Cybersecurity Laws and Regulations (Part 2 of 2) by John Bandler

This is part two (the final part) of an article about legal rules relating to cybersecurity. Laws, regulations, and other legal requirements impose legal duties regarding cybersecurity and the investigation and reporting of cybercrime. Cybersecurity meshes with privacy, so I cover privacy laws too.

If you haven't already, I suggest you first read Part One of this article.

This second part is less conversational but contains important information: I list some of the specific laws and regulations, each with a brief summary and relevant links.

Each organization should look at all of the different rules it needs to comply with, and work to harmonize them. Different rules use different terminology and may impose both overlapping and unique requirements.

5. Cybersecurity (and Privacy) Laws and Regulations – A Partial Listing

Now that you have an overview of important and general legal concepts, I will list some important laws and regulations that relate to cybersecurity and privacy.

5.1 Laws of General Applicability for Data, Cybersecurity and Breach Notification

These are laws that apply generally regardless of the specific sector of the organization.

Generally, these are state laws that relate to data breach reporting, cybersecurity, privacy, and data disposal. For an excellent listing of all these state laws, see these webpages from the National Conference of State Legislatures (NCSL):

Some larger law firms have compiled excellent lists of all of these state laws. I will not try to compete with them, but merely list a few.

5.1.1 NY Laws: Data, Cybersecurity, and Breach Notification

New York’s SHIELD Act (passed in 2019) strengthened existing data breach notification rules and imposed a new “reasonable cybersecurity” requirement. SHIELD stands for “Stop Hacks and Improve Electronic Data Security Act,” and I will save the word count by not commenting further. Thus, New York has a requirement for reasonable cybersecurity, incident response (including cybercrime investigation), and data breach notification to state government agencies and affected parties. The SHIELD Act is found within the New York State General Business Law (“GBL” or “GBS”) §899-aa and §899-bb.

Sections and links include:

5.1.2 District of Columbia Laws for Cybersecurity and Breach Notification

The District of Columbia also recently created a security requirement (effective in 2020) to supplement its existing data breach notification requirement. These laws are within the District of Columbia Consumer Security Breach Notification Act, found at D.C. Code § 28-3851 et seq., https://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/

The relevant sections are:

  • 28-3852. Notification of security breach. This section indicates that if “personal information” is breached, the organization must notify the person whose information was breached and the DC Attorney General, and specifies additional details.
  • 28-3852.01. Security requirements (this became effective June 17, 2020). This section requires the organization to have “reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.”

5.1.3 Connecticut Laws for Cybersecurity and Breach Notification

Of course, Connecticut (like every other state) has its own breach notification law. An amendment to the breach notification law (passed in June 2021 and effective 10/1/2021) imposes additional duties for breach notification. Connecticut law also imposes duties to properly safeguard personal information stored by an organization. A recent law (also effective 10/1/2021) provides a certain safe harbor from certain types of civil liability following a cybercrime or other incident if an organization properly adopts a respected cybersecurity framework (see my article on cybersecurity frameworks coming soon).

Below are some citations and links to the CT statutes.

  • CT General Statutes, §42-471, Safeguarding of personal information. Social Security numbers. Privacy protection policy. Civil penalty. https://www.cga.ct.gov/current/pub/chap_743dd.htm#sec_42-471 (requires the safeguarding of personal information).
  • CT General Statutes, §36a-701b, Breach of security re computerized data containing personal information. Notice of breach. Provision of identity theft prevention services and identity theft mitigation services. Delay for criminal investigation. Means of notice. Unfair trade practice, https://cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b (data breach reporting requirements, if personal information is breached, organization must notify those people whose data was breached, and the CT Attorney General). Note a recent amendment effective October 1, 2021 (See Public Act No. 21-59, Substitute House Bill No. 5310. https://www.cga.ct.gov/2021/ACT/PA/PDF/2021PA-00059-R00HB-05310-PA.PDF).
  • CT Public Act No. 21-119, Substitute House Bill No. 6607, https://www.cga.ct.gov/2021/ACT/PA/PDF/2021PA-00119-R00HB-06607-PA.PDF (effective 10/1/2021) encourages organizations to adopt a respected cybersecurity framework, and in exchange shields the organization from certain civil liability if it is a victim of a cybercrime.
  • CT General Statutes § 38a-999b, Health Insurer specific security requirements, repealed effective 10/1/2021.

5.2 Laws of General Applicability for Privacy

Privacy laws impact information governance and almost always include information security requirements. The International Association of Privacy Professionals (IAPP) is a non-profit organization that has excellent information on privacy and offers a variety of privacy certifications, including the Certified Information Privacy Professional/United States (CIPP/US) (I hold this certification).

