Federal privacy and cybersecurity enforcement — an overview

January 30, 2023 by John Bandler

The federal government creates and enforces federal laws and regulations regarding privacy and cybersecurity. As we dive into that, we should put it within the broader perspective of the patchwork of state and federal requirements for privacy and cybersecurity rules. In earlier articles, I discussed federal and state privacy and security laws, why infosec pros should learn about the law, the foundations of our country’s laws and the CIPP/US learning path for privacy and the leading privacy certification. 

The U.S. government, in theory, is a limited government

In theory, our federal government has limited power with only specifically enumerated abilities. In practice, it has immense authority, including its power over interstate commerce and its ability to tax and spend. 

Our U.S. government has not enacted any laws of general application regarding privacy and cybersecurity, which is one reason states are now creating laws to fill the void. Federal bills (proposed laws) have been put forth, but none have passed yet.

An existing federal consumer protection law has been applied to cybersecurity and privacy, even though it does not mention those terms in the law. There are also sector-specific federal laws and regulations relating to cybersecurity and privacy that apply to industries such as finance and health. 

FTC enforcement and the FTC Act

The Federal Trade Commission (FTC) Act of 1914 established the FTC and has been amended over the years. The FTC is a government agency with some independence from the executive branch since five appointed commissioners run it. The FTC protects consumers against unfair or deceptive trade practices under Section 5 of the FTC Act. While this is not a dedicated privacy law, it has been interpreted and enforced to provide certain privacy protections for consumers and thus is the main federal privacy law of general application.

One takeaway of this legal requirement is that organizations need to make accurate statements to consumers about their cybersecurity and privacy practices (to avoid being “deceptive”), and poor cybersecurity is arguably an “unfair” trade practice.

Federally regulated sectors

The federal government regulates specific sectors and has passed laws relating to privacy and cybersecurity. Those laws may create or empower regulators — the many departments and agencies that oversee the financial sector, health sector, utilities and others. These laws also authorize regulators to create regulations that are essentially more detailed rules. 

Financial sector federal laws

The Gramm-Leach-Bliley Act (GLBA) and Sarbanes–Oxley Act (SOX) are examples of federal laws that led to further regulations which impose requirements upon the financial sector for privacy and information security. The laws and regulations may be updated occasionally, and assorted federal regulators enforce these. These rules protect consumer information from cybercriminals and marketing, and ensure our financial system's resilience, safety and soundness.

Health sector federal regulation

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 are federal laws that impose privacy and security requirements on the health sector. The U.S. Department of Health and Human Services (HHS) is the enforcer here. 

Our health information is among the most private, and HIPAA was one of our country’s first important privacy laws. As a state trooper when HIPAA was passed, I remember the increased need to obtain a written HIPAA waiver from assault victims so that the prosecutor could obtain relevant medical records needed to prove the assault.

Education sector federal rules

Educational information is also highly personal and a target of those who market educational products. The federal Family Educational Rights and Privacy Act (FERPA) provides privacy protections for students and imposes requirements on organizations that collect federal educational funds. Those rules are enforced by the U.S. Department of Education (ED).

Critical infrastructure

Many critical infrastructure sectors are already regulated, including finance, health and utilities; our government recognizes the damage that digital attacks can cause to our country. Nation states, cybercriminals and natural disasters all threaten our digitally dependent country.

In early 2022 the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law, empowering the Cybersecurity and Infrastructure Security Agency (CISA) to issue regulations and to receive reports of cybercrime and cyber incidents. These regulations have yet to be issued.

Federal privacy and cybersecurity law: One patch of a big quilt

Federal privacy and cybersecurity law is an important part of our evolving framework of legal requirements. Remember, they are one significant part of a large quilt of privacy and cybersecurity law, far from finished, with many holes and ragged edges. So our patchwork is a work in progress and will remain so as society, technology and threats evolve.

We will next turn to state rules and state enforcers. While our federal government is, in theory, “limited,” the states have full powers within their borders — referred to in constitutional law as a general “police power.” 

Despite the word "police," this power extends far beyond law enforcement. States can and have passed general laws on cybersecurity, breach notification and privacy. They also license hospitals, banks, utilities, individuals and more. With a license comes the obligation to comply with specific rules, which often will include privacy and cybersecurity.

For more details on privacy, look at the CIPP/US certification learning path. If you are planning a policy, procedure or other document project for your organization relating to cybersecurity or privacy, stay tuned for my forthcoming learning path on policies and procedures, titled “Corporate Security Policies.”

John Bandler

John Bandler is a lawyer, consultant, speaker, teacher, and author in the areas of cybersecurity, cybercrime, privacy, investigations, and more. He is the founder of Bandler Law Firm PLLC and Bandler Group LLC, legal and consulting practices that help organizations and individuals with cybersecurity, the prevention and investigation of cybercrime, privacy, legal compliance, and more.

John has expertise in many subjects, holds a number of certifications, and is a prolific writer and speaker. He is the author of Cybersecurity for the Home and Office, a comprehensive guide to understanding and improving information security. His second book is Cybercrime Investigations, an extensive resource regarding the law, technology, process, and skills for the investigation of cybercrime. John has authored many articles on a range of topics, teaches students at the undergraduate, graduate, and law level, and provides training for professionals.

Before entering private practice, John served in government for more than twenty years as a prosecutor, police officer, and military officer. John was hired as an assistant district attorney at the New York County District Attorney’s Office by the legendary Robert M. Morgenthau, where he investigated and prosecuted the full range of offenses including traditional crime, cybercrime, the global trafficking of stolen data, and virtual currency money laundering. Before that, he served for eight years as a state trooper in the New York State Police, assigned to a busy patrol station providing full services to the local community. He also served in the Army Reserves.