Cybersecurity Laws and Regulations Part 2
by John Bandler
This is the second part of an article about legal rules relating to cybersecurity, providing more detail on each external rule. Laws, regulations, and other legal requirements impose legal duties regarding cybersecurity and the investigation and reporting of cybercrime. Cybersecurity meshes with privacy, so I cover privacy laws here too.
Each organization should look at all of the different rules it needs to comply with, and work to harmonize them. Different rules use different terminology and may impose both overlapping and unique requirements.
Recapping Part 1 of this article
Part One of this article is more readable, covering general principles of law without getting into individual laws. We covered:
- Overview of all laws
- Criminal laws
- Traditional civil laws
- Cyber specific civil laws (overview)
Here in Part 2 it is less conversational, and more of a reference of specific laws and regulations with a brief summary and relevant links. So this page is more for specific research and reference, or to get through a bout of insomnia.
As before, I have chosen to lump this body of law together as "Cybersecurity and Privacy Law" because distinguishing between the two can be an unnecessarily complex chore.
Continuing the prior article, we pick up here with Section 5, and I start to list some important laws and regulations that relate to cybersecurity and privacy.
5. Laws of general applicability for cybersecurity and privacy, including breach notification, consumer data protection
These are laws that apply generally and do not depend upon the specific sector of the organization.
Generally, these are state laws, since the federal government has not enacted a specific cybersecurity or privacy law of general applicability. However, the FTC Act has been applied to this area, so I start with that.
5.1 The Federal Trade Commission (FTC) Act
The Federal Trade Commission has some capabilities to investigate and enforce unfair or deceptive trade practices, which could include false promises about privacy or security, and perhaps even negligent cybersecurity. Its main authority is under FTC Act § 5(a), 15 U.S.C. § 45(a)(1). The FTC also has authority over certain organizations under other laws, such as GLBA. For more information on the FTC and their powers, see:
5.2 State law compilations
Every state has a law regarding data breach reporting, many have laws regarding cybersecurity for consumer data, and more and more are enacting privacy laws.
The National Conference of State Legislatures (NCSL) has analyzed various state laws, and some of their helpful compilations are here:
- NCSL, Data Security Laws, Private Sector, https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx
- NCSL, Security Breach Notification Laws, https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- NCSL, Data Disposal Laws, https://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx
- NCSL, State Laws Related to Digital Privacy, https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx
The International Association of Privacy Professionals (IAPP) is a non-profit organization that has excellent information on privacy (which includes consumer data protection and breach notification) and offers a variety of privacy certifications, including the Certified Information Privacy Professional/United States (CIPP/US) (I hold this certification and have built a certification study course). The IAPP offers these resources:
Some larger law firms have also compiled excellent lists of all of these state laws.
I am not trying to compete with any of the above, but merely provide some helpful information in the following sections.
5.3 New York Laws: Data, Cybersecurity, and Breach Notification
New York’s SHIELD Act (passed in 2019) strengthened existing data breach notification rules and imposed a new “reasonable cybersecurity” requirement. SHIELD stands for “Stop Hacks and Improve Electronic Data Security,” and I will save the word count by not commenting further. Thus, New York has a requirement for reasonable cybersecurity, incident response (including cybercrime investigation), and data breach notification to state government agencies and affected parties. The SHIELD Act is found within the New York State General Business Law (“GBL” or “GBS”) §899-aa and §899-bb.
Sections and links include:
- NY GBL § 399H, Disposal of records containing personal identifying information, https://www.nysenate.gov/legislation/laws/GBS/399-H
- NY GBL § 899-aa Notification; person without valid authorization has acquired private information, https://www.nysenate.gov/legislation/laws/GBS/899-AA
- NY GBL § 899-bb Data security protections, https://www.nysenate.gov/legislation/laws/GBS/899-BB
- I wrote an article about the NY SHIELD Act which is available here.
- New York State Attorney General, https://ag.ny.gov/
The proposed New York Privacy Act (NY Senate Bill S6701A) is pending in the NY legislature as a bill, so it is not a law and has no legal authority.
New York's Department of Financial Services (DFS) has also put forth a cybersecurity regulation for the financial sector, which I cover in the sector specific section.
