A host of laws and regulations directly and indirectly govern the various cybersecurity requirements for any given business. Understanding how these laws and regulations impact a company’s need for security will help firms avoid costly lawsuits, loss of public trust and reputation, and unnecessary down time. However, legal compliance alone is not enough to make most companies truly secure. Companies will need to do much more to put themselves in a position to establish effective security. That being said, these laws and regulations can serve as a good starting point for establishing a company’s cybersecurity objectives because compliance with these laws is an absolute necessity in any cybersecurity plan.
Cybersecurity and privacy compliance are necessary for all firms, large and small, private and public. Small firms may be easier targets for hackers because they are less likely to have the time and resources to invest in cybersecurity. Unfortunately, small businesses are also less likely to be able to withstand a significant hack and the related legal and financial fallout. Companies in healthcare and other industries that collect sensitive information are required to invest in proper cybersecurity because of strict privacy laws and regulations from various government organizations and industry associations. Public companies are also faced with increased pressure to invest in cybersecurity to prevent unlawful security breaches that lead to illegal trading in the stock market. This article will cover the following topics and how they relate to Cyber Security:
One important distinction is that there are other cybersecurity frameworks that are not codified in law but rather are created and/or enforced by non-governmental entities. For example, the NIST or ISO 27001 cybersecurity frameworks are both widely used standards in many industries and government organizations. Companies might be required to comply with these frameworks by industry dynamics or by organizational partnerships with government or other entities. However, these certification and cybersecurity frameworks are not codified into law for all businesses.
This article’s purpose is to give firms and their leaders a starting point from which to build their understanding of the cybersecurity laws they need to comply with in order to run a successful business in the United States and beyond. This article does not provide an exhaustive list of all relevant laws and regulations, but instead is an introduction and overview of the laws related to cybersecurity. In order to become legally compliant, firms will need to apply these and other relevant laws to their individual business model. This article should not be construed as legal advice, but rather as a launching pad for building the knowledge business leaders need to talk intelligently with both their legal and cybersecurity teams.
Federal Cybersecurity Laws:
In the United States, the federal government has yet to pass laws that give a comprehensive treatment of cybersecurity. Instead, companies must learn to comply with a patchwork of other laws that are indirectly related to cybersecurity. While cybersecurity wasn’t originally included when these laws were written, many of these laws have been updated to include portions concerning cyber security. Many regulatory agencies have also released guidance that clarifies how cybersecurity standards are applicable under these laws. For example, healthcare laws require companies to guard protected health information (PHI) as well as electronic protected health information (ePHI). Other laws require companies to secure any personally identifiable information (PII) they have collected from their customers. Additionally, several laws have created requirements for companies in various areas of finance and investment. Companies should also consider that laws may cover them directly, or indirectly. In many cases, laws can apply to the organizations that have agreements with those that are directly covered. To comply with all of the laws and regulations, companies need to have cybersecurity measures in place, and those measures often need to meet certain standards. Details about the content and requirements of some of these federal laws and regulations are included below.
Health Insurance Portability and Accountability Act (HIPAA) of 1996
The Health Insurance Portability and Accountability Act was passed in 1996 with the purpose of creating a national set of standards requiring the entities involved in healthcare to protect the sensitive health-related and personal information of patients. Included in HIPAA is the security rule, which is most applicable to cybersecurity. The security rule covers the rules surrounding a covered entity’s responsibilities to put the correct technological and other safeguards in place to guard protected health information (PHI) as well as electronic protected health information (ePHI). Healthcare-related firms face constant cybersecurity threats that can lead to costly lawsuits, as demonstrated by Premera Blue Cross in the example below. Any firm that uses or has access to patient data can avoid unnecessary legal costs, and hits to their reputation, if they take the necessary steps to stay secure ahead of time. The example of Premera Blue Cross included below demonstrates how complicated and expensive a security breach can become. If a company does experience a data breach, that company is required to disclose this information to those that are affected. Breaches often lead to lawsuits and penalties assessed by the Department of Health and Human Services’ Office for Civil Rights (OCR).
One important aspect of HIPPA is understanding which companies are required to comply with the law. Many companies or organizations will be covered by the law directly. These organizations are referred to as covered entities (CEs). However, many other will also be held accountable if they have business associate agreements (BAAs). In other words, organizations that do business with or provide services for CEs where PHI is involved are also required to comply with HIPPA laws. Often BAAs are more widely applicable, and more of a concern for companies who make them, because the agreements expose them to additional legal risk.
