Management, compliance & auditing

U.S. privacy and cybersecurity laws — an overview

September 20, 2022 by John Bandler

Information security professionals can improve themselves and their ability to serve their organizations by learning about the laws applying to privacy and cybersecurity.

In earlier articles, I discussed why infosec pros should learn about the law, the foundations of U.S. law, and the Certified Information Privacy Professional (CIPP)/U.S. learning path. Now it is time to zoom in on privacy law.

Privacy vs. cybersecurity

Privacy intersects significantly with cybersecurity. The quick general takeaway is that every privacy law impacts cybersecurity. For example, all these laws recognize that consumer data should be held with a reasonable degree of security to prevent breaches or leaks and require notification of any data breaches. This Venn diagram shows how they intersect.

Privacy vs. Information Security and Cybersecurity

Copyright John Bandler 2022. All rights reserved.

The intersection of the two circles is not to scale — it is probably a greater overlap, but it is not a science.

As many readers will appreciate, cybersecurity and information security are about protecting an organization’s information assets, keeping data and systems secure and ensuring their confidentiality, integrity and availability. Organizations in some regulated sectors may be legally required to take measures to protect and keep systems running. Other laws and regulations may require notification after certain personal data breaches or require consumer data to be secured with reasonable cybersecurity. 

Organizations may hold personal data of consumers, customers, clients and employees. This data is regulated by privacy laws that include the above provisions (breach notification and reasonable cybersecurity) plus consumer notice and choice. 

There are four main types of privacy:

  • Information privacy (data privacy)
  • Communications privacy
  • Territorial privacy 
  • Bodily privacy

Our primary focus is on information privacy—consumer data and how it is collected, stored, used and shared. This emerging area of law gives consumers rights and imposes obligations on organizations. One part of privacy is cybersecurity for consumer data plus breach notification. Other aspects of privacy include consumer notice and choice, privacy practices and the collection, use and sharing of data. 

Federal vs. state 

It is often said that U.S. privacy and cybersecurity law is a patchwork of different rules from many places and with varying applicability. Some come from the federal government and some from the fifty states, plus districts and territories.

Federal laws and regulations may apply generally throughout the country or only to specific sectors, such as finance or health. The Federal Trade Commission (FTC) Act protects consumers against unfair or deceptive trade practices, which provides certain privacy protections for consumers, but it is not a dedicated privacy law. 

No generally applicable federal law specifically extends privacy rights to consumers or requires security measures or data breach notifications. Bills have been submitted on these issues, but none have passed yet. Some federal laws and regulations pertain to regulated sectors, such as finance, health, and education.

Each state can pass laws relating to data breach notification, cybersecurity and privacy, and many have chosen to do so. California, Connecticut, Virginia and others have enacted comprehensive privacy laws. Every state has data breach notification laws, and many require specific cybersecurity measures. 

Organizations need to evaluate what federal and state laws apply to them.

Law vs. regulation

Here’s the difference between a law and a regulation and how they relate.

A law is passed through the legislative process. After being approved by the legislature, it goes to the executive (president or governor), who signs it into law.

Some laws create a regulator (e.g., the FTC, Federal Deposit Insurance Corporation (FDIC), or Department of Health and Human Services, and empower the regulator to issue more detailed rules or regulations and enforce them. GLBA and HIPPA are federal privacy-related laws allowing a regulator to create more detailed regulations. A regulated organization must comply or face the consequences such as monitoring, fines, or loss of the license needed to operate. 

There are many federal and state regulators. States license hospitals, banks and other businesses; with those licenses comes the responsibility to comply with the state rules, including those on privacy.

Should we panic and feel overwhelmed or learn, synthesize and improve?

We have a large and complex patchwork of laws and regulations on privacy and cybersecurity from state and federal governments. Even experienced lawyers might feel overwhelmed, but they should not, and neither should you.

We need to keep our eyes on the spirit of these legal requirements and try in good faith to comply and continually improve with effective management, protection, and transparency. I suggest four main points:

  • Inform consumers about their data— what is collected, stored, shared, and used. Give them choices. Keep your promises.
  • Protect consumer data from breaches and leaks.
  • Protect your organization’s information assets.
  • Continually improve.

Once we master these concepts, we can start looking at each applicable law or regulation in more detail and how to synthesize various legal requirements for compliance and protection.

Conclusion

Privacy intersects with cybersecurity, and we look to a mixture of federal and state laws and regulations. By looking at the big picture and the spirit of the laws as guides, we protect our organizations and comply with emerging requirements. The next step is diving into legal requirement details to ensure legal compliance and good business practices.

For more details on privacy, look at my Infosec CIPP/US certification learning path. And, if you are working on a privacy or cybersecurity document project, my learning path on policies and procedures is coming soon.

Posted: September 20, 2022
Author
John Bandler
View Profile

John Bandler is a lawyer, consultant, speaker, teacher and author in the areas of cybersecurity, cybercrime, privacy, investigations and more. He is the founder of Bandler Law Firm PLLC and Bandler Group LLC, legal and consulting practices that help organizations and individuals with cybersecurity, the prevention and investigation of cybercrime, privacy, compliance, risk management and governance. John has expertise in many subjects, holds a number of certifications, and is a prolific writer and speaker. His first book is Cybersecurity for the Home and Office, his second book is Cybercrime Investigations, an extensive resource regarding the law, technology, process and skills regarding the investigation of cybercrime. John has authored articles on a range of topics and teaches professionals and students at the undergraduate, graduate and law school levels. Before entering private practice, John served in government as an assistant district attorney in the New York County District Attorney's Office where he investigated and prosecuted criminal offenses ranging from cybercrime, virtual currency money laundering and traditional street crimes and frauds. Prior to that, he served as a state trooper in the New York State Police providing full police services to the local community.

Leave a Reply

Your email address will not be published.