5.4 District of Columbia Laws for Cybersecurity and Breach Notification
The District of Columbia also recently created a security requirement (effective in 2020), to supplement their existing data breach notification requirement. These laws are within the District of Columbia Consumer Security Breach Notification Act, and their law is found at D.C. Code § 28–3851 et seq, https://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/
The relevant sections are:
- 28–3852. Notification of security breach. This section indicates that if “personal information” is breached, the organization must notify the person whose information was breached, and the DC Attorney General, and specifies additional details.
- 28-3852.01. Security requirements (this became effective June 17, 2020). This section requires the organization to have “reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.”
5.5 Connecticut Laws for Cybersecurity and Breach Notification
Of course, Connecticut (like every other state) has its own breach notification law. An amendment to the breach notification law (passed in June 2021 and effective 10/1/2021) imposes additional duties for breach notification.
Connecticut law also imposes duties to properly safeguard personal information stored by an organization. A recent law (also effective 10/1/2021) provides a certain safe harbor from certain types of civil liability following a cybercrime or other incident if an organization properly adopts a respected cybersecurity framework (see my article on cybersecurity frameworks coming soon).
In May 2022 Connecticut passed a sweeping privacy law, effective July 2023.
Below are some citations and links to the CT statutes.
- CT General Statutes, §42-471, Safeguarding of personal information. Social Security numbers. Privacy protection policy. Civil penalty. https://www.cga.ct.gov/current/pub/chap_743dd.htm#sec_42-471 (requires the safeguarding of personal information).
- CT General Statutes, §36a-701b, Breach of security re computerized data containing personal information. Notice of breach. Provision of identity theft prevention services and identity theft mitigation services. Delay for criminal investigation. Means of notice. Unfair trade practice, https://cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b (data breach reporting requirements, if personal information is breached, organization must notify those people whose data was breached, and the CT Attorney General). Note a recent amendment effective October 1, 2021 (See Public Act No. 21-59, Substitute House Bill No. 5310. https://www.cga.ct.gov/2021/ACT/PA/PDF/2021PA-00059-R00HB-05310-PA.PDF).
- CT Public Act No. 21-119, Substitute House Bill No. 6607, https://www.cga.ct.gov/2021/ACT/PA/PDF/2021PA-00119-R00HB-06607-PA.PDF (effective 10/1/2021) encourages organizations to adopt a respected cybersecurity framework, and in exchange shield that organization from certain civil liability if they are a victim of a cybercrime.
- REPEALED CT General Statutes § 38a-999b, Health Insurer specific security requirements, repealed effective 10/1/2021.
- Connecticut Data Privacy Act (“CTDPA”), CT Public Act No. 22-15, Substitute Senate Bill No. 6, "An Act Concerning Personal Data Privacy and Online Monitoring", signed into law 5/10/2022 and effective 7/1/2023, a new and sweeping privacy law for Connecticut. https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF
5.6 California Laws
California has led the way with data breach reporting laws and, more recently, with U.S. privacy laws through the California Consumer Privacy Act (CCPA), enacted in 2018 and amended by the 2020 California Privacy Rights Act (CPRA) (a ballot initiative, Proposition 24, which amended the CCPA). The CPRA also created the California Privacy Protection Agency (CPPA), meaning privacy is regulated by a dedicated agency (instead of by the state Attorney General).
For my webpage, California probably deserved to go first, but I am based on the East Coast so I put it later. Some CA links are below.
The CCPA as amended is brutally long and complex, 65 pages and about 25,000 words. Add on to that the regulations (effective March 2023) another 65 pages and 27,000 words.
It could be argued that such a lengthy and complex law does a disservice to individuals and organizations, and is more of a boon to lawyers and compliance professionals who are needed to navigate the dense thicket. The hope is for clear guidance and clear, consistent enforcement.
