Data security breaches have been a regular feature of the news in the past few years. Beyond the direct damage, lax security can leave a business out of compliance with federal law, so it is worth knowing what federal law actually requires and what it does not.
A data breach can badly damage a brand's reputation and revenue, and it frequently leads to lawsuits. In some cases it also brings regulatory penalties and fines.
If you work in cybersecurity, there are five laws (four federal and one state) that you should be aware of:
Gramm-Leach-Bliley Act (also known as GLBA) of 1999
This federal law applies to financial institutions and other companies that hold customers' non-public personal financial information. Its Safeguards Rule requires a written information security program covering who may access that information, how it is collected and how it is stored.
Because these organizations hold so much information that must be kept private, they often hire cybersecurity professionals to implement the required controls and to keep the risk of unauthorized access as low as is practical; no control eliminates every threat, so the program must also cover monitoring and response.
Health Insurance Portability and Accountability Act (also known as HIPPA) of 1996
This federal law applies to organizations that have access to sensitive medical information – such as a hospital or clinic. Within the law, the medical institution will have to comply by stating how the information is shared and stored. This is important to those who are working within a cybersecurity company that is outsourced for work within the medical institutions.
Cybersecurity Information Sharing Act (also known as CISA) of 2015
This federal law (not to be confused with the Cybersecurity and Infrastructure Security Agency, which shares the acronym) lets private companies share cyber threat indicators and defensive measures with each other and with the federal government, and gives them liability protection for doing so, so that threats can be identified sooner and handled more efficiently. Sharing under the act is voluntary, and companies are expected to strip personal information that is not needed to describe the threat before sharing.
It matters to cybersecurity professionals because they are the ones who decide what indicators to share, what to scrub from them, and how to act on the indicators they receive from others.
Federal Information Security Management Act (also known as FISMA) of 2002
This federal law, updated by the Federal Information Security Modernization Act of 2014, applies to federal agencies and to the contractors and suppliers that operate systems or handle information on their behalf. To comply, the agency or contractor must document what information each system holds, what security controls protect it, what risks it faces, and must produce and maintain a system security plan.
As with the acts above, this is directly relevant to cybersecurity professionals: because the information held by government organizations is so sensitive, they must ensure that security controls are audited regularly, that risk assessments are carried out, and that security updates are applied quickly.
California Consumer Privacy Act of 2018 (also known as CCPA)
Over the past couple of years a great deal of cybersecurity and privacy legislation has been proposed at both the state and federal level. One example that passed is the California Consumer Privacy Act of 2018 (also known as CCPA), which was introduced partly in response to the GDPR in the EU.
The CCPA is a state law, not a federal one, but it reaches well beyond California: it took effect on January 1, 2020 and applies to organizations both inside and outside the state that do business in California and collect or process the personal information of California residents. For the CCPA to apply, a business must meet at least one of three thresholds: it buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices a year; it has annual gross revenue of over $25 million; or it derives 50% or more of its annual revenue from selling residents' personal information.
Cybersecurity issues that are not currently covered under federal law
According to the U.S. Government Accountability Office (GAO), there is a series of cybersecurity challenges that call for critical actions which current federal law and policy do not fully address.
Firstly, in order to protect sensitive data and privacy, the government faces the challenge of "appropriately limit[ing] the collection and use of personal information and ensur[ing] that it is obtained with appropriate knowledge or consent", as well as the need to "improve federal efforts to protect privacy and sensitive data".
Secondly, another major challenge is "establishing a comprehensive cybersecurity strategy and performing effective oversight". Under this heading, four critical actions have been identified:
- To “develop and execute a more comprehensive federal strategy for national security and global cyberspace”
- To “mitigate global supply chain risks (e.g installation of malicious software or hardware)”.
- To “address cybersecurity workforce management challenges”.
- To “ensure the security of emerging technologies (e.g artificial intelligence and Internet of Things)”.