In May 2014, Premera Blue Cross experienced a significant cybersecurity breach. Hackers used a phishing email to install malware in the company’s system. The threat went undetected for 9 months and was finally discovered in January of 2015. The breach exposed the data of over 10.4 million patients. The Department of Health and Human Services Office for Civil Rights (OCR) decided to impose the second largest penalty of all time of $6.85 million, which doesn’t include the costs of other lawsuits and legal fees faced by the company. Two of the lawsuits reached settlements of $10 million and $74 million. The costs of this data breach go well beyond the financial cost of lawsuits. As part of the agreements with the OCR, the company also agreed to establish the necessary systems to become compliant. In addition to the penalties, lawsuits, and required investments, the company also took a significant hit to its reputation.
Children’s Online Privacy Protection Act of 1998
The Children’s Online Privacy Protection Act (COPPA) is intended to protect children under 13 years of age by giving their parents control over how their information is shared. If a website or internet service is targeted at children who are under 13 years of age, they are required to follow certain rules. This includes any service designed to be used by children including websites, apps, online video games, and any other service provided that includes a connection to the internet. Providers of these services are required to follow a set of specific rules regarding how they interact with their young users. The Federal Trade Commission provides resources to businesses that are attempting to come into compliance with COPPA. One of these resources is a six-step guide to becoming compliant.1 COPPA violations can be expensive, with the YouTube example below being the largest settlement the FTC has ever had with a company for violating this law.
In 2019, Google and its subsidiary YouTube faced allegations from the Federal Trade Commission (FTC) and the New York Attorney General. The FTC alleged that YouTube had violated COPPA by collecting information about children without parental consent. In the past, YouTube had claimed that the site was directed at a general audience. However, many YouTube channels were clearly directed at children. These channels violated COPPA by collecting the data of the children who were watching their videos. The data were collected by tools such as persistent trackers, which monitor the user’s subsequent internet browsing habits in order to show targeted advertisements. The FTC’s report on this lawsuit included the following quote from FTC Chairman Joe Simons—
YouTube touted its popularity with children to prospective corporate clients […] Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.2
In the end, YouTube and Google settled with the FTC and New York in the largest settlement for a COPPA case in the law’s history. In total, Google and YouTube paid $136 million to the FTC and $34 million to New York for the violations. The cost of this settlement is put into context in Figure 1, which shows the cost of other privacy lawsuits Google has faced.
Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act (GLBA) established rules regarding how financial institutions use the information of their customers. The law applies to any and all firms that are “significantly engaged” in providing financial products and/or services to customers. Under GLBA, companies are required to inform consumers of their data-sharing practices and give customers an opportunity to opt out of any of the data-sharing practices a firm might have with non-affiliated third parties. Penalties are assessed on a per violation basis. The liability can rest on both the institution as well as the managers and directors personally. Resources are available for companies to ensure they are following this law correctly.
In 2016, the Federal Trade Commission (FTC) began investigating Venmo for potential lack of compliance. The investigation ended up as a lawsuit that alleged several problems. The FTC claimed Venmo had misinformed users about its services. The suit clarified that Venmo had told users that funds were ready to be transferred to their bank account but did not adequately disclose that those transactions could still be frozen or removed. Another claim made by the FTC was that Venmo had misled consumers regarding the extent of control consumers had over the privacy of their information, putting the company in violation of the GLBA. The FTC stated the following–
In addition, the Commission alleges that Venmo violated the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to implement safeguards to protect the security, confidentiality, and integrity of customer information, and Privacy Rule, which requires financial institutions to deliver privacy notices to customers.4
Venmo reached a settlement with the FTC that gave Venmo 150 days to come into compliance. Subsequent violations could result in fines.
Sarbanes Oxley Act of 2002
The Sarbanes Oxley Act (SOX) requires companies to have internal security controls in place. While the law is broad in its scope, it also applies to cybersecurity. Under SOX, public companies are required to be able to demonstrate they have adequate security systems in place that will protect sensitive information, including data and information included in official company reports and statements.
Federal Information Security Management Act (FISMA) of 2002 & Federal Information Security Modernization Act (FISMA 2014) of 2014
The Federal Information Security Management Act was first passed in 2002. The law was then amended by the Federal Information Security Modernization Act (FISMA 2014) in 2014. The law was originally created to govern the cybersecurity of federal agencies. However, the provisions of the law have also been extended to other organizations, including any firm that does business with the federal government. The standards for compliance are set by the National Institute of Standards and Technology (NIST), which has a variety of resources available on its website to guide businesses working to become compliant.