- CA AG webpage: https://oag.ca.gov/privacy/ccpa (really helpful summary, updated 5/10/2023)
- California Privacy Protection Agency (CPPA) webpage: https://cppa.ca.gov/
- CCPA statute: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
- CCPA regulations: https://govt.westlaw.com/calregs/Browse/Home/California/CaliforniaCodeofRegulations?guid=IEB210D8CA2114665A08AF8443F0245AD&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)
- CPRA compilation from IAPP: https://iapp.org/resources/article/the-california-privacy-rights-act-of-2020/
- CPRA text: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
- CPRA text: https://thecpra.org/
- California cybersecurity and breach statute: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.&part=4.&chapter=&article=
5.7 Other states
Colorado has a privacy law called the Colorado Protections for Consumer Data Privacy Act (PCDPA).
- CO AG Webpage, https://coag.gov/resources/data-protection-laws/.
Virginia has a new privacy law called the Virginia Consumer Data Protection Act (CDPA).
- VA CDPA statute, https://lis.virginia.gov/cgi-bin/legp604.exe?212+sum+HB2307.
- IAPP article, https://iapp.org/news/a/virginia-passes-the-consumer-data-protection-act/
There is much proposed legislation as well. Of course, pending legislation does not have any legal effect unless and until it becomes a law.
- New York has the proposed New York Privacy Act, NY Senate Bill S5642 (2019-2020) https://www.nysenate.gov/legislation/bills/2019/s5642
6. Cybersecurity and privacy requirements for certain sectors
There are cybersecurity and privacy regulations that apply just to specific sectors. Laws of general applicability (prior sections) may still apply to regulated sectors, though often the regulations impose greater duties. A regulator has authority to enforce certain statutes or rules upon certain types of organizations. Thus, each organization needs to know who their regulators are and what rules the organization needs to comply with. Most regulators impose some type of rule relating to cybersecurity and privacy.
6.1 Financial Sector
The financial sector is heavily regulated, and for good reason. Instability or a collapse could cripple our economy and affect public safety and national security. Financial regulations cover a wide swath of topics to ensure the safety and soundness of a financial institution, protect consumers (including their deposits, investments, rights, and privacy), and ensure good information security and privacy practices. There are a dizzying number of federal financial regulators, who have collaborated to create the Federal Financial Institutions Examination Council (FFIEC), which has rules for information security, technology, and more. On top of that, each state may have its own financial regulator.
6.1.1 Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) (also known as the Financial Services Modernization Act of 1999) is a federal law that created privacy and information security requirements for financial institutions. GLBA’s implementation rules include the Safeguards Rule (to protect consumer information) and the Privacy Rule (regarding disclosure of consumers’ personal information).
6.1.2 Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 (SOX) is a federal law for publicly traded companies – companies listed on a stock exchange. SOX requires publicly traded companies to have proper internal control structures in place to validate that their financial statements accurately reflect their financial results, thus requiring controls over information systems. SOX is overseen by the Securities and Exchange Commission (SEC).
6.1.3 New York Cybersecurity Requirements for Financial Services Companies
The New York State Department of Financial Services (DFS) issued a rule pursuant to its rulemaking authority requiring certain cybersecurity measures by financial services companies within NY. This is DFS Rule 500, Cybersecurity Requirements for Financial Services Companies, 23 NY Codes, Rules and Regulations (NYCRR) Part 500.
- View 23 NYCRR Part 500 on Westlaw
- 23 NYCRR Part 500 at Cornell LII, https://www.law.cornell.edu/regulations/new-york/title-23/chapter-I/part-500
6.1.4 Federal Financial Institutions Examination Council (FFIEC)
The Federal Financial Institutions Examination Council (FFIEC) is a body of federal financial regulators that establishes common federal standards for many financial sector regulators, including requirements for cybersecurity. Some of these rules may arise from GLBA, others from broader regulatory authority over safety, soundness, and consumer protection. Among the FFIEC rules and guidance are the FFIEC Audit IT Examination Handbook and Cyber Assessments Tool (CAT).
6.1.5 Partial Listing of Financial Regulators
Below is a partial listing of some federal financial regulators, each of which will impose requirements for cybersecurity and privacy upon those organizations they regulate.
