Federal privacy and cybersecurity enforcement — an overview
The federal government creates and enforces federal laws and regulations regarding privacy and cybersecurity. As we dive into that, we should put it within the broader perspective of the patchwork of state and federal requirements for privacy and cybersecurity rules. In earlier articles, I discussed federal and state privacy and security laws, why infosec pros should learn about the law, the foundations of our country's laws, and the CIPP/US learning path for privacy, which prepares you for the leading privacy certification.
The U.S. government, in theory, is a limited government
In theory, our federal government has limited power with only specifically enumerated abilities. In practice, it has immense authority, including its power over interstate commerce and its ability to tax and spend.
Our U.S. government has not enacted any laws of general application regarding privacy and cybersecurity, which is one reason states are now creating laws to fill the void. Federal bills (proposed laws) have been put forth, but none have passed yet.
An existing federal consumer protection law has been applied to cybersecurity and privacy, even though the law itself never mentions those terms. There are also sector-specific federal laws and regulations relating to cybersecurity and privacy that apply to industries such as finance and health.
FTC enforcement and the FTC Act
The Federal Trade Commission (FTC) Act of 1914 established the FTC and has been amended over the years. The FTC is a government agency with some independence from the executive branch since five appointed commissioners run it. The FTC protects consumers against unfair or deceptive trade practices under Section 5 of the FTC Act. While this is not a dedicated privacy law, it has been interpreted and enforced to provide certain privacy protections for consumers and thus is the main federal privacy law of general application.
One takeaway of this legal requirement is that organizations need to make accurate statements to consumers about their cybersecurity and privacy practices (to avoid being “deceptive”), and poor cybersecurity is arguably an “unfair” trade practice.
Federally regulated sectors
The federal government regulates specific sectors and has passed laws relating to privacy and cybersecurity. Those laws may create or empower regulators — the many departments and agencies that oversee the financial sector, health sector, utilities and others. These laws also authorize regulators to create regulations that are essentially more detailed rules.
Financial sector federal laws
The Gramm-Leach-Bliley Act (GLBA) and Sarbanes–Oxley Act (SOX) are examples of federal laws that led to further regulations which impose requirements upon the financial sector for privacy and information security. The laws and regulations may be updated occasionally, and assorted federal regulators enforce these. These rules protect consumer information from cybercriminals and marketing, and ensure our financial system’s resilience, safety and soundness.
Health sector federal regulation
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 are federal laws that impose privacy and security requirements on the health sector. The U.S. Department of Health and Human Services (HHS) is the enforcer here.
Our health information is among the most private, and HIPAA was one of our country’s first important privacy laws. As a state trooper when HIPAA was passed, I remember the increased need to obtain a written HIPAA waiver from assault victims so that the prosecutor could obtain relevant medical records needed to prove the assault.
Education sector federal rules
Educational information is also highly personal and a target of those who market educational products. The federal Family Educational Rights and Privacy Act (FERPA) provides privacy protections for students and imposes requirements on organizations that collect federal educational funds. Those rules are enforced by the U.S. Department of Education (ED).
Many critical infrastructures are already regulated, including finance, health and utilities; our government recognizes the damage digital attacks can cause to our country. Nation states, cybercriminals and natural disasters threaten our digitally dependent country.
In early 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law, empowering the Cybersecurity and Infrastructure Security Agency (CISA) to make regulations and to receive reports of cybercrime and cyber incidents. These regulations have yet to be issued.
Federal privacy and cybersecurity law: One patch of a big quilt
Federal privacy and cybersecurity law is an important part of our evolving framework of legal requirements. Remember, it is one significant patch in a large quilt of privacy and cybersecurity law, far from finished, with many holes and ragged edges. So our patchwork is a work in progress and will remain so as society, technology and threats evolve.
We will next turn to state rules and state enforcers. While our federal government is, in theory, “limited,” the states have full powers within their borders — referred to in constitutional law as a general “police power.”
Despite the word “police,” this power extends far beyond law enforcement. States can and have passed general laws on cybersecurity, breach notification and privacy. They also license hospitals, banks, utilities, individuals and more. With a license comes the obligation to comply with specific rules, which often will include privacy and cybersecurity.
For more details on privacy, look at the CIPP/US certification learning path. If you are planning a policy, procedure, or other document project for your organization relating to cybersecurity or privacy, stay tuned for my forthcoming learning path on policies and procedures, titled "Corporate Security Policies."