5.2.1 General Data Protection Regulation (GDPR)

The European Union (EU) has always had strong privacy protections, and enactment of their General Data Protection Regulation (GDPR) created strong protections for EU citizens and imposed requirements that affected countries outside of the EU. U.S. organizations must be mindful of GDPR and careful not to violate its provisions when interacting with EU citizens. Other countries around the world and many states in the U.S. have followed the lead of GDPR by enacting their own privacy legislation.

Key terms of GDPR include:

  • Data Subject (a person)
  • Personal data (data about the data subject)
  • Data Controller (entity controlling personal data)
  • Data Processor (entity processing personal data on behalf of the controller)

Key provisions of GDPR include:

  • Cybersecurity (Information security)
  • Consent
  • Notice
  • Breach notification
  • Right to access data
  • Right to correct inaccurate information
  • Right of portability of data (transfer)
  • Right to be forgotten (erasure)

The text of GDPR can be found through https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

5.2.2 The Federal Trade Commission (FTC) Act

The Federal Trade Commission has some limited capabilities to investigate and enforce against unfair or deceptive trade practices, which could include false promises about privacy or security, and perhaps even negligent cybersecurity. Its main authority is under FTC Act § 5(a), 15 U.S.C. § 45(a)(1). The FTC also has authority over certain organizations under other laws, such as GLBA. For more information on the FTC and its powers, see:

5.2.3 California

California led the way in U.S. privacy laws with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). More information is below.

5.2.4 Other states

Colorado has a privacy law called the Colorado Protections for Consumer Data Privacy Act (PCDPA).

Virginia has a new privacy law called the Virginia Consumer Data Protection Act (CDPA).

There is much proposed legislation as well. Of course, pending legislation does not have any legal effect unless and until it becomes a law.

5.2.5 Privacy Policies

While we are discussing privacy rules, let’s revisit the concept that a privacy policy can constitute a legally binding contract between the organization and its customer, client, or user. It is also a promise from the organization which, if false, could be considered an unfair or deceptive trade practice. The privacy policy should comply with applicable laws and regulations, and the organization should abide by its privacy policy.

5.3 Cybersecurity (and Privacy) Regulations & Rules for Certain Sectors

There are cybersecurity regulations that apply only to specific sectors. Laws of general applicability (prior sections) may still apply to regulated sectors, though often the sector regulations impose greater duties. A regulator has authority to enforce certain statutes or rules upon certain types of organizations. Thus, each organization needs to know who its regulators are and what rules it needs to comply with. Most regulators impose some type of rule relating to cybersecurity and privacy.

5.3.1 Financial Sector

The financial sector is heavily regulated, and for good reason. Instability or a collapse could cripple our economy and affect public safety and national security. Financial regulations cover a wide swath of topics to ensure the safety and soundness of a financial institution, protect consumers, and ensure good information security and privacy practices. There are a dizzying number of federal financial regulators, which have collaborated to create the Federal Financial Institutions Examination Council (FFIEC), which in turn has rules for information security, technology, and more. On top of that, each state may have its own financial regulator.

5.3.1.1 Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) (also known as the Financial Services Modernization Act of 1999) is a federal law that created privacy and information security requirements for financial institutions. GLBA’s implementation rules include the Safeguards Rule (to protect consumer information) and the Privacy Rule (regarding disclosure of consumers’ personal information).

5.3.1.2 Federal Financial Institutions Examination Council (FFIEC)

The Federal Financial Institutions Examination Council (FFIEC) establishes common standards for many financial sector regulators, including requirements for cybersecurity. Some of these rules may arise from GLBA, others from broader regulatory authority over safety, soundness, and consumer protection. Among the FFIEC rules and guidance are the FFIEC Audit IT Examination Handbook and the Cybersecurity Assessment Tool (CAT).

5.3.1.3 Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002 (SOX) is a federal law for publicly traded companies – companies listed on a stock exchange. SOX requires publicly traded companies to have proper internal control structures in place to validate that their financial statements accurately reflect their financial results, thus requiring controls over information systems. SOX is overseen by the Securities and Exchange Commission (SEC).

5.3.1.4 New York Cybersecurity Requirements for Financial Services Companies

The New York State Department of Financial Services (DFS) issued a rule pursuant to its rulemaking authority requiring certain cybersecurity measures by financial services companies within NY. This is DFS Rule 500, Cybersecurity Requirements for Financial Services Companies, 23 NY Codes, Rules and Regulations (NYCRR) Part 500.