- Federal Financial Institutions Examination Council (FFIEC) (see earlier section too, since they issue their own robust guidance, designed to streamline compliance and the work of many of the below regulators)
- Federal Deposit Insurance Corporation (FDIC)
- Office of the Comptroller of the Currency (OCC)
- Federal Reserve System (the Fed)
- National Credit Union Administration (NCUA)
- Consumer Financial Protection Bureau (CFPB)
- Securities and Exchange Commission (SEC)
- Financial Industry Regulatory Authority (FINRA)
And don't forget the various state regulators, including:
- New York Department of Financial Services (NY DFS)
6.1.6 Anti-Money Laundering requirements
Anti-money laundering (AML) requirements may also mandate investigation and reporting of certain cybercrime through AML channels, including the filing of suspicious activity reports (SARs). Guidance from the primary AML regulator (FinCEN, the Financial Crimes Enforcement Network) suggests financial institutions leverage all departments (AML, cybersecurity, etc.) to investigate and report this cybercrime.
Cybercrime is typically for-profit, and involves stealing both money and consumer data, so it is logical to fight cybercrime with AML investigation and action.
6.2 Health Sector
The health sector needs to comply with laws and regulations to protect patient health and other personal information, and to ensure our health sector is protected from cyberattack or natural disaster. The federal privacy and security laws are the Health Insurance Portability and Accountability Act (HIPAA) (enacted in 1998) and Health Information Technology for Economic and Clinical Health Act (HITECH) (enacted in 2009). HIPAA was one of the earliest laws to protect personal information and privacy. These federal laws are overseen by the U.S. Department of Health and Human Services (HHS), which issues rules and regulations in accordance with the laws. Within HHS, enforcement is done by their Office for Civil Rights (OCR). There are also state laws which relate to the health sector and health information.
From HIPAA and HITECH, HHS has issued rules, notably the privacy rule (2000), security rule (2003), and breach reporting requirements. As with any law or regulation, we need to be mindful of its definitions and what is covered. One important definition in HIPAA is that of protected health information (PHI).
HHS administers these rules and has guidance, but I found their site less helpful than other government sites, sometimes with outdated webpages and resources.
HIPAA main resources include:
- HHS on HIPAA, https://www.hhs.gov/hipaa/index.html
More details on the law and history of HIPAA, HITECH, and the HHS privacy, security, and breach notification rules in this article.
6.3 Educational Sector
The Family Educational Rights and Privacy Act (FERPA) is a federal law protecting the privacy and security of student education records. See 20 U.S.C. §1232g and 34 CFR Part 99. FERPA applies to any school that receives funding from the U.S. Department of Education (ED or DoEd), which is most public schools.
- The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g https://www.law.cornell.edu/uscode/text/20/1232g
- FERPA regulations, 34 CFR Part 99, Family Educational Rights and Privacy https://www.law.cornell.edu/cfr/text/34/part-99
U.S. Department of Education FERPA resources
- ED FERPA webpage, https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- ED Protecting Student Privacy website, https://studentprivacy.ed.gov/
- Protecting Student Privacy list of regulations, https://studentprivacy.ed.gov/node/548/
- Data Breach, https://studentprivacy.ed.gov/topic/data-breach
6.3.1 Children and COPPA
Consider the Children's Online Privacy Protection Act (COPPA), with privacy requirements for children under 13.
- Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501–6505
- 15 USC Chapter 91, Children's Online Privacy Protection, https://www.law.cornell.edu/uscode/text/15/chapter-91
- 16 CFR Part 312, Children's Online Privacy Protection Rule, https://www.law.cornell.edu/cfr/text/16/part-312
- FTC on COPPA, https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa
- FTC guidance for businesses on COPPA, https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy
- FTC FAQ on COPPA, https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions
6.4 Utilities
Utilities are regulated as well, since they are critical infrastructure that needs to be kept running smoothly. Utility regulators impose requirements regarding cybersecurity and privacy, and those regulators may include:
- Federal Communications Commission (FCC)
- Federal Energy Regulatory Commission (FERC)
- North American Electric Reliability Corporation (NERC)
- State regulators
6.5 Critical infrastructure
Critical infrastructure includes finance, health, utilities, and more. A new law will eventually require incident reporting by all critical infrastructure.
In March 2022 the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law. Eventually, it will mandate cyber incident reporting to the Cybersecurity and Infrastructure Security Agency (CISA, a part of the Department of Homeland Security).
The requirements are not effective until CISA finalizes their regulations. In the meantime, CISA encourages voluntary information sharing and provides an email address and phone number for that.
