Federal Cybersecurity and Privacy Laws Directory

• Control environment: A set of standards, processes, and structures to provide the basis for applying internal controls across the organization.
• Risk assessment: This dynamic, iterative process identifies stumbling blocks to achieving the company's strategic objectives and forms the basis for determining how risks will be managed.
• Control activities: Policies and procedures to help make sure that management's directives to mitigate risks to the organization’s objectives are carried out.
• Information and communication: Relevant and quality information supports the internal control process. Management needs to continually obtain and share this information with people inside and outside of the company.
• Monitoring: Management should routinely evaluate whether each of the five components of internal controls is present and functioning.

• Ensure the security and confidentiality of customer records and information
• Protect against any anticipated threats or hazards to the security or integrity of customer records and information
• Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer
• Provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their rights
• Limit disclosures to third parties and reuse
• Properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal

• Identify, detect, and respond to any pattern, practice, or specific activity that indicates the possible existence of identity theft (red flags).
• The program must involve the board of directors or a designated senior manager empowered to train staff to effectively implement the program. The board or the manager must also maintain effective oversight of the program.

Penalties and enforcement:

Penalties for violation could be in excess of $1 million. There is also the possibility of termination of FDIC insurance, which could mean the end of the business for a financial firm.

Compliance:

The methods to achieve compliance are set out in the Interagency Guidelines Establishing Information Security Standards (12 CFR Appendix B to Part 30) (see also Federal Reserve Regulations).

These rules were later the basis for rules established under the Federal Information Security Management Act of 2002 (FISMA), and in the HIPAA Security Standards issued by the Department of Health and Human Services. The Security Rule is similar to many recognized cybersecurity frameworks. It requires financial institutions to do the following:

• Involve the board of directors
• Conduct a risk assessment
• Apply risk management and controls
• Conduct regular staff training
• Obtain oversight of service providers
• Implement a written security incident response plan
• Apply periodic reviews and updates

The law also institutes a Privacy Rule. The Privacy Rule (12 CFR 1016) requires financial institutions to undertake certain activities to protect consumer rights.

Enforcement of the GLBA depends on the type of financial institution that is being regulated and on what is being regulated: the Security Rule or the Privacy Rule. For the former, banks are regulated by federal banking regulators including Federal Reserve, Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and National Credit Union Administration (NCUA).

Since its founding, the FTC has interpreted “unfair or deceptive” broadly and this has, for the most part, been upheld by the US courts.

For cybersecurity and privacy, the FTC has alleged that companies acted deceptively by making material and false statements about their data security practices that misled consumers, and it has claimed that companies acted unfairly when allegedly lax data security practices caused (or were likely to cause) sensitive consumer information to be stolen through security breaches.

The FTC relies on two authorities to enforce data security compliance: its statutory authority to police unfair and deceptive acts or practices under Section 5 of the FTC Act, and its authority to enforce its safeguards regulations promulgated under the GLBA.

Compliance:

The problem is that organizations must engage in all “reasonable and necessary” security practices, but these are generally undefined.

The FTC has promulgated a regulation, the Safeguards Rule (16 CFR 314) for companies within its jurisdiction that have to comply with the GLBA. This rule is the same as the Security Rule (see above) and would be a good start to determine a company’s responsibilities under the act.

• The confidentiality, integrity, and availability of electronic protected health information (ePHI) be protected. ePHI only consists of individually identifiable health care information that is produced, saved, transferred, or received in electronic form
• ePHI must be protected with administrative safeguards
• ePHI must be protected with physical safeguards
• ePHI must be protected with technical safeguards

The privacy rule requires that ePHI can only be used or disclosed in the following cases:

• The individual gives their consent
• For treatment, payment, or health care operations
• Incident to a permitted disclosure
• Public interest

The breach notification rule has specific requirements:

• Individuals to be notified within 60 days of the discovery of a breach
• Notification has to include the type of information compromised, steps the individual needs to take to protect
• themselves, description of what the covered entity is doing to investigate and mitigate the breach, and contact information
• Breaches of more than 500 individuals require notification to the media and to the Secretary of Health and Human Services (HHS)
• Breaches of fewer than 500 individuals should be logged and reported to the Secretary of HHS once a year

Compliance:

Unlike many other cybersecurity laws, the regulation mandates compliance with a specific cybersecurity standard: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (see Appendix D of NIST 800-171 for reference to other cybersecurity frameworks including ISO 27001).

