Federal privacy and cybersecurity enforcement — an overview
The federal government creates and enforces federal laws and regulations regarding privacy and cybersecurity. As we dive into that, we should put it within the broader perspective of the patchwork of state and federal requirements for privacy and cybersecurity rules. In earlier articles, I discussed federal and state privacy and security laws, why infosec pros should learn about the law, the foundations of our country’s laws and the CIPP/US learning path for privacy and the leading privacy certification.
Get your free course catalog
The U.S. government, in theory, is a limited government
In theory, our federal government has limited power with only specifically enumerated abilities. In practice, it has immense authority, including its power over interstate commerce and its ability to tax and spend.
Our U.S. government has not enacted any laws of general application regarding privacy and cybersecurity, which is one reason states are now creating laws to fill the void. Federal bills (proposed laws) have been put forth, but none have passed yet.
An existing federal consumer protection law has been applied to cybersecurity and privacy, even though it does not mention those terms in the law. There are also sector-specific federal laws and regulations relating to cybersecurity and privacy that apply to industries such as finance and health.
FTC enforcement and the FTC Act
The Federal Trade Commission (FTC) Act of 1914 established the FTC and has been amended over the years. The FTC is a government agency with some independence from the executive branch since five appointed commissioners run it. The FTC protects consumers against unfair or deceptive trade practices under Section 5 of the FTC Act. While this is not a dedicated privacy law, it has been interpreted and enforced to provide certain privacy protections for consumers and thus is the main federal privacy law of general application.
One takeaway of this legal requirement is that organizations need to make accurate statements to consumers about their cybersecurity and privacy practices (to avoid being “deceptive”), and poor cybersecurity is arguably an “unfair” trade practice.
Federally regulated sectors
The federal government regulates specific sectors and has passed laws relating to privacy and cybersecurity. Those laws may create or empower regulators — the many departments and agencies that oversee the financial sector, health sector, utilities and others. These laws also authorize regulators to create regulations that are essentially more detailed rules.
Financial sector federal laws
The Gramm-Leach-Bliley Act (GLBA) and Sarbanes–Oxley Act (SOX) are examples of federal laws that led to further regulations which impose requirements upon the financial sector for privacy and information security. The laws and regulations may be updated occasionally, and assorted federal regulators enforce these. These rules protect consumer information from cybercriminals and marketing, and ensure our financial system's resilience, safety and soundness.
Health sector federal regulation
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 are federal laws that impose privacy and security requirements on the health sector. The U.S. Department of Health and Human Services (HHS) is the enforcer here.
Our health information is among the most private, and HIPAA was one of our country’s first important privacy laws. As a state trooper when HIPAA was passed, I remember the increased need to obtain a written HIPAA waiver from assault victims so that the prosecutor could obtain relevant medical records needed to prove the assault.
Education sector federal rules
Educational information is also highly personal and a target of those who market educational products. The federal Family Educational Rights and Privacy Act (FERPA) provides privacy protections for students and imposes requirements on organizations that collect federal educational funds. Those rules are enforced by the U.S. Department of Education (ED).
Critical infrastructure
Many critical infrastructures are already regulated, including finance, health and utilities; our government recognizes the damage digital attacks can cause to our country. Nation states, cybercriminals and natural disasters threaten our digitally dependent country.
In early 2022 the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law, empowering the Cybersecurity and Infrastructure Security Agency (CISA) to make regulations and receive cyber reports of cybercrime and incidents. These regulations have yet to be issued.
Federal privacy and cybersecurity law: One patch of a big quilt
Federal privacy and cybersecurity law is an important part of our evolving framework of legal requirements. Remember, they are one significant part of a large quilt of privacy and cybersecurity law, far from finished, with many holes and ragged edges. So our patchwork is a work in progress and will remain so as society, technology and threats evolve.
We will next turn to state rules and state enforcers. While our federal government is, in theory, “limited,” the states have full powers within their borders — referred to in constitutional law as a general “police power.”
Despite the word "police," this power extends far beyond law enforcement. States can and have passed general laws on cybersecurity, breach notification and privacy. They also license hospitals, banks, utilities, individuals and more. With a license comes the obligation to comply with specific rules, which often will include privacy and cybersecurity.
For more details on privacy, look at CIPP/US certification learning path. If you are planning a policy, procedure, or another document project for your organization relating to cybersecurity or privacy, stay tuned for my forthcoming learning path on policies and procedures, titled “Corporate Security Policies.”
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Federal privacy and cybersecurity enforcement — an overview
- Is AI cybersecurity in your policies?
- The top security architect interview questions you need to know
- U.S. privacy and cybersecurity laws — an overview
- Common misperceptions about PCI DSS: Let’s dispel a few myths
- How PCI DSS acts as an (informal) insurance policy
- Keeping your team fresh: How to prevent employee burnout
- How foundations of U.S. law apply to information security
- Data protection Pandora's Box: Get privacy right the first time, or else
- Privacy dos and don'ts: Privacy policies and the right to transparency
- Starr McFarland talks privacy: 5 things to know about the new, online IAPP CIPT learning path
- Data protection vs. data privacy: What’s the difference?
- NIST 800-171: 6 things you need to know about this new learning path
- Working as a data privacy consultant: Cleaning up other people’s mess
- 6 ways that U.S. and EU data privacy laws differ
- Navigating local data privacy standards in a global world
- Building your FedRAMP certification and compliance team
- SOC 3 compliance: Everything your organization needs to know
- SOC 2 compliance: Everything your organization needs to know
- SOC 1 compliance: Everything your organization needs to know
- Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3
- How to comply with FCPA regulation – 5 Tips
- ISO 27001 framework: What it is and how to comply
- Why data classification is important for security
- Threat Modeling 101: Getting started with application security threat modeling [2021 update]
- VLAN network segmentation and security- chapter five [updated 2021]
- CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance
- IT auditing and controls – planning the IT audit [updated 2021]
- Finding security defects early in the SDLC with STRIDE threat modeling [updated 2021]
- Cyber threat analysis [updated 2021]
- Rapid threat model prototyping: Introduction and overview
- Commercial off-the-shelf IoT system solutions: A risk assessment
- A school district's guide for Education Law §2-d compliance
- IT auditing and controls: A look at application controls [updated 2021]
- 6 key elements of a threat model
- Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
- Average IT manager salary in 2021
- Security vs. usability: Pros and cons of risk-based authentication
- Threat modeling: Technical walkthrough and tutorial
- Comparing endpoint security: EPP vs. EDR vs. XDR
- Role and purpose of threat modeling in software development
- 5 changes the CPRA makes to the CCPA that you need to know
- 6 benefits of cyber threat modeling
- What is threat modeling?
- First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
- How to make cybersecurity budget cuts without sacrificing security
- How to mitigate security risk in international business environments
- Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
- NY SHIELD Act: Security awareness and training requirements for New York businesses
- Time to update your cybersecurity policy?
- Ultimate guide to international data protection and privacy laws
Management, compliance & auditing
Management, compliance & auditing
The top security architect interview questions you need to know
Management, compliance & auditing
Management, compliance & auditing
Common misperceptions about PCI DSS: Let’s dispel a few myths