Review: Q2 2023
11 July 2023
·
Articles
Catches of the Month: Phishing Scams for July 2023
06 July 2023
·
Articles
List of Data Breaches and Cyber Attacks – June 2023
04 July 2023
·
Articles
IT Governance Podcast 30.6.23: ChatGPT, LetMeSpy and MS Teams, plus Alan Calder on cyber security
29 June 2023
·
Articles
Phone-Tracking App LetMeSpy Says It Has Been Hacked
29 June 2023
·
Articles
How to Recover From a Cyber Attack
27 June 2023
·
Articles
100,000 ChatGPT Accounts Hacked in Malware Attack
22 June 2023
·
Articles
10 Ways to Prevent Phishing Attacks in 2023
21 June 2023
·
Articles
IT Governance Podcast 16.6.23: MOVEit, LinkedIn, Spotify and Google Bard
15 June 2023
·
Articles
Ofcom Becomes the Latest Victim of MOVEit Supply Chain Attack
15 June 2023
·
Articles
API Penetration Testing Checklist
13 June 2023
·
Articles
51 Must-Know Phishing Statistics for 2023
08 June 2023
·
Articles
Catches of the Month: Phishing Scams for June 2023
06 June 2023
·
Articles
IT Governance Podcast 2.6.23: Capita, NHS, Meta, GDPR, DPDI Bill and Alan Calder on cyber regtech
01 June 2023
·
Articles
List of Data Breaches and Cyber Attacks – May 2023
01 June 2023
·
Articles
What is a DoS Attack?
31 May 2023
·
Knowledge
GDPR Article 32: Your Guide to the Requirements
23 May 2023
·
Articles
IT Governance Podcast 19.5.23: A Capita special, featuring pension providers, Colchester City Council and Alan Calder’s analysis
18 May 2023
·
Articles
What Is a Brute Force Attack? Definition, Prevention and Examples
17 May 2023
·
Articles
Eurovision Organisers Concerned About the Threat of Cyber Attacks
11 May 2023
·
Knowledge
Cyber Essentials Pricing in 2023: What You Need to Know
10 May 2023
·
Articles
Catches of the Month: Phishing Scams for May 2023
10 May 2023
·
Articles
IT Governance Podcast 5.5.23: ChatGPT, LockBit, T-Mobile and Alan Calder on cyber security for boards
04 May 2023
·
Articles
List of Data Breaches and Cyber Attacks in April 2023 – 4.3 Million Records Breached
02 May 2023
·
Articles
World Economic Forum: Organisations Must Invest in Security as ‘Catastrophic Cyber Event’ Looms
27 April 2023
·
Articles
IT Governance Podcast 21.4.23: Capita, Chrome, LockBit for Macs and Alan Calder on cyber security
20 April 2023
·
Articles
Capita Admits That Its ‘Cyber Incident’ Was Ransomware and That Customer Data Was Breached
20 April 2023
·
Articles
What Is Data Minimisation? Definition & Examples
18 April 2023
·
Articles
Data Breaches and Cyber Attacks Quarterly Review: Q1 2023
13 April 2023
·
Articles
April 2023’s Catch of the Month: Uncovering Phishing Scams
11 April 2023
·
Articles
IT Governance Podcast 2023-7: Capita, ChatGPT and TikTok (yet again)
05 April 2023
·
Articles
How to Prevent Malware Attacks: 8 Tips for 2023
05 April 2023
·
Articles
List of Data Breaches and Cyber Attacks in March 2023 – 41.9 Million Records Breached
03 April 2023
·
Knowledge
GDPR Article 17: What Is the Right to Erasure?
30 March 2023
·
Articles
Data Backups Are for Life, Not Just for World Backup Day
28 March 2023
·
Articles
IT Governance Podcast 2023-6: Ferrari, Dole, TikTok (again), Android
23 March 2023
·
Articles
TikTok Banned on UK Government Devices
16 March 2023
·
Articles
3 reasons cyber security training is essential
09 March 2023
·
Articles
IT Governance Podcast 2023-5: WH Smith, the Data Protection and Digital Information Bill, TikTok
09 March 2023
·
Articles
Catches of the Month: Phishing Scams for March 2023
07 March 2023
·
Knowledge
Cyber Essentials is Updating its Technical Requirements
02 March 2023
·
Articles
List of Data Breaches and Cyber Attacks in February 2023 – 29.5 Million Records Breached
01 March 2023
·
Articles
IT Governance Podcast 2023-4: EU-US Data Privacy Framework, Twitter 2FA, GoDaddy, HardBit 2.0
23 February 2023
·
Articles
Twitter’s Security Move: Charging Users for SMS Two-Factor Authentication
23 February 2023
·
Articles
Is Pepsi Okay? Bottling Plant Suffers Malware Attack
16 February 2023
·
Articles
IT Governance Podcast 2023-3: Bank security flaws ranked, ION ransom paid, MP hacked
09 February 2023
·
Articles
Phishing Alert: February 2023’s Notable Scams
07 February 2023
·
Articles
How to Investigate a Cyber Incident: 5-Step Guide
02 February 2023
·
Articles
List of Data Breaches and Cyber Attacks in January 2023 – 277.6 Million Records Breached
01 February 2023
·
Articles
IT Governance Podcast 2023-2: Mailchimp, fast food, T-Mobile, ice rinks, iOS update and ISO 27001
26 January 2023
·
Articles
What Are You Doing for Data Protection Day?
25 January 2023
·
Articles
NortonLifeLock Says Customer Accounts were Compromised in Credential-Stuffing Attack
19 January 2023
·
Articles
7 Ways to Avoid Physical Security Threats in the Workplace
17 January 2023
·
Articles
IT Governance Podcast 2023-1: more ransomware attacks on the education sector, and DPC and Meta sued
13 January 2023
·
Articles
Catches of the Month: Phishing Scams for January 2023
12 January 2023
·
Articles
Data Breaches and Cyber Attacks in 2022: 480 Million Breached Records
10 January 2023
·
Articles
Criminal Hackers Leak Email Addresses of 220 Million Twitter Users
05 January 2023
·
Articles
List of data breaches and cyber attacks in December 2022 – 31.5 million records breached
03 January 2023
·
White Papers
GDPR – A compliance guide
17 August 2021
·