Compliance with NIST SP 800-171 is mandatory for minimum compliance:

• The Regulation requirement extends mandatory compliance to all subcontractors
• All contractors and subcontractors must comply with NIST 800-171 by December 31, 2017
• The Regulation provides a detailed process for investigating and reporting the cyber incident to the DoD and the prime contractor (or next higher-tier subcontractor), including protecting and preserving evidence that includes the malware for possible forensic analysis

• Obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children
• Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance
• Not make the child's participation in a game, the offering of a prize, or another activity cannot be a condition for a child to provide information
• Provide reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children

The Regulations are enforced by the FDA, which will conduct investigations and audits. Since these records are to be used for validating the research by the FDA, the Regulations are geared more toward the integrity part of the confidentiality, integrity, availability triad.

Compliance:

The Regulations require the following:

• Systems ensure accuracy, reliability, and consistent performance
• Limiting system access to authorized individuals
• Audit trails
• Establishing and adhering to written policies that hold individuals accountable
• Training

• An annual compliance report that must be sent to the board and CFTC
• Vulnerability testing of independent contractors twice every quarter
• Internal and external penetration testing at least annually
• Control testing once every three years
• Annual security incident response plan testing
• Annual enterprise technology risk assessment (ETRA)

Both the SCA and ECPA acts authorize equitable relief, damages, punitive damages, attorney’s fees, and costs. So compliance with these statutes should be considered by all organizations, not just law enforcement agencies. There are business and intra-family exceptions, but these must be used cautiously.

Both statutes require intentional violation. But if the statutes are violated and if the plaintiff or the plaintiff’s class can prove measurable damages, the liability could be very large.

There are also state laws that go further. The ECPA requires one-party authorization. Ten states require both parties to consent. A recent example of the potential impact of these laws is a lawsuit by a Lyft driver and his class, which are suing Uber for intentionally accessing information with Uber’s Hell software. There are damages for the entire class as well as punitive damages that could easily be in the millions. This is far greater than any criminal or civil fine.

Compliance:

• Policies should prohibit recording or disclosing any oral or electronic communications without obtaining consent from both parties
• Policies should prohibit surveillance of non-employees unless there is consent
• Polices allow surveillance, including video and email interception of employees, if there is a valid business reason for doing so

The European Commission adopted the EU-US Privacy Shield framework on July 12, 2016 and it came into effect the same day. The adoption did not stop the criticism. In April 2017, the European Parliament's Civil Liberties, Justice, and Home Affairs Committee (LIBE Committee) narrowly voted in favor of a resolution declaring the Privacy Shield inadequate, and is currently under review.

Penalties and enforcement:

Non-compliance with the GDPR can lead to fines of up to 4% of annual global turnover or €20 million – whichever is greater.

Compliance:

While the Privacy Shield is being contested, to self-certify, a company must undertake the following:

• Confirm that it is eligible. Most companies outside of the financial sector are
• Develop a Privacy Shield-compliant privacy policy statement and make sure that the organization's privacy policy conforms to the Privacy Shield principles
• Identify the organization’s independent recourse mechanism to enforce the privacy policy
• Make sure that the privacy policy is publicly available
• Make sure the organization has a compliance verification mechanism
• Designate a contact within your organization regarding the Privacy Shield
• Submit your organization's self-certification to the Department of Commerce

However, it was amended by the Judicial Redress Act, which allows citizens of ‘covered countries’ as determined by the Attorney General, with the concurrence of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security, to sue in a federal court for willful disclosures of personally identifiable information by a federal agency.

According to the European Commission, “The EU-US Umbrella Agreement, entered into force on 1 February 2017. To finalize this agreement, the US Congress adopted a new law, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”

But since the FPA is limited to the US government, and since it does not preclude §702 of the FISA, it does not stop either the US National Security Agency (NSA) or private companies from obtaining, disclosing, or transferring personally identifiable information that is expressly prohibited by the GDPR.

Penalties and enforcement

Covered persons, which includes lawful residents of the US and citizens of certain foreign countries designated by the US Secretary of State, may sue in a US federal district court for actual damages or $1,000 (whichever is greater), attorney fees, and court costs. The court may also require the federal agency to amend or correct any information on file concerning the covered person.

Compliance

All US federal agencies must:

• Not disclose any record that is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains
• Allow any individual to gain access to their record or to any information pertaining to them that is contained in the system, permit them and upon their request, a person of their own choosing to accompany them, to review the record and have a copy made of all or any portion thereof
• Maintain any record concerning any individual except with accuracy, relevance, timeliness, and completeness
• Assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to, the individual