5.3.1.5 Partial Listing of Financial Regulators

Below is a partial listing of some financial regulators, each of which will impose requirements for cybersecurity and privacy upon those organizations they regulate.

  • Federal Financial Institutions Examination Council (FFIEC) (see the earlier section too, since they issue their own robust guidance)
  • Federal Deposit Insurance Corporation (FDIC)
  • Office of the Comptroller of the Currency (OCC)
  • the Federal Reserve System (the Fed)
  • National Credit Union Administration (NCUA)
  • Consumer Financial Protection Bureau (CFPB)
  • Securities and Exchange Commission (SEC)
  • Financial Industry Regulatory Authority (FINRA)
  • New York Department of Financial Services (NY DFS)

5.3.2 Health Sector

The health sector needs to comply with laws and regulations to protect patient health and other personal information, and to ensure our health sector is protected from cyberattack or natural disaster. The federal privacy and security laws are the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH). And (of course) there are state laws and regulations. There are privacy rules, security rules, and breach reporting requirements relating to protected health information (PHI). HIPAA was one of the earliest laws to protect personal information and privacy. I remember when HIPAA went into effect in 1998, I was a state trooper and the new law meant new procedures to gather evidence to support an assault case, such as obtaining a HIPAA waiver from an assault victim to obtain their medical records.

Federal regulation is done by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). States may do their own regulation.

5.3.3 Educational Sector

The Family Educational Rights and Privacy Act (FERPA) is a federal law protecting the privacy and security of student education records. See 20 U.S.C. §1232g and 34 CFR Part 99. FERPA applies to any school that receives funding from the U.S. Department of Education (ED or DoEd), which is most public schools.

5.3.4 Utilities

Utilities are regulated as well, since they are critical infrastructure that needs to be kept running smoothly. Utility regulators impose requirements regarding cybersecurity and privacy, and they include:

  • Federal Communications Commission (FCC)
  • Federal Energy Regulatory Commission (FERC)
  • State regulators

5.3.5 Certain Licensed Professions

Any profession that is licensed comes with requirements to keep that license. For some professions, those rules extend to cybersecurity or privacy.

Doctors need to follow HIPAA and HITECH and related rules of doctor-patient confidentiality.

Attorneys have rules too relating to their duties of competence, confidentiality, diligence, and more. I compiled resources for this recent attorney continuing legal education (CLE) presentation.

5.3.6 Doing Business with the Federal Government

Organizations that do certain business with government may be contractually obligated to comply with certain cybersecurity rules. States may have rules, and the federal government definitely does. The federal government has rules about how it will secure its own information assets, and this extends to the organizations that provide goods and services for the government.

First, let’s mention the May 2021 White House Executive Order on Cybersecurity. This touches on some really difficult cyber issues we are facing, and which I discuss in my books.

The Federal Information Security Management Act (FISMA) gives authority to the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) regarding information security in federal agencies and contracting.

Federal Risk and Authorization Management Program (FedRAMP) was developed with the National Institute of Standards and Technology (NIST) to create a standardized security framework for federal government use of cloud services. FedRAMP is based upon other NIST publications, including NIST 800-53 (see my frameworks article).

The Defense Federal Acquisition Regulation Supplement (DFARS) from the Department of Defense (DoD) has cybersecurity rules regarding defense contractors. The applicable section is DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting).

The Internal Revenue Service (IRS) issued Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Safeguards for Protecting Federal Tax Returns and Return Information. As the title indicates, this is to provide guidance for federal, state, and local government agencies to protect the security and privacy of tax information.

The Federal Bureau of Investigation (FBI) maintains the Criminal Justice Information Services (CJIS), which has a repository of criminal justice information, much of which is confidential. Law enforcement agencies that are provided access must ensure their security is sufficient and certify that it is. I remember during my 20 years in law enforcement I needed to annually certify and pass a test regarding my responsibilities to safeguard this information and the systems.

Conclusion & Additional Reading

As you can tell, we have a rapidly evolving patchwork of laws and regulations regarding cybersecurity, privacy, and related issues.

I welcome your feedback on both parts of this article including suggestions to improve it or additional laws or regulations to mention.

As long as this article is, it is still a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for myself, students, clients, potential clients, and anyone else in need of basic information. It is not legal advice nor consulting advice, and is not tailored to your circumstances.

If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity. Sometimes individuals need help with cybersecurity and investigations too.

References: Some additional helpful articles and resources on this site include:

This article is hosted at https://johnbandler.com/cybersecurity-laws-and-regulations/, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at TO BE POSTED SOON (though perhaps not updated as frequently).

Originally posted 7/26/2021. Last updated 7/29/2021.