Cybersecurity Information Sharing Act (CISA) of 2015
The Cybersecurity Information Sharing Act (CISA) of 2015 has two main provisions. The first is that firms are allowed to monitor and implement defensive measures on their own information systems. With written consent, firms can also do the same for other parties. The second provision is to provide protections for firms that make it easier to share relevant information about cybersecurity threats with the government. Under certain circumstances and conditions, the protections in this law include “liability, non-waiver of privilege, and protections from FOIA disclosure,”5 which can be significant for certain businesses. Any information shared with the government under this law must meet certain standards, including the removal of all personal identifying information. The Department of Homeland Security and the Department of Justice have released guidance on how the private sector can comply with CISA.
Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program is a federal program that is currently responsible for authorizing and providing guidance to government entities that want to switch to, or use, cloud-based solutions as part of their operations. While FedRAMP standards are not currently considered law, they might soon be codified into law by the National Defense Authorization Act. This new law would make it possible for this program to certify agencies more quickly, and thus make the government and its programs more efficient and secure.
Federal Cybersecurity Regulation and Guidance
Several federal agencies have released guidance in an attempt to improve cybersecurity and set standards for businesses in their respective areas. The guidance offered by these agencies ranges widely in its specificity but can serve as a great starting point for companies looking to go beyond the minimum legal requirements. Two of the most prominent pieces of guidance are the SEC’s guidance for cybersecurity and the federal action regulation system.
Over the past decade, the Securities and Exchange Commission (SEC) has released several pieces of guidance to companies relating to cybersecurity. The SEC has stated on various occasions that cyber-related threats are some of the most significant problems facing modern investors. As such, the SEC has taken steps to try and help companies understand how to create proper security measures. The SEC has also pursued disciplinary actions against many companies and individuals for cyber-related misconduct. On its website, the SEC keeps a list of cyber-related legal actions taken against individuals and other entities.6 These listed actions include enforcement in areas such as digital and initial coin offerings, account intrusions, hacking, insider trading, market manipulation, privacy controls, and public disclosures.
One significant piece of guidance from the SEC was released in 2011. This guidance clarified that “although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”7 In other words, cybersecurity information is important enough to be considered material and needs to be shared with investors. For example, investors may need to know that the firm has a security strategy in place, what the relevant threats are, how past breaches have impacted the business, and how future breaches may hurt the firm. The SEC guidance provides an explanation of how firms can successfully disclose the proper amount of information without creating new cybersecurity threats by revealing too much. Since the release of this guidance, many public companies have increased their disclosure of relevant cybersecurity risks. A 2019 study done by EY showed that 9 in 10 public companies now include cybersecurity in the risk oversight section of their proxy statements.8
On February 21, 2018, the SEC approved an interpretive release that provides further guidance regarding cybersecurity disclosures.9 This document reaffirms the importance of cybersecurity and provides a more in-depth framework to help companies establish the proper processes and protocols that will help them disclose cybersecurity related threats and security breaches. For example, the SEC reminds companies that knowledge of a cybersecurity breach is considered material information, and that insiders with the knowledge of an incident can’t trade stock until the information has been disclosed to the public. The document also establishes guidelines about which information is considered material and provides guidelines on when disclosures should be made.
The SEC makes cybersecurity a top concern in many other ways as well. For example, the Office of Compliance Inspections and Examinations (OCIE), a division of the SEC, lists information security as a top concern for companies in its annual examination priorities.10 In 2017, the Enforcement division of the SEC also established a “Cyber Unit” dedicated to targeting, identifying, and enforcing cyber-related standards.11
Federal Acquisition Regulation System
The Federal Acquisition Regulation System is a set of rules that governs government purchases in the United States. These rules include a variety of requirements for government contractors. Contractors have to follow these rules or they risk losing the government’s business. In terms of cybersecurity, these rules include several requirements for the systems and security needed within a company. The rules specify what information can and cannot be shared, when companies are required to report cyber-related incidents, and which standards companies need to uphold for cybersecurity.12 These rules go beyond those required by the more general federal law.
State Cybersecurity Laws
In addition to the federal laws and regulations, a number of states have passed their own more comprehensive cybersecurity laws. These laws increase each company’s responsibility for cybersecurity, regardless of where they do business. For example, all fifty states now have laws regarding disclosure of a cybersecurity breach. However, these laws differ in several important ways. For example, different states have different requirements regarding what is considered private personal information. States may also have different requirements for the time window in which a notification must be sent to the customer. Some states also require companies to notify state agencies after a cybersecurity breach. These nuances need to be tracked carefully by every company doing business in each state. To add to this legal complexity, many states require companies to comply with the laws of the state in which their customers reside. Thus, avoiding a geographical extension of a business doesn’t necessarily preclude the legal extension of that firm’s compliance responsibilities.
