Cybersecurity law is a highly dynamic field that encompasses legal, policy, and technical considerations. Firms increasingly seek cybersecurity specialists who understand the laws and regulations that govern these fields.
An effective path toward becoming a cybersecurity legal specialist involves earning a Juris Doctor (J.D.) degree and passing the state bar exam, followed by enrolling in an LLM program. This approach typically suits lawyers in their early to mid career who have the time and finances available.
Federal Information Security Management Act (FISMA)
FISMA was passed into law in 2002 and remains one of the cornerstones of cybersecurity legislation in the U.S. It requires every federal agency to create, document, and implement a comprehensive information security program in order to safeguard both sensitive data and the systems that support its operations and assets.
FISMA provides a framework to protect government information, operations, and digital assets against natural disasters and human-caused threats. Last revised in 2014, this law applies to private and public organizations, federal agencies, contractors, and vendors.
To comply with FISMA, agencies must maintain an inventory of their information systems, identify integrations between systems, and assess the risk associated with each one.
Security assessments help organizations determine whether their information systems meet their requirements for information security and ensure there are enough controls in place to protect the information stored there. If not, organizations must put measures in place before processing any data or using software applications.
FISMA violations can bring many consequences, such as congressional censure, reduced federal funding, reputational harm, loss of future contracts, and a weaker cybersecurity infrastructure.
Compliance with FISMA can give companies doing business with federal agencies a distinct competitive edge when trying to gain new contracts from them, as well as help prevent data breaches and improve incident response plans.
Sarbanes-Oxley Act (SOX)
SOX (Sarbanes-Oxley Act) is a set of legal standards regulating how companies report their financial transactions. Introduced in 2002 following high-profile corporate fraud scandals involving Enron, Tyco, and WorldCom, SOX was designed to enhance reporting practices while rebuilding trust between businesses and their communities.
SOX mandates that companies adhere to certain standards to ensure accurate finances and to secure information from being compromised or misused, with enforcement by the Securities and Exchange Commission (SEC).
Due to SOX regulations, companies must establish and implement an internal control framework in order to oversee the management of their finances. Although this can be expensive initially, the long-term savings can make up for it by ensuring their records remain accurate and secure.
SOX compliance may not be required of every company, but it may be essential for a company planning an IPO. Furthermore, SOX helps shield a business against cyber attacks by making employees aware of threats and providing the resources necessary for mitigation.
An organization meeting SOX compliance requirements for cybersecurity must regularly update network, application, firewall, database, and operating system administrator passwords in order to prevent unauthorized access to sensitive data structures, and must track any changes made that might indicate fraudulent activity.
SOX also mandates that companies document procedures for handling whistleblowers, which is especially essential in private companies as any form of retaliation against them can lead to criminal penalties.
Companies subject to SOX compliance guidelines should seek the advice of a cybersecurity consultant when developing their cybersecurity program in order to comply with these standards and protect employees, customers and financial information from threats.
New York State SHIELD Act
The New York State SHIELD Act places many obligations upon organizations that own or license computerized private information about New York residents. It also expands the types of data that require notification if breached, such as biometric information (whether generated through facial recognition software or otherwise); email addresses combined with passwords; Social Security numbers; driver's license or non-driver ID card numbers; and account numbers containing debit/credit card data, with or without security/access codes.
The New York SHIELD Act will go into effect on March 21, 2020 and covers businesses that collect personal information from New York residents, as well as those that exchange it among themselves and with business partners. Unfortunately, it does not exempt organizations that maintain public information from its requirements.
As such, businesses should perform regular audits to assess whether any New York resident personal information they hold falls under these new laws, and to identify in advance who must be notified in case of a breach. By maintaining regular checks, businesses will stay organized and be better positioned to comply quickly if an incident arises that requires reporting.
Keep in mind that this law does not create any exemptions for small businesses – an important change from previous privacy legislation.
New York law mandates that businesses issue data breach notifications to both affected New York residents and the New York State Attorney General within an established timeframe, including all relevant information that enables recipients to understand what has occurred and its effects. If more than 5,000 residents were affected by an incident, consumer reporting agencies must also receive notice of said data breach.
European Union General Data Protection Regulation (GDPR)
GDPR, or General Data Protection Regulation, was officially implemented across European Union member countries on May 25, 2018, replacing the 1995 Data Protection Directive with stringent new rules to safeguard customer information.
EU officials claim GDPR was designed to safeguard citizens' rights and foster an economy characterized by smart business decisions. Businesses will have to ensure adequate safeguards are in place before using data for any purpose; meeting this standard will force many of them to invest in new systems and processes.
Survey results among CEOs revealed that technology, online retail, and software firms were among those most likely to be affected by the changes. Such organizations will need to put new data security policies in place and educate employees about compliance with the law.
Under GDPR, an individual's IP address and cookies are considered personal data, meaning companies will need to safeguard this data just as they would protect a person's name, address, and Social Security number.
However, GDPR also requires each entity to assess on an individual basis whether its processing activities fall within the regulation's jurisdiction. It applies only to entities established within the EU that process personal data pertaining to data subjects residing within it, or that monitor behavior taking place within it.
Under the GDPR, each EU member state has its own supervisory authority for data protection, known as a Data Protection Authority (DPA), responsible for upholding local GDPR requirements and publishing guidance to help companies understand their obligations. Furthermore, the EU-wide European Data Protection Board (EDPB), composed of representatives from each DPA and one European Commission representative, helps ensure consistent interpretation of the law across Europe.
Federal Acquisition Regulation (FAR)
The Federal Acquisition Regulation (FAR) serves as the main set of rules governing the procurement of goods, services, and construction projects by the United States Government for its various agencies, from military units and NASA space programs to civilian agencies.
FAR applies to information systems accessed and used by contractors performing government contracts, and serves as a key regulatory tool that helps companies establish and implement security policies.
This rule establishes the minimum safeguarding standards that a contractor should follow to protect information systems that process, store, or transmit information provided by or for the Federal Government, or by other entities for contract performance, where the information's sensitivity or impact level does not justify higher levels of protection. These standards cover training on information system safeguarding; penetration or vulnerability testing and evaluation reports; detecting, reporting, and responding to security incidents; encryption at rest; cybersecurity insurance; and incident response coordination.
Section 4 of this executive order mandates that DHS recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to meet the requirements issued under the executive order and