Cybersecurity Laws and Regulations 1 (Part 1 of 2) by John Bandler

This is part one of a two-part article which focuses on legal rules relating to cybersecurity. Laws, regulations, and other legal requirements impose legal duties regarding cybersecurity and the investigation and reporting of cybercrime. Cybersecurity meshes with privacy, so I cover some of those laws too.

Understanding these rules is part of good organizational cybersecurity, which requires evaluation of a number of important areas: (i) applicable rules, (ii) threats such as cybercrime, and (iii) helpful guidance.

These rules can be complex, but important takeaways are:

  1. Every organization should have "reasonable cybersecurity" or better, which it continually improves. This is to (a) prevent a cybercrime or other incident and (b) comply with legal requirements.
  2. Organizations need a cybersecurity program (and policy).
  3. Cybercrimes need to be detected and investigated, and sometimes reporting is required by law.

Before we get into the meat of this article, a quick word about related reading.

To learn more about cybercrime threats, see my articles on the critical threats of data breach, ransomware, and email-based funds transfer frauds. Preventing cybercrime should be the priority for all organizations because this is the underlying goal of most cybersecurity laws. If organizations can prevent a cybercrime then they are on their way towards compliance with cybersecurity related laws and avoiding related issues.

For more on helpful guidance, see my article Cybersecurity Frameworks and Guidance (coming soon), which discusses voluntary guidance organizations can follow, including my Four Pillars of Cybersecurity. If you want to learn more about harmonizing laws and frameworks for your organization’s cybersecurity program, read Policies, Procedures, and Governance of an Organization.

If you are new to cybersecurity, first read my Introduction to Cybersecurity and Information Security article. If you are new to law, consider taking a look at my Introduction to Law outline, and Chapter 5 of my book, Cybercrime Investigations.

1. Overview of External Rules

There are many laws and regulations that relate to cybersecurity, including traditional legal concepts, cybersecurity-specific rules, data breach reporting requirements, privacy laws, and more. Each organization needs to consider which of these external rules apply to it, and then evaluate what is needed to comply. After reviewing these external rules and the threats it faces, the organization needs to create “internal rules” (policies and procedures) that protect it and align properly with the external rules.

Here is a quick list of the main legal requirements to consider:

  • Criminal laws
  • Negligence law
  • Contract law
  • Litigation – Discovery and E-discovery
  • Data disposal laws
  • Data breach notification laws
  • Cybersecurity laws
  • Privacy laws
  • Regulations (for regulated sectors and professions such as finance, medical, education, utilities, certain professions, those doing business with the government, and more)

I put regulations last since regulations apply only to specific regulated entities, and if you are not that type of organization, it doesn’t concern you. Despite being last on my list, consider that regulators led the way on creating important rules relating to cybersecurity, and now there are cybersecurity laws that apply to all.

A quick word on the difference between a law and a regulation which students and non-lawyers may find helpful. A law is enacted by a government unit (such as the federal government or a state government) by being passed by the legislative body (e.g., Congress) and then signed by the executive (e.g., the President or a Governor). In contrast, a regulation is issued by a regulatory body which has legal authority over certain sectors. Examples of regulators include the Federal Deposit Insurance Corporation (FDIC) and New York State Department of Financial Services (NYDFS). The regulator exists and has authority by virtue of a law, giving it the right to issue certain rules. Regulated organizations may hold a license which is overseen by the regulator, and to keep that license they need to follow the regulator’s rules.

2. Criminal Laws

Criminal laws are beyond the focus of this article, but since we are talking about laws, they are worth a mention. It can also be helpful for many to get a reminder of the difference between criminal and civil laws. Criminal laws can be used to bring cybercrime offenders to justice. Our criminal justice system provides for the toughest actions and penalties that our legal system can impose – arrest and incarceration. Criminal laws applicable to cyber include traditional laws regarding theft and fraud plus newer cybercrime-specific laws. Criminal laws are enforced by police, investigators, agents, and prosecutors at the local, state, and federal levels. Unfortunately, cybercrime criminal investigation and enforcement lags far behind the rampant criminal activity, and this is an area our government needs to improve upon. Obviously, organizations should ensure their operations are conducted without violating any criminal laws.

3. Traditional Civil Laws

Before delving into newer laws created specifically to address the challenges of technology, we should review some longstanding legal principles that are important in the information age: negligence, contract, and litigation.

3.1 Negligence Law

Principles of negligence law hold that an individual or entity can be liable for failing to meet their duty of care. The elements of a cause of action for negligence are (i) a duty, (ii) a breach of that duty, and (iii) damages caused by that breach. Negligence law plus good business principles suggest that organizations should be diligent and reasonable, and never sloppy or negligent. In my teaching and writings, I often analogize cybercrime liability to premises liability and automobile accident liability. In short, consider the hypothetical where Organization A had negligent security which allowed Cybercriminal B to commit a crime and victimize Victim C. Victim C can’t sue Cybercriminal B (who can’t be identified and won’t come to court), and so considers suing Organization A and alleging negligence.