Many states have passed cybersecurity laws, but two states in particular are often cited as the leaders in the area of cybersecurity laws—California and New York.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act created several new requirements for companies operating in California, including the first IoT (internet of things) law passed in the United States. The new IoT law requires companies to embed “reasonable cybersecurity measures” in their IoT devices. While the law provides some specifics, critics of the law say that it is not effective because of its vague descriptions and lack of specific penalties for non-compliance.
California Privacy Rights and Enforcement Act (CPRA)
Often referred to as the CCPA 2.0, the CPRA was recently passed by California voters, and it will take full effect in January of 2023. This new law introduces even more stringent requirements on companies regarding information privacy. In this law, any business that crosses certain thresholds will be responsible to comply. These thresholds include numbers regarding the number of consumer records collected or shared, and how the information is used. The law created a new class of protected information called sensitive personal information (SPI). By law, this includes personal information such as Social Security number, driver’s license, passport, financial account numbers, race, ethnicity, religion, union membership, personal communications, genetic data, health information, and sexual orientation. The law gives consumers the right to restrict how these data are shared. This law also created a new enforcement organization, the California Privacy Protection Agency, which will be responsible for enforcing the law, creating guidance, and making rules. The law also raised the fines for violations against children. Overall, the CPRA is often compared to the European Union’s general data protection regulation (GDPR)13, which defines and restricts the use of SPI in a similar fashion.
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act of 2019
The SHIELD act in New York requires any firm doing business in New York to have reasonable administrative, technical, and physical safeguards for personal information tracked by the company. The law clearly lays out the definitions and requirements of what constitutes personal information and how companies can come into compliance with each of these three areas. The New York Attorney General can prosecute cases of non-compliance with a penalty of up to $5,000 for each violation. The law also includes requirements for companies to disclose cybersecurity breaches to those whose information was accessed.
California and New York are only two examples of the various state laws with which companies need to comply. Each firm will need to consider where it is doing business, how it might interact with residents from another state, and then comply with all the relevant state laws. Resources are available to companies seeking to understand and comply with the various state laws. For example, the National Conference of State Legislators website has a compilation of all state cybersecurity breach notification laws.14
New York State Department of Financial Services Cybersecurity Regulations
The New York State Department of Financial Services (NYDFS) has a variety of regulations that are enforced on financial and related institutions in the state of New York. These regulations are varied and specific, including aspects such as risk assessments and documentation. The entities covered by these regulations include firms such as credit unions, health insurers, investment companies, licensed lenders, and mortgage brokers.15
International Cybersecurity Laws
In addition to the various state laws across the United States, global companies must adjust their cybersecurity measures to comply with international laws. Other countries have different standards, and in many instances, these standards require a company to implement new security systems and processes. One of the most prominent examples of international cybersecurity law is the European Union’s (EU) rules of cybersecurity. The EU has passed a number of regulations for all EU states to follow. These laws are applicable to any business that has a presence in or does business with residents of the EU.
EU Cybersecurity Act
The EU passed the Cybersecurity Act, which strengthened the European Network and Information Security Agency (ENISA). ENISA was founded in 2004, and is the European Union’s agency that covers cybersecurity. The agency is responsible for helping EU countries navigate cybersecurity issues and provides resources and frameworks for countries to follow. Another significant part of the EU Cybersecurity Act is that it established a certification framework. This framework provides guidelines about acceptable cybersecurity practices.
General Data Protection Regulation (GDPR)
The GDPR was created to help protect the personal information of citizens within the European Union. The regulation requires member states to meet certain certifications, establish an authority on cybersecurity certification, and establish penalties for violations or infringement of the certification schemes. Whether or not a company is located in the EU, the GDPR regulates all businesses that use, process, or store personal data from EU residents. The regulation also goes beyond most laws in the United States in terms of what it classifies as personal, protected information. This includes data such as location, IP address, cookie data, and RFID tags in addition to other information such as biometric data, racial or ethnic data, political opinions, or sexual orientation. The EU website about GDPR serves as a “Complete guide to GDPR compliance”16 and has posted the entire set of regulations along with checklists and guidance on how to become compliant.
Summary and Key Takeaways
Cybersecurity is a rapidly changing and developing field. While legislation has lagged behind the development of technology, it is likely that new laws will continue to be passed regarding cybersecurity and personal privacy. Every company should ensure that its managers are aware of and complying with all federal, state, and international cybersecurity laws that apply to their business. Companies should also continue to research and stay up to date in their efforts to remain secure and compliant as new laws are passed. However, in the end, knowledge of the relevant laws and regulations won’t do anything for a business that doesn’t make meaningful and lasting changes to become both compliant and reliably secure. As Steven Chabinsky, the Chief Risk Officer at CrowdStrike, explained, “If the response to that security breach is a government mandate to build a 40-foot wall, and I spent my money on that, then the attackers buy a 50-foot ladder. Where does it end?”17 In other words, compliance is likely not enough. Companies should continue to build on the systems and processes until they are truly secure. Building a stable and long-term cybersecurity strategy will allow businesses to build a stable and long-term future of success for the company, its customers, and its employees.
