Cybersecurity and Privacy Rules

Cybersecurity and privacy rules have changed the landscape of the private and public sectors. State and federal rules are changing how private and public organizations manage their operations. These rules address privacy, security and regulation in all jurisdictions, but uniformity is an issue. Therefore, state and federal legislators should ensure uniformity to avoid regulatory and enforcement contradictions.

The State of California has enacted laws to promote cybersecurity within its jurisdiction. For example, Assembly Bill 89 (“AB 89”) was enacted to ensure that information sharing is conducted in a way that protects an individual’s privacy, civil liberties, and confidential information, preserves business confidentiality, and enables public officials to detect, investigate, and prevent network security breaches. California has also enacted the California Consumer Privacy Act (“CCPA”), which allows individuals to file a legal action against businesses that fail to implement and maintain reasonable security measures to protect their personal information. “Reasonable security measures” may include using a firewall, encryption, and intrusion detection software on the business’s computer networks.

The State of New York has enacted laws to promote cybersecurity within its jurisdiction. For example, it has passed the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) to protect consumers from exposure of private information through cybersecurity attacks. This statute is designed to increase data protection and data breach notification requirements for commercial enterprises. It is meant to hold business organizations responsible for gathering and storing consumer personal information, which may include a name, address, telephone number, email address, date of birth, and social security number.

The federal government has passed several statutes to promote cybersecurity. First, the Health Insurance Portability and Accountability Act (“HIPAA”) was enacted to protect a patient’s medical information. Second, the Gramm-Leach-Bliley Act (“GLBA”) was enacted to protect consumer financial information such as bank records and files. Third, the Homeland Security Act (“HSA”) was enacted to prevent domestic terrorist attacks on the government. Fourth, the Computer Fraud and Abuse Act (“CFAA”) was enacted to prevent hackers from infiltrating a computer system without authorization. In essence, it’s a pseudo-civil and criminal statute that can be used in civil and criminal legal actions. In other words, plaintiffs have used this statute to prove unauthorized access to their computer systems. Fifth, in 2015, the Cybersecurity Act (“Cybersecurity Act”) was enacted to establish a method for information sharing between the private sector and federal government agencies. It has the following three subparts: (1) The Cybersecurity Information Sharing Act (“CISA”), an information sharing framework between the public and private sectors; (2) The Federal Cybersecurity Enhancement Act, which has implemented a program to deploy traffic monitoring devices and special technologies (e.g., Intrusion Detection Software) across the federal government’s networks. The technology is known as “EINSTEIN” and it is supposed to be available to all federal government agencies; and (3) The Federal Cybersecurity Workforce Assessment Act, which requires the heads of all federal agencies to identify the positions that perform cybersecurity work and report to Congress how many of the people in those roles have met the appropriate certification and training requirements.

The international community has also passed laws to promote cybersecurity. For example, in 2004, the Budapest Cybercrime Convention (also known as the “Convention on Cybercrime”) was passed to fight against cybercrime. It obligates its signatories to pass regulations to prosecute cybercriminals in their jurisdictions. It is the first international treaty that addresses internet crimes by promoting cooperation between foreign nations. This treaty faces certain prosecutorial challenges such as extradition and mutual legal support. However, there is no single international law or treaty that addresses all cybersecurity and privacy-related issues. Therefore, it is necessary to enact a series of international laws or treaties that would sufficiently address all issues.

Our law firm assists clients in matters related to cybersecurity and privacy. It’s important to know your legal rights and responsibilities when involved with national and international internet transactions. Please contact our law firm to speak with a cybersecurity attorney at your earliest convenience.