Management, compliance & auditing

U.S. privacy and cybersecurity laws — an overview

John Bandler
September 20, 2022 by
John Bandler

Information security professionals can improve themselves and their ability to serve their organizations by learning about the laws applying to privacy and cybersecurity.

In earlier articles, I discussed why infosec pros should learn about the law, the foundations of U.S. law, and the Certified Information Privacy Professional (CIPP)/U.S. learning path. Now it is time to zoom in on privacy law.

Privacy vs. cybersecurity

Privacy intersects significantly with cybersecurity. The quick general takeaway is that every privacy law impacts cybersecurity. For example, all these laws recognize that consumer data should be held with a reasonable degree of security to prevent breaches or leaks and require notification of any data breaches. This Venn diagram shows how they intersect.

Privacy vs. Information Security and Cybersecurity

Copyright John Bandler 2022. All rights reserved.

The intersection of the two circles is not to scale — it is probably a greater overlap, but it is not a science.

As many readers will appreciate, cybersecurity and information security are about protecting an organization's information assets, keeping data and systems secure and ensuring their confidentiality, integrity and availability. Organizations in some regulated sectors may be legally required to take measures to protect and keep systems running. Other laws and regulations may require notification after certain personal data breaches or require consumer data to be secured with reasonable cybersecurity. 

Organizations may hold personal data of consumers, customers, clients and employees. This data is regulated by privacy laws that include the above provisions (breach notification and reasonable cybersecurity) plus consumer notice and choice. 

There are four main types of privacy:

  • Information privacy (data privacy)
  • Communications privacy
  • Territorial privacy 
  • Bodily privacy

Our primary focus is on information privacy—consumer data and how it is collected, stored, used and shared. This emerging area of law gives consumers rights and imposes obligations on organizations. One part of privacy is cybersecurity for consumer data plus breach notification. Other aspects of privacy include consumer notice and choice, privacy practices and the collection, use and sharing of data. 

Federal vs. state 

It is often said that U.S. privacy and cybersecurity law is a patchwork of different rules from many places and with varying applicability. Some come from the federal government and some from the fifty states, plus districts and territories.

Federal laws and regulations may apply generally throughout the country or only to specific sectors, such as finance or health. The Federal Trade Commission (FTC) Act protects consumers against unfair or deceptive trade practices, which provides certain privacy protections for consumers, but it is not a dedicated privacy law. 

No generally applicable federal law specifically extends privacy rights to consumers or requires security measures or data breach notifications. Bills have been submitted on these issues, but none have passed yet. Some federal laws and regulations pertain to regulated sectors, such as finance, health, and education.

Each state can pass laws relating to data breach notification, cybersecurity and privacy, and many have chosen to do so. California, Connecticut, Virginia and others have enacted comprehensive privacy laws. Every state has data breach notification laws, and many require specific cybersecurity measures. 

Organizations need to evaluate what federal and state laws apply to them.

Law vs. regulation

Here’s the difference between a law and a regulation and how they relate.

A law is passed through the legislative process. After being approved by the legislature, it goes to the executive (president or governor), who signs it into law.

Some laws create a regulator (e.g., the FTC, Federal Deposit Insurance Corporation (FDIC), or Department of Health and Human Services, and empower the regulator to issue more detailed rules or regulations and enforce them. GLBA and HIPPA are federal privacy-related laws allowing a regulator to create more detailed regulations. A regulated organization must comply or face the consequences such as monitoring, fines, or loss of the license needed to operate. 

There are many federal and state regulators. States license hospitals, banks and other businesses; with those licenses comes the responsibility to comply with the state rules, including those on privacy.

Should we panic and feel overwhelmed or learn, synthesize and improve?

We have a large and complex patchwork of laws and regulations on privacy and cybersecurity from state and federal governments. Even experienced lawyers might feel overwhelmed, but they should not, and neither should you.

We need to keep our eyes on the spirit of these legal requirements and try in good faith to comply and continually improve with effective management, protection, and transparency. I suggest four main points:

  • Inform consumers about their data— what is collected, stored, shared, and used. Give them choices. Keep your promises.
  • Protect consumer data from breaches and leaks.
  • Protect your organization’s information assets.
  • Continually improve.

Once we master these concepts, we can start looking at each applicable law or regulation in more detail and how to synthesize various legal requirements for compliance and protection.

Conclusion

Privacy intersects with cybersecurity, and we look to a mixture of federal and state laws and regulations. By looking at the big picture and the spirit of the laws as guides, we protect our organizations and comply with emerging requirements. The next step is diving into legal requirement details to ensure legal compliance and good business practices.

For more details on privacy, look at my Infosec CIPP/US certification learning path. And, if you are working on a privacy or cybersecurity document project, my learning path on policies and procedures is coming soon.

John Bandler
John Bandler

John Bandler is a lawyer, consultant, speaker, teacher, and author in the areas of cybersecurity, cybercrime, privacy, investigations, and more. He is the founder of Bandler Law Firm PLLC and Bandler Group LLC, legal and consulting practices that help organizations and individuals with cybersecurity, the prevention and investigation of cybercrime, privacy, legal compliance, and more.

John has expertise in many subjects, holds a number of certifications, and is a prolific writer and speaker. He is the author of Cybersecurity for the Home and Office, a comprehensive guide to understanding and improving information security. His second book is Cybercrime Investigations, an extensive resource regarding the law, technology, process, and skills for the investigation of cybercrime. John has authored many articles on a range of topics, teaches students at the undergraduate, graduate, and law level, and provides training for professionals.

Before entering private practice, John served in government for more than twenty years as a prosecutor, police officer, and military officer. John was hired as an assistant district attorney at the New York County District Attorney’s Office by the legendary Robert M. Morgenthau, where he investigated and prosecuted the full range of offenses including traditional crime, cybercrime, the global trafficking of stolen data, and virtual currency money laundering. Before that, he served for eight years as a state trooper in the New York State Police, assigned to a busy patrol station providing full services to the local community. He also served in the Army Reserves.