Cybersecurity laws and regulations play a key role in our day-to-day lives. These important policies ensure that our information is protected from cyber threats. Nearly every aspect of our daily lives has been digitized. This includes everything from storing health information to water infrastructure and corporate emails. Unfortunately, this means that our information and infrastructure could be impacted by a cyber attack. Cyber attacks are among the greatest risks to government, companies, and individuals alike in the United States. Attacks are increasing in frequency and pose a danger to physical infrastructure, privacy, and financial systems. In 2023, IBM found that the average global cost of data breach was more than $4 million. Costs increase in industries like healthcare, where the average cost of a data breach was $11 million.
Effective cybersecurity laws protect users from cyber attacks. This includes protections from phishing schemes, ransomware attacks, identity theft, data breaches, and financial losses. On both the state and national levels, cybersecurity laws aim to strengthen the tracking, prevention, and mitigation of cyber threats. They bolster the cybersecurity efforts undertaken by private companies and the government itself. For consumers, cybersecurity and data protections make up the foundations of online data privacy. Laws like HIPAA, the GDPR in Europe, and CCPA in California govern how personal data is transferred and processed.
U.S. Government Approaches to Cybersecurity
Cybersecurity is especially sensitive for the United States government. Bad actors may use cyber threats to gain access to sensitive information, government employees’ data. Further, a ransomware attack could have grave impacts. National security, the military, and critical infrastructure are all at risk.
Threats to America’s digital infrastructure necessitate government adoption of cybersecurity best practices. Best practices should also extend to public agencies, companies, and private corporations. These efforts include:
- Presidential strategies
- Cybersecurity laws and regulations passed by Congress
- Directives and initiatives by federal agencies
The Role of Government Agencies
The U.S. Department of Homeland Security plays a leading role in cybersecurity. The agency aims to strengthen cybersecurity resilience across key infrastructure sectors. One key department under Homeland Security is The Cybersecurity and Infrastructure Security Agency (CISA.) CISA leads efforts to understand, manage, and reduce risks to our cyber and physical infrastructure. It serves two key roles. CISA serves as the operational lead for federal cybersecurity efforts. It also acts as a national coordinator for critical infrastructure security and resilience.
Many other federal executive roles and agencies play key roles in cybersecurity policymaking. This includes advising the White House and ensuring that existing regulations, laws, and executive orders are followed. This includes:
- The National Cyber Director, who advises the White House on cybersecurity policy and strategy.
- The National Cybersecurity Strategy, which President Biden signed into law in March of 2023. The Strategy is less a cybersecurity law and more a blueprint documenting challenges and best practices in sectors reliant on cybersecurity.
- The Cyber Safety Review Board, which operates under CISA. The Board is a public-private-partnership that reviews significant cybersecurity threats in both the public and private sector.
- The Office of Management and Budget (OMB), which approves and enforces information security requirements under federal law for “federal systems.” OMB also oversees the Chief Information Officers Council. The Council consists of the chief information officers for each federal agency.
- The U.S. Department of Justice handles most enforcement and prosecution. It works with other agencies like the Secret Service and Department of Defense to handle certain intelligence, law enforcement, or military-related investigations.
Cybersecurity Laws and Regulations for Protecting Sensitive Information
There are many cybersecurity laws and regulations that govern the United States. This legislative framework consists of state, federal, and international measures.
U.S. Federal Laws
The federal government has taken significant action on cybersecurity spanning decades. Read below to learn about three key laws.
The Health Insurance Portability and Accountability Act (HIPAA)
Passed in 1996, HIPAA is one of the first data regulation laws. HIPAA focuses solely on healthcare data. It created national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA has also evolved alongside technological advancements. The law now reflects the digitization of healthcare data, what with the implementation of electronic medical records and digital patient data.
HIPAA also set forth reporting requirements for cybersecurity breaches. It imposes fines depending on the severity of the incident. Federal agencies like the Federal Trade Commission are also involved with investigating and collecting fines related to cyber breaches.
The Gramm-Leach-Bliley Act
Passed in 1999, the Gramm-Leach-Bliley Act regulates cybersecurity practices in the financial industry. It requires financial institutions offering products or services like loans, investment advice, or insurance to explain their information-sharing practices to their customers. Financial institutions must also take steps to safeguard sensitive data. The Gramm-Leach-Bliley Act created three main rules:
- A privacy rule that ensures the protection of consumers’ personal financial information
- A safeguards rule requiring security measures to prevent data breaches
- A provision that prohibits deceptive methods of obtaining personal financial information
The Federal Information Security Management Act (FISMA)
FISMA was passed as part of the 2002 Homeland Security Act. The law requires the Director of the OMB to oversee federal agency information security policies and practices. FISMA also requires each agency to provide information on their information security practices. The Act has been amended several times since its passage in 2002. In 2014, it added Homeland Security as a key partner in federal cybersecurity efforts.
State and International Law(s)
Beyond federal cybersecurity laws and regulations, several key state and international measures govern cybersecurity best practices in the United States.
The General Data Protection Regulation (GDPR)
Created in 2016 and launched in 2018, GDPR is the European Union’s (EU) cybersecurity law. GDPR created regulations and standards about collecting, storing, and managing data on companies. Any company in the world that targets or collects data related to people in the EU is subject to GDPR. GDPR also created fines against those who violate privacy and security standards. The largest fine imposed by the EU was 1.2 billion euros against Meta in 2023.
The California Consumer Privacy Act (CCPA)
The CCPA became law in response to GDPR. It serves as a de-facto national data privacy law. The law applies to any company – inside or outside of the state – that collects data from California citizens. The CCPA standardized privacy rights around consumer data. It includes rights for consumers to opt-out of sharing their data and personal information to websites and apps. These include:
- The Right to Know
- The Right to Delete
- The Right to Opt-Out of Sale
- The Right to Correct
- The Right to Limit
- The Right to Non-Discrimination
The Importance of Understanding Cybersecurity Policy
Cybersecurity is a key interest for national security and companies large and small. Preventing cybersecurity threats is a key aspect of CISA’s 16 critical infrastructure sectors. Any cybersecurity threat could jeopardize these critical industries and sectors, endangering Americans and our infrastructure.
The same can be said for protecting individual data. With almost all of our data online, the risk of unwanted parties accessing and using personal, sensitive information is a almost a given. The current patchwork of laws and regulations help ensure that the public and private sectors follow cybersecurity best practices.
Cybersecurity policy in itself is often complicated. Federal cybersecurity laws mix with international and state compliance, presidential strategic initiatives, and specific regulations in crucial sectors. Overall, cybersecurity laws and policy will continue to evolve. Best practices and emerging technologies like artificial intelligence will shape the course of this evolution.
Plural for Insights Into Cybersecurity Laws
Plural is the legislative tracking tool of choice for those seeking to monitory cybersecurity laws and regulations. With Plural, you’ll:
- Access superior public policy data
- Be the first to know about new bills and changes in bill status
- Streamline your day with seamless organization features
- Harness the power of time-saving AI tools to gain insights into individual bills and the entire legislative landscape
- Keep everyone on the same page with internal collaboration and external reporting all in one place
Create a free account or book a demo today!