3.2 Contract Law

Contract law establishes that individuals and organizations may enter into agreements with each other that are legally binding and can be enforced by the courts. The elements of a valid contract are (i) offer, (ii) acceptance, (iii) exchange of something of value (“consideration”), and (iv) the contract does not violate the law or principles of good society (“public policy”). Many contracts implicate cybersecurity and privacy, as there may be duties, promises, representations, disclaimers, waivers, and indemnification. Organizations may have a duty to implement certain cybersecurity measures, to detect, investigate, and notify of cybercrime attacks, and more. Terms of Use, Terms of Service, and Privacy Policies are all contracts. In my Frameworks and Guidance article, I mention the Payment Card Industry (PCI) Data Security Standard (DSS), a framework many organizations are contractually obligated to follow. Insurance policies, including "cyber insurance", are also contracts.

3.3 Litigation – Discovery & E-discovery

Ultimately, our legal system exists to provide a mechanism to peacefully resolve disputes, a process that is carried out through litigation. A critical part of litigation is discovery (sometimes called disclosure), where parties exchange information prior to trial. In today’s digital age, electronic discovery (“E-discovery”) means enormous amounts of data must be sifted through, and this means reviewing where data is stored, investigating where it might be found, and conducting digital forensics and analysis. Thus, every litigation – no matter the underlying subject – implicates cyber, because legal rules govern the preservation, collection, and production of this electronic evidence.

4. Cyber Specific Civil Laws – An Overview

In the historical evolution of cybersecurity laws of general application, the first arrival was state data disposal laws, designed to reduce the incidence of organizations throwing out or selling old computers or paper files without first destroying any sensitive information within them. Where those discarded objects contained personal information of clients or customers, that was a violation of privacy. If I had to sum up these laws in a sentence, it would be: “Don’t throw away other people’s data where others can find it – destroy it first!”

Next came state data breach notification laws. Now, every state has data breach reporting laws which require organizations to report data breaches involving personal information of state residents. The organization must notify affected parties (those whose information was breached) and various state agencies. Every organization is subject to these data breach laws. These laws impose explicit duties to accurately notify and report, which implies duties to monitor, detect, and properly investigate. I would sum up these laws thusly: “If a cybercriminal steals data you are holding, you must tell the people whose data got stolen, and tell the government.”

Then came state cybersecurity laws. Many states have implemented laws requiring that organizations implement certain cybersecurity measures. Some laws are general, some have details, but most recognize that cybersecurity is not “one size fits all,” and thus the touchstone of these laws is “reasonable and diligent” cybersecurity. I would summarize these laws as follows: “Be reasonable and diligent securing your systems, especially the personal information you store.”

Next came privacy laws. Cybersecurity and privacy intersect greatly, and most privacy laws have components of cybersecurity, investigation, and reporting. Privacy law governs the data that organizations collect, store, share, and use. The European Union’s (EU) General Data Protection Regulation (GDPR) was a groundbreaking privacy law with many implications for the US. Then came the California Consumer Privacy Act (CCPA), and other states have followed suit. These laws essentially give consumers rights over their data and over how that data is collected, stored, used, and shared.

Notably, there is no federal law of general applicability regarding cybersecurity or data breach reporting, nor is there a comprehensive federal privacy law. Bills have been introduced, but nothing has passed (yet). Worthy of mention is the Federal Trade Commission (FTC) Act, which (among many other provisions) empowers the FTC to regulate unfair or deceptive trade practices. This power includes the principle that companies should have fair and clear privacy practices, hold data with a certain level of security (if subject to an appropriate rule), and not make deceptive claims about their level of security. Thus, the FTC is the primary federal enforcer of privacy rights.

State laws are enforced at the state level by each State’s Attorney General. Every state has its own attorney general, not to be confused with the Attorney General of the United States.

There are federal laws and regulations which apply to certain regulated sectors such as finance and health, which we will cover in the next section.

Each organization should look at all of the different rules it needs to comply with, and work to harmonize them. Different rules use different terminology and may impose both overlapping and unique requirements.

That concludes our summary of the basics of cybersecurity-related laws. Part 2 of this article is less conversational but contains important information, as I list some of the specific laws and regulations with a brief summary and relevant links.

Click here to read Cybersecurity Laws and Regulations Part 2, at https://johnbandler.com/cybersecurity-laws-and-regulations-2/.

Conclusion & Additional Reading

As you can tell, we have a rapidly evolving patchwork of laws and regulations regarding cybersecurity, privacy, and related issues. Part 2 has additional information.

I welcome your feedback on this article including suggestions to improve it or additional laws or regulations to mention.

As long as this article is, it is still a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for myself, students, clients, potential clients, and anyone else in need of basic information. It is not legal advice nor consulting advice, and is not tailored to your circumstances.

If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity. Sometimes individuals need help with cybersecurity and investigations too.

References: Some additional helpful articles and resources on this site include:

This article is hosted at https://johnbandler.com/cybersecurity-laws-and-regulations-1, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at TO BE POSTED SOON (though perhaps not updated as frequently).

Originally posted 7/26/2021. Last updated 7/27/2021.