Cybersecurity Laws and Regulations (Part 1)

  1. Every organization should have “reasonable cybersecurity” or better, which it continually improves. This is to prevent cybercrime and other incidents and to comply with legal requirements.
  2. Organizations need a cybersecurity program (and policy).
  3. Cybercrimes need to be detected and investigated, and reporting may be required by law.

  1. Applicable rules (the focus of this article),
  2. Threats such as cybercrime, and
  3. Helpful guidance.

1. Overview of Laws

There are many laws and regulations that relate to cybersecurity, including traditional legal concepts, cybersecurity-specific rules, data breach reporting requirements, privacy laws, and more. Each organization needs to consider which of these external rules apply to it, and then evaluate what is needed to comply. After reviewing these external rules and the threats, the organization needs to create “internal rules” that protect it and properly align with the external rules.

Cybersecurity and Privacy Law
  • Criminal laws
  • Negligence law
  • Contract law
  • Litigation — discovery and e-discovery
  • Data disposal laws
  • Data breach notification laws
  • Cybersecurity laws
  • Privacy laws
  • Regulations (for regulated sectors and professions such as finance, medical, education, utilities, certain professions, those doing business with the government, and more).

2. Criminal Laws

Criminal laws are beyond the focus of this article, but since we are talking about laws, they are worth a mention, and it can be helpful for many to get a reminder of the difference between criminal and civil laws. Criminal laws can be used to bring cybercrime offenders to justice. Our criminal justice system provides for the toughest actions and penalties that our legal system can impose — arrest and incarceration. Criminal laws applicable to cyber include traditional laws regarding theft and fraud plus [relatively] newer cybercrime-specific laws. Criminal laws are enforced by police, investigators, agents, and prosecutors at the local, state, and federal levels. Unfortunately, cybercrime criminal investigation and enforcement lag far behind the rampant criminal activity, and this is an area our government needs to improve upon. Obviously, organizations should ensure they do not violate any criminal laws.

3. Traditional Civil Laws

Before delving into newer laws created specifically to address the challenges of technology, we should review some longstanding legal principles that are important to the information age: negligence, contract, and litigation.

  1. Offer,
  2. Acceptance,
  3. Exchange of something of value (“consideration”), and
  4. The contract does not violate the law or principles of good society (“public policy”).

4. Cyber Specific Civil Laws — An Overview

In the historical evolution of cybersecurity and privacy laws of general application, the sequence was (essentially):

  • Data disposal rules
  • Data breach notification rules
  • Cybersecurity rules
  • Privacy rules.
That concludes our summary of the basics of cybersecurity-related laws. As you can tell, we have a rapidly evolving patchwork of laws and regulations regarding cybersecurity, privacy, and related issues. Part 2 of this article is less conversational (arguably slightly painful) but includes some important information, as I start to list some of the specific laws and regulations with a brief summary and relevant links.

Additional reading

This article is also hosted at my website at where I also include links for additional reading; that version may be more current and have improved formatting.

John Bandler

Cybersecurity, cybercrime prevention, privacy, law, more. Attorney, consultant, author, speaker, teacher. Find me at