Data breaches have become notorious across the media in the past few years. With lax security, businesses may end up out of compliance with federal laws. To that end, it is a good idea to get familiar with these cyber security laws, as well as with what is required under federal law and what is not.
A brand’s reputation and revenue can be tarnished by a data breach, and numerous lawsuits can follow. In some cases, you may also face penalties and fees. When you work in cyber sec, there are five federal cyber security laws that you should be aware of:
Gramm-Leach-Bliley Act (also known as GLBA) of 1999
This law is for companies that have access to private and personal financial info. It sets standards for who has access to that info as well as how it is collected and how it is stored. As these companies hold a lot of info that must be kept private, cyber sec pros are often hired to put in place measures that protect the info and guard against risks and threats.
Health Insurance Portability and Accountability Act (also known as HIPAA) of 1996
This cyber security law applies to organizations that have access to sensitive medical info, such as a hospital or clinic. Under the law, the medical institution must document how the info is shared and stored. This is key for those who work for a cyber sec company, especially those who are outsourced to a medical institution.
Cybersecurity Information Sharing Act (also known as CISA) of 2015
Under this cyber security law, tech companies and the gov’t share data so that threats can be identified sooner and dealt with more efficiently. This act is key for companies that handle a large amount of personal data, and for the cyber sec pros employed in those fields, who will need to know how to respond to the threats that arise.
Federal Information Security Management Act (also known as FISMA) of 2002
This law is targeted at companies that deal solely with gov’t info. To comply with it, the supplier, contractor or agency will have to explain what info is being stored, what security is in place to protect it and what risks the info faces. They will also have to produce a watertight system security plan.
As with the acts above, this applies to those who work as cyber sec pros: because the info held by gov’t agencies is so sensitive, they will have to make sure that the security systems are frequently audited, that risk assessments are carried out and that any security updates are implemented quickly and efficiently.
California Consumer Privacy Act of 2018 (also known as CCPA)
Over the past couple of years, much cyber sec legislation has been put forward for the gov’t to pass. One example is the California Consumer Privacy Act of 2018 (also known as CCPA), which was introduced partly in response to the GDPR in the EU.
Pushed back until at least 2020, this law must be complied with by both CA-based businesses and those outside the state. It affects businesses that collect and process personal info from CA residents as well as those that conduct business in the state. For the CCPA to apply, a business must either receive or share the personal info of over 50,000 residents yearly, generate yearly gross revenue of over $25 million, or derive over 50% of its yearly profits from selling residents’ personal info.
Cyber sec issues that are not currently covered under federal law
According to the U.S. Government Accountability Office (GAO), there are a series of cyber sec challenges that require actions not covered under federal law.
To protect sensitive data, the gov’t faces the challenge of how to implement laws that “appropriately limit the collection and use of personal information and ensure that it is obtained with appropriate knowledge or consent”, as well as how to “improve federal efforts to protect privacy and sensitive data”.
Another challenge is “establishing a comprehensive cyber sec strategy and performing effective oversight”. With regard to strategy, four key actions have been cited for consideration under federal law. To:
- “Develop and execute a more comprehensive federal strategy for national security and global cyber space”
- “Mitigate global supply chain risks”
- “Address cyber security workforce management challenges”
- “Ensure the security of emerging technologies”
Then there is “securing federal systems and information”, such as the need to “improve implementation of government-wide cyber sec incentives”, to “address weaknesses in federal agency info sec programs” and to “enhance the federal response to cyber incidents.”
These are key issues to be aware of if you’re thinking of working in cyber sec. There are also lobbying firms across the U.S. that have been hired by well-known corporations. Their job is to push the U.S. gov’t to protect them from data breaches and to work out why these attacks occurred.
According to the Washington Post, the number of lobbying firms pushing this issue has tripled since 2008, and this increase in activity is due to the number of high-profile data breaches that occurred in the past couple of years. Companies are starting to realize just how key cyber sec measures are for their profits and for their brand’s reputation.
What happens if you break a federal cyber security law?
The penalty for breaking a cyber sec law depends on how much data is exposed and how it is exposed. It is not all just about the fees and fines that a data breach can create; companies may also face a huge backlash to their reputation.
After a breach, customers might stop using the brand that was breached. For cyber sec pros, this translates into a lot of pressure to create and maintain systems that prevent breaches from occurring. Here are other consequences of breaking federal laws, aside from damage to reputation:
- FISMA applies to federal agencies and contractors that work with the gov’t. Violating FISMA could lead to loss of public funding, gov’t hearings and exclusion from future contracts.
- HIPAA of 1996 applies to those who work in health care. Violating it could result in fines or jail time. The penalty is based on the intent and nature of the violation, and ranges from a low of $100 per medical record to a whopping $50,000 per medical record. Alongside huge fees, violating the law with harmful intent could also result in up to 10 years in prison.
Federal and state laws aren’t the only laws you should consider
Federal and state laws aren’t the only laws you should make yourself aware of. You should also check that the company is compliant with industry standards and int’l laws, such as:
Payment Card Industry Data Security Standard (also known as PCI DSS). Made to lower the chance of credit card fraud, this standard applies to any credit card company or any business that accepts card payments. There are 12 requirements that must be met to comply with it. If you breach them, there are minimum fees of about $5,000 per month and maximum fees of $100,000 per month. With the number of companies that are now online, having a cyber sec system that keeps credit and debit card info private is key.
Similarly, the GDPR (General Data Protection Regulation), which became prominent in Europe over the past year, can also affect those in the U.S. Many U.S. businesses have ties with European customers and firms, and as such may have to comply with the GDPR. There are certain cyber sec standards within the GDPR, and these mostly deal with encryption. Violations may be punishable by hefty fines that have to be paid either by the company or by the person who broke the law.
How do you prevent cyber security threats from occurring?
It is reasonable to say that no ethical cyber pro would set out to violate laws or standards. Cyber pros should aim to stop cyber threats by helping to implement best practices in the field. These include:
- Creating new security controls: implement new security controls or upgrade your software to ensure that your controls comply with the laws in place.
- Creating a security plan: as well as keeping the technical side of your cyber sec up to date, you should create a plan that sets out the priorities, methods and policies for any type of attack that could occur. If a data breach then happens, this plan will help the business decide what the next steps will be.
- Seeing what software and IT hardware is already in place: this way you can figure out what cyber sec risks there are and what weaknesses could result in an attack.
- Trying a gap analysis: by doing a gap analysis of the security systems, you can see what protection exists and what still needs to be implemented. You can also audit these systems, which will tell you what upgrades to make before any attacks occur.
- Risk assessment: this is how you work out which threats are the most common and most consequential, and how well the current cyber sec controls stand up against them.