U.S. privacy and cybersecurity laws — an overview
Information security professionals can improve themselves and their ability to serve their organizations by learning about the laws applying to privacy and cybersecurity.
In earlier articles, I discussed why infosec pros should learn about the law, the foundations of U.S. law, and the Certified Information Privacy Professional (CIPP)/U.S. learning path. Now it is time to zoom in on privacy law.
Privacy vs. cybersecurity
Privacy intersects significantly with cybersecurity. The quick general takeaway is that every privacy law impacts cybersecurity. For example, all these laws recognize that consumer data should be held with a reasonable degree of security to prevent breaches or leaks and require notification of any data breaches. This Venn diagram shows how they intersect.
Privacy vs. Information Security and Cybersecurity
Copyright John Bandler 2022. All rights reserved.
The intersection of the two circles is not to scale — it is probably a greater overlap, but it is not a science.
As many readers will appreciate, cybersecurity and information security are about protecting an organization's information assets, keeping data and systems secure and ensuring their confidentiality, integrity and availability. Organizations in some regulated sectors may be legally required to take measures to protect and keep systems running. Other laws and regulations may require notification after certain personal data breaches or require consumer data to be secured with reasonable cybersecurity.
Organizations may hold personal data of consumers, customers, clients and employees. This data is regulated by privacy laws that include the above provisions (breach notification and reasonable cybersecurity) plus consumer notice and choice.
There are four main types of privacy:
- Information privacy (data privacy)
- Communications privacy
- Territorial privacy
- Bodily privacy
Our primary focus is on information privacy—consumer data and how it is collected, stored, used and shared. This emerging area of law gives consumers rights and imposes obligations on organizations. One part of privacy is cybersecurity for consumer data plus breach notification. Other aspects of privacy include consumer notice and choice, privacy practices and the collection, use and sharing of data.
Federal vs. state
It is often said that U.S. privacy and cybersecurity law is a patchwork of different rules from many places and with varying applicability. Some come from the federal government and some from the fifty states, plus districts and territories.
Federal laws and regulations may apply generally throughout the country or only to specific sectors, such as finance or health. The Federal Trade Commission (FTC) Act protects consumers against unfair or deceptive trade practices, which provides certain privacy protections for consumers, but it is not a dedicated privacy law.
No generally applicable federal law specifically extends privacy rights to consumers or requires security measures or data breach notifications. Bills have been submitted on these issues, but none have passed yet. Some federal laws and regulations pertain to regulated sectors, such as finance, health, and education.
Each state can pass laws relating to data breach notification, cybersecurity and privacy, and many have chosen to do so. California, Connecticut, Virginia and others have enacted comprehensive privacy laws. Every state has data breach notification laws, and many require specific cybersecurity measures.
Organizations need to evaluate what federal and state laws apply to them.
Law vs. regulation
Here’s the difference between a law and a regulation and how they relate.
A law is passed through the legislative process. After being approved by the legislature, it goes to the executive (president or governor), who signs it into law.
Some laws create a regulator (e.g., the FTC, Federal Deposit Insurance Corporation (FDIC), or Department of Health and Human Services, and empower the regulator to issue more detailed rules or regulations and enforce them. GLBA and HIPPA are federal privacy-related laws allowing a regulator to create more detailed regulations. A regulated organization must comply or face the consequences such as monitoring, fines, or loss of the license needed to operate.
There are many federal and state regulators. States license hospitals, banks and other businesses; with those licenses comes the responsibility to comply with the state rules, including those on privacy.
Should we panic and feel overwhelmed or learn, synthesize and improve?
We have a large and complex patchwork of laws and regulations on privacy and cybersecurity from state and federal governments. Even experienced lawyers might feel overwhelmed, but they should not, and neither should you.
We need to keep our eyes on the spirit of these legal requirements and try in good faith to comply and continually improve with effective management, protection, and transparency. I suggest four main points:
- Inform consumers about their data— what is collected, stored, shared, and used. Give them choices. Keep your promises.
- Protect consumer data from breaches and leaks.
- Protect your organization’s information assets.
- Continually improve.
Once we master these concepts, we can start looking at each applicable law or regulation in more detail and how to synthesize various legal requirements for compliance and protection.
Conclusion
Privacy intersects with cybersecurity, and we look to a mixture of federal and state laws and regulations. By looking at the big picture and the spirit of the laws as guides, we protect our organizations and comply with emerging requirements. The next step is diving into legal requirement details to ensure legal compliance and good business practices.
For more details on privacy, look at my Infosec CIPP/US certification learning path. And, if you are working on a privacy or cybersecurity document project, my learning path on policies and procedures is coming soon.