- Department of Justice: “Cybersecurity Unit.” 3 Dec 2020.
- Centers for Medicare and Medicaid Services: “HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules.” Sep 2018.
- Department of Health and Human Services: “Summary of the HIPAA Privacy Rule.” 26 Jul 2013.
- Centers for Disease Control and Prevention: “Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Accessed 1 Feb 2021.
- HIPPA Journal: “OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross.” 28 Sep 2020.
- McAfee: “GLBA Compliance Requirements.” Accessed 1 Feb 2021.
- Federal Trade Commission: “PayPal Settles FTC Charges that Venmo Failed to Disclose Information to Consumers About the Ability to Transfer Funds and Privacy Settings; Violated Gramm-Leach-Bliley Act.” 27 Feb 2018
- Federal Trade Commission: “FTC Gives Final Approval to Settlement with PayPal Related to Allegations Involving its Venmo Peer-to-Peer Payment Service.” 24 May 2018.
- Karp, Brad S. Harvard Law School Forum on Corporate Governance: “Federal Guidance on the Cybersecurity Information Sharing Act of 2015.” 3 Mar 2016.
- The Department of Homeland Security & The Department of Justice: “Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015.” 15 Jun 2018.
- Arampatzis, Anastasios. The State of Security: “What Is the EU Cybersecurity Act and What Does It Mean for US-Based Businesses?” 30 Aug 2020.
- European Commission: “The EU Cybersecurity Act.” Accessed 1 Feb 2021.
- European Commission: “The EU cybersecurity certification framework.” Accessed 1 Feb 2021.
- European Union Agency for Cybersecurity: “About ENISA – The European Union Agency for Cybersecurity.” Accessed 1 Feb 2021.
- Nadeau, Michael. CSO: “General Data Protection Regulation (GDPR): What you need to know to stay compliant.” 12 Jun 2020.
- Sysman, Dean. Forbes: “California’s IoT Security Law: Why It Matters And The Meaning Of ‘Reasonable Cybersecurity’.” 20 Nov 2019.
- Ognibene, Mary F. McConville Considine Cooman and Morin Attorneys and Councilors at Law: “THE SHIELD ACT – New York State Cybersecurity Law Updates.” 25 Feb 2020.
- The Federal Trade Commission. “Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business.” Accessed 1 Feb 2021.
- Federal Trade Commission: “Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law.” 4 Sep 2019.
- Federal Trade Commission: “Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law.” 4 Sep 2019.
- Federal Trade Commission: “PayPal Settles FTC Charges that Venmo Failed to Disclose Information to Consumers About the Ability to Transfer Funds and Privacy Settings; Violated Gramm-Leach-Bliley Act.” 27 Feb 2018.
- Harvard Law School Forum on Corporate Governance: “Federal Guidance on the Cybersecurity Information Sharing Act of 2015.” 3 Mar 2016.
- Securities and Exchange Commission: “Cyber Enforcement Actions.” Accessed 1 Feb 2021.
- Securities and Exchange Commission: “CF Disclosure Guidance: Topic No. 2.” Accessed 1 Feb 2021.
- EY: “What companies are sharing about cybersecurity risk and oversight.” 1 Oct 2019.
- Securities and Exchange Commission: “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” Accessed 1 Feb 2021.
- Securities and Exchange Commission Office of Compliance Inspections and Examinations: “2020 Examination Priorities.” Accessed 1 Feb 2021.
- Securities and Exchange Commission: “SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors.” 25 Sep 2017.
- Cornell Law School Legal Information Institute. “48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting.” Accessed 1 Feb 2021.
- Banyai, Peter; Batya Forsyth; William Kellermann. JS Supra: “California Consumer Privacy Act 2.0 – What You Need to Know.” 27 Nov 2020.
- National Conference of State Legislatures. “Security Breach Notification Laws.” 17 Jul 2020.
- Varonis: “NYDFS Cybersecurity Regulation in Plain English.” Accessed 25 May 2021.
- GDPR.eu: “Complete guide to GDPR Compliance.” Accessed Feb. 15, 2021.
- Bradley, Stu. SAS: “Data management for cybersecurity: Know the essentials.” Accessed Feb. 2, 2021.