Cybersecurity Laws and Regulations (Part 1)
This is the first of a two part article which focuses on legal rules relating to cybersecurity. Laws, regulations, and other legal requirements impose legal duties regarding cybersecurity, privacy, and investigation and reporting of cybercrime.
These rules can be complex, but important takeaways are:
- Every organization should have “reasonable cybersecurity” or better which they continually improve. This is to prevent cybercrime or other incident and comply with legal requirements.
- Organizations need a cybersecurity program (and policy)
- Cybercrimes need to be detected and investigated, and reporting may be required by law.
Understanding these rules is a part of good organization cybersecurity which requires evaluation of three important areas;
- Applicable rules (the focus of this article),
- Threats such as cybercrime, and
- Helpful guidance.
1. Overview of Laws
There are many laws and regulations that relate to cybersecurity, to include traditional legal concepts, cybersecurity specific rules, data breach reporting requirements, privacy laws, and more. Each organization needs to consider which of these external rules apply to them, and then evaluate what is needed to comply. After reviewing these external rules and threats, the organization needs to create “internal rules” that protect and properly align with the external rules.
Here is a quick list of the main legal requirements to consider:
- Criminal laws
- Negligence law
- Contract law
- Litigation — discovery and e-discovery
- Data disposal laws
- Data breach notification laws
- Cybersecurity laws
- Privacy laws
- Regulations (for regulated sectors and professions such as finance, medical, education, utilities, certain professions, those doing business with the government, and more).
I put regulations last since regulations apply only to specific regulated entities, and if you are not that type of organization, it doesn’t concern you. Despite being last on my list, consider that regulators led the way on creating important rules relating to cybersecurity, and now there are cybersecurity laws that apply to all.
A quick word on the difference between a law and a regulation which students and non-lawyers may find helpful. A law is enacted by a government unit (such as the federal government or a state government) by being passed by the legislative body (e.g., Congress) and then signed by the executive (e.g., the President or a Governor). In contrast, a regulation is issued by a regulatory body which has legal authority over certain sectors. Examples of regulators include the Federal Deposit Insurance Corporation (FDIC) and New York State Department of Financial Services (NYDFS). The regulator exists and has authority by virtue of a law, giving it the right to issue certain rules. Regulated organizations may hold a license which is overseen by the regulator, and to keep that license they need to follow the regulator’s rules.
2. Criminal Laws
Criminal laws are beyond the focus of this article, but since we are talking laws, it’s worth a mention. And it can be helpful for many to get a reminder of the difference between criminal and civil laws. Criminal laws can be used to bring cybercrime offenders to justice. Our criminal justice system provides for the toughest of actions and penalties that our legal system can impose — arrest and incarceration. Criminal laws applicable to cyber include traditional laws regarding theft and fraud plus [relatively] newer cybercrime specific laws. Criminal laws are enforced by police, investigators, agents, and prosecutors at the local, state, and federal levels. Unfortunately, cybercrime criminal investigation and enforcement lags far behind the rampant criminal activity, and is an area our government needs to improve upon. Obviously, organizations should ensure they do not violate any criminal laws.
3. Traditional Civil Laws
Before delving into newer laws created specifically to address the challenges of technology, we should review some longstanding legal principles that are important to the information age; negligence, contract, and litigation.
3.1 Negligence Law
Principles of negligence law hold that an individual or entity can be liable for failing to meet their duty of care. The elements of a cause of action for negligence are (i) duty, (ii) breach of that duty, and (iii) the breach of duty caused damages. Negligence law plus good business principles suggest that organizations should be diligent and reasonable, and never sloppy or negligent. In my teaching and writings, I often analogize cybercrime liability to premises liability and automobile accident liability. In short, consider the hypothetical where Organization A had negligent security which allowed Cybercriminal B to commit a crime and victimize Victim C. Victim C can’t sue Cybercriminal B (who can’t be identified and won’t come to court) so considers suing Organization A and alleging negligence.
3.2 Contract law
Contract law establishes that individuals and organizations may enter into agreements with each other that are legally binding and can be enforced by the courts.
The elements of a valid contract are
- Exchange of something of value (“consideration”), and
- The contract does not violate the law or principles of good society (“public policy”).
3.3 Litigation — Discovery & E-discovery
Ultimately our legal system exists to provide a mechanism to peacefully resolve disputes — a process ultimately done through litigation. A critical part of litigation is discovery (sometimes called disclosure) where parties exchange information prior to trial. In today’s digital age, electronic discovery (“E-discovery”) means enormous amounts of data must be sifted through, and this means reviewing storage of data, investigating where it might be found, and conducting digital forensics and analysis. Thus, every litigation — no matter the underlying subject — implicates cyber with legal rules regarding this evidence.