CISA has to provide proposed rules to the public (Notice of Proposed Rulemaking) no later than March 2024 (24 months after the law was enacted). Then, CISA needs to issue their final rule (the regulation) within 18 months of their notice.
- https://www.congress.gov/bill/117th-congress/house-bill/2471/text (text of CIRCIA)
6.6 Certain Licensed Professions
Any profession that is licensed comes with requirements to keep that license. For some professions, those rules extend to cybersecurity or privacy.
Doctors need to follow HIPAA and HITECH and related rules of doctor-patient confidentiality.
Attorneys have rules too relating to their duties of competence, confidentiality, diligence, and more. I compiled resources for this recent attorney continuing legal education (CLE) presentation.
6.7 Doing Business with the Federal Government
Organizations that do certain business with government may be contractually obligated to comply with certain cybersecurity rules. States may have rules, and the federal government definitely does. The federal government has rules about how it will secure its own information assets, and this extends to the organizations that provide goods and services for the government.
First, let’s mention the May 2021 White House Executive Order on Cybersecurity. This touches on some really difficult cyber issues we are facing, and which I discuss in my books.
The Federal Information Security Management Act (FISMA) gives authority to the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) regarding information security in federal agencies and contracting.
Federal Risk and Authorization Management Program (FedRAMP) was developed with the National Institute of Standards and Technology (NIST) to create a standardized security framework for federal government use of cloud services. FedRAMP is based upon other NIST publications, including NIST 800-53 (see my frameworks article).
The Defense Federal Acquisition Regulation Supplement (DFARS) from the Department of Defense (DoD) has cybersecurity rules regarding defense contractors. The applicable section is DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting).
6.8 The IRS and tax information
The Internal Revenue Service (IRS) issued Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Safeguards for Protecting Federal Tax Returns and Return Information. As the title indicates, this is to provide guidance for federal, state, and local government agencies to protect the security and privacy of tax information.
6.9 Criminal justice information
The Federal Bureau of Investigation (FBI) maintains the Criminal Justice Information Services (CJIS) division, which has a repository of criminal justice information, much of which is confidential. Law enforcement agencies that are given access to it must ensure their security is sufficient and certify that. I remember during my 20 years in law enforcement I needed to annually certify and pass a test regarding my responsibilities to safeguard this information and the systems.
7. General Data Protection Regulation (GDPR)
The European Union (EU) has always had strong privacy protections, and enactment of their General Data Protection Regulation (GDPR) created strong protections for EU citizens and imposed requirements that affected countries outside of the EU. U.S. organizations must be mindful of GDPR and careful not to violate its provisions when interacting with EU citizens. Other countries around the world and many states in the U.S. have followed the lead of GDPR by enacting their own privacy legislation.
Key terms of GDPR include:
- Data Subject (a person)
- Personal data (data about the data subject)
- Data Controller (entity controlling personal data)
- Data Processor (entity processing personal data on behalf of the controller)
Key provisions of GDPR include:
- Cybersecurity (Information security)
- Breach notification
- Right to access data
- Right to correct inaccurate information
- Right of portability of data (transfer)
- Right to be forgotten (erasure)
The text of GDPR can be found through https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
The IAPP topic page is at https://iapp.org/resources/topics/eu-gdpr/
8. Privacy Policies
As you can tell, we have a rapidly evolving patchwork of laws and regulations regarding cybersecurity, privacy, and related issues.
I welcome your feedback on both parts of this article including suggestions to improve it or additional laws or regulations to mention.
As long as this article is, it is still a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for myself, students, clients, potential clients, and anyone else in need of basic information. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity. Sometimes individuals need help with cybersecurity and investigations too.
10. Additional reading
- External Rules
- The Three Priority Cybercrime Threats
- Five Components for Policy Work
- Cybersecurity review and improvement for your organization - a checklist
- Bandler's Cybersecurity Tips
- My services page
- My books
This article is hosted at https://johnbandler.com/cybersecurity-laws-and-regulations-2/, copyright John Bandler, all rights reserved.
(This article will not be made available on Medium.com since it is a compilation of resources and a painful read).
Originally posted 7/26/2021. Last updated 11/05/2023.