Thirdly, "securing federal systems and information". This major challenge includes the need to "improve implementation of government-wide cybersecurity initiatives", to "address weaknesses in federal agency information security programs" and, finally, to "enhance the federal response to cyber incidents".
These are issues you may want to be aware of if you are thinking of working in cybersecurity. There are also a number of lobbying firms across the U.S. that have been hired by well-known corporations. Their objective is to push the U.S. government to do more to protect companies from data breaches and to investigate how such attacks occurred.
According to an article in the Washington Post, the number of lobbying firms working on this issue has tripled since 2008, and the increase is directly attributable to the high-profile data breaches of the past couple of years. Businesses large and small are starting to realize just how important cybersecurity measures are for their profits and for their brand's reputation.
What happens if you break a federal cybersecurity law?
The penalty for breaking a cybersecurity law depends on which law applies, how much data was exposed and how it was exposed. The cost of a breach is not only the fines: companies also face a serious reputational backlash.
After a breach, customers may simply stop using the brand that was breached. For cybersecurity professionals, this translates into pressure to build and maintain security systems that prevent breaches in the first place. Beyond reputational damage, the specific consequences of breaking federal law include:
- FISMA (Federal Information Security Management Act of 2002) applies to federal agencies and to contractors working with the government. Non-compliance with FISMA can lead to loss of federal funding, congressional hearings and exclusion from future contracts.
- HIPAA (Health Insurance Portability and Accountability Act of 1996) applies to covered entities in healthcare and to their business associates. Violations can result in civil fines or, for criminal offences, prison time, with the penalty tiered by the nature of the violation and the degree of culpability. Civil penalties range from $100 per violation, where the organization did not know and could not reasonably have known of the violation, up to $50,000 per violation for wilful neglect, subject to an annual cap per type of violation. Criminal violations committed with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm carry up to 10 years in prison.
There aren’t only federal or state laws that you should consider
Federal laws aren’t the only laws that you should make yourself aware of. You should also check that the company is compliant with industry-specific standards and international laws. For example:
The Payment Card Industry Data Security Standard (also known as PCI DSS) was created to reduce card fraud. It is not a law but a contractual standard, enforced by the card brands through acquiring banks, and it applies to any organization that stores, processes or transmits cardholder data, including any business that accepts card payments. It has 12 requirements that must be met to be compliant. Non-compliance fines, passed on by the acquiring bank, are commonly cited at roughly $5,000 to $100,000 per month, on top of the cost of forensic investigation and the risk of losing the ability to accept cards. With so many companies now operating online, keeping credit and debit card data protected is essential.
Similarly, the GDPR (General Data Protection Regulation), which has applied across the EU since May 25, 2018, can also affect businesses in the U.S. Many U.S. businesses offer goods or services to people in the EU or monitor their behaviour, and in that case the GDPR applies to them regardless of where they are based. The regulation contains explicit security requirements: Article 32 requires "appropriate technical and organisational measures" and names pseudonymisation and encryption of personal data, the ability to restore availability after an incident, and regular testing of those measures as examples. Violations are punishable by fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, levied on the controller or processor responsible.
How do you prevent cyber security threats from occurring?
No ethical cybersecurity professional sets out to violate laws or standards. The practical goal is to prevent incidents by applying established industry best practices, which include:
- Creating new security controls: implement new controls or upgrade existing software so that your controls meet the requirements of the laws and standards that apply to you.
- Creating a security plan: as well as keeping the technical side up to date, write a plan that sets out priorities, procedures and policies for the types of attack that could occur. If a breach does happen, this plan tells the business what the next steps are, including who must be notified and within what deadline.
- Inventorying the software and IT hardware already in place: you cannot assess risk for assets you do not know about, and an inventory is what lets you identify the vulnerabilities that could lead to an attack.
- Performing a gap analysis: compare the controls you currently have against the protection you need, then audit the existing controls. The result tells you which upgrades to make before an attack, rather than after one.
- Carrying out a risk assessment: work out which types of threat are most likely and which would be most damaging, and test how well your current controls stand up against them.