4. Cyber Specific Civil Laws — An Overview
In the historical evolution of cybersecurity and privacy laws of general application, the sequence was (essentially):
- Data disposal rules
- Data breach notification rules
- Cybersecurity rules
- Privacy rules.
Let’s talk about each.
4.1 Data disposal
The first arrival was data disposal laws, designed to reduce the incidents of organizations throwing out or selling old computers or paper files without first destroying any sensitive information within them. Where those discarded objects contained personal information of clients or customers, that was a violation of privacy. If I had to sum up these laws in a sentence, it would be “Don’t throw away other people’s data where others can find it — destroy it first!”
4.2 Data breach notification
Next came state data breach notification laws. Now, every state has data breach reporting laws which require organizations to report data breaches involving personal information of state residents. The organization must notify affected parties (those whose information was breached) and various state agencies. Every organization is subject to these data breach laws. These laws impose explicit duties to accurately notify and report, and this implies duties to monitor, detect, and properly investigate. I would sum up these laws thusly; “If a cybercriminal steals data you are holding, you must tell the people whose data got stolen, and tell the government”.
Then came state cybersecurity laws. Many states have implemented laws requiring that organizations implement certain cybersecurity measures. Some laws are general, some have details, but most recognize that cybersecurity is not “one size fits all” and thus the touchstone of these laws is “reasonable and diligent” cybersecurity. I would summarize these laws as follows; “Be reasonable and diligent securing your systems, especially the personal information you store”.
Next came privacy laws. Cybersecurity and privacy intersect greatly, and most privacy laws have components of cybersecurity, investigation, and reporting. Privacy governs data that organizations collect, store, share, and use. The European Union’s (EU) General Data Protection Regulation (GDPR) was a groundbreaking privacy law with many implications for the US. Then came the California Consumer Privacy Act (CCPA) and other states have followed suit. These laws essentially give consumers rights over their data, how that data is collected, stored, used, and shared.
4.5 State vs. federal
Most of the above rules that apply across sectors are state. There are federal rules for specific sectors (health, financial, education, etc.), but there is no federal law of general applicability regarding cybersecurity or data breach reporting, nor is there a specific federal privacy law. Bills have been brought, but nothing has passed (yet). But we need to mention the Federal Trade Commission (FTC) Act, which (among many other provisions) empowers the FTC to regulate unfair or deceptive trade practices. This power to regulate unfair and deceptive trade practices includes the principle that companies should have fair and clear privacy practices, hold data with a certain level of security (arguably) and not make deceptive claims about their level of security. Thus, the FTC is the primary federal enforcer of privacy rights.
State laws are enforced at the state level by each State’s Attorney General. Every state has its own attorney general, not to be confused with the Attorney General of the United States.
We will cover more details in Part 2, including the federal laws and regulations which apply to certain regulated sectors such as finance and health.
That concludes our summary of the basics of cybersecurity related laws. As you can tell, we have a rapidly evolving patchwork of laws and regulations regarding cybersecurity, privacy, and related issues. Part 2 of this article is less conversational (arguably slightly painful) but includes some important information as I start to list some of the specific laws and regulations with a brief summary and relevant links.
Each organization should look at all of the different rules it needs to comply with, and work to harmonize them. Different rules use different terminology and may impose both overlapping and unique requirements. Preventing cybercrime should be the priority for all organizations and this is also the underlying goal of most cybersecurity laws. If organizations can prevent a cybercrime then they are on their way towards compliance with those laws.
For a view on compliance, see my Three Platforms to Connect, and then the Fourth to align it with mission. My Four Pillars of Cybersecurity is an entry level cybersecurity framework for small businesses.
To learn more about cybercrime threats, see my article on the three priority threats which also links to more detailed articles on each: data breach, ransomware, and email-based funds transfer frauds.
If you are new to cybersecurity, read my Introduction to Cybersecurity and Information Security and if you are new to law, take a look at my Introduction to Law outline.
This is a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help with improving cybersecurity, protecting from cybercrime, and complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler’s Four Pillars of Cybersecurity.
This article is also hosted at my website at https://johnbandler.com/cybersecurity-laws-and-regulations-1/ where I also include links for additional reading, and it may be more current and with improved formatting.
Copyright John Bandler all rights reserved.
Posted to Medium on 8/3/2022 based on my earlier article. Last updated here on 8/3/2022.