United States Cybersecurity Laws – Part I

Cybersecurity is paramount to secure online communications whether they are for sending or receiving sensitive or confidential information – e.g., trade secrets, intellectual properties, financial information. Many people assume they are protected on the internet when transferring or receiving files over computer networks. They may attach tax-related documents to their message and press the send button without hesitation. What most people do not realize is that information may be intercepted without authorization. Now, most laws require “reasonable security measures” to ensure the privacy of confidential records.

What are the state laws?

There is no single state law that applies to all cybersecurity-related issues. So, every state has promulgated several statutes in order to address and promote cybersecurity. These state laws are usually similar in their nature and scope. For example, California recently passed the California Consumer Privacy Act (“CCPA”) codified under Civil Code Sections 1798.100, et seq., to enhance consumer privacy rights. It grants consumers the right to know what kind of personal information is being collected about them, whether the personal information is sold or disclosed, to refuse the sale of their personal information, to gain access to their personal information, to request deletion of their personal information, and to not be discriminated against for exercising their privacy rights.

What are the federal laws?

There is no single federal law that applies to all cybersecurity-related issues. The federal government has promulgated several statutes to address and promote cybersecurity. For example, the Federal Trade Commission Act (“FTC Act”) was designed to prohibit unfair and deceptive practices and to require companies to implement proper security measures to prevent cybersecurity violations such as data breaches.

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (“CFAA”) is designed to prohibit cybercrime. It is a pseudo-criminal and civil statute that provides criminal and civil penalties. It prohibits any kind of unauthorized access to a computer that is used in interstate or foreign commerce. It also prohibits unauthorized access to a non-public computer that is used by the government or knowingly accessing a protected computer without authorization and with the intent to defraud.

Electronic Communications Protection Act

The Electronic Communications Protection Act (“ECPA”) is designed to protect electronic communications that are in transit and storage. It has the following subsequent titles: Title I (Wiretap Act), Title II (Stored Communications Act), and Title III (Pen Register Act). The Wiretap Act (18 U.S.C. § 2510, et seq.) is intended to prevent the interception of wire, oral, and electronic communications while in transit. The Stored Communications Act (18 U.S.C. § 2701, et seq.) is intended to prevent access to stored electronic communications while at rest, such as stationary emails. The Pen Register Act (18 U.S.C. § 3121, et seq.) addresses issues related to pen registers and trap and trace devices, which provide non-content information regarding the origin and destination of communications. The courts have held that this kind of information is not subject to the usual reasonable expectation of privacy since the communication service providers already have access to it.

What are the international laws?

The internet has given its users a long list of benefits. It has opened the door to possibilities that did not exist before its invention. But, with every benefit comes a disadvantage. According to the Georgetown Law Library, the most common disadvantage is its security vulnerabilities, which stem from its decentralized and multi-stakeholder model. The following institutions govern the internet at this time: (1) Internet Engineering Task Force (“IETF”), which is responsible for network protocol developments; and (2) Internet Corporation for Assigned Names and Numbers (“ICANN”), which manages domain name and Internet Protocol address allocations.

The expansion of e-commerce transactions has led businesses and their customers to use the cloud for sending and receiving information. This has caused a systematic increase in international transactions over the internet. So, various international organizations have passed legislation to regulate these international transactions. For example, the European Commission started the Digital Single Market Initiative to create standard laws, to allow access to online products and services, and to promote digital network conditions within the European Union. Then, it initiated the General Data Protection Regulation (“GDPR”), which is meant to address the transfer of personal information outside of the European Union.

Our law firm assists clients in matters related to cybersecurity. It’s important to know your legal rights and responsibilities when involved with internet transactions. Please contact our law firm to speak with an internet attorney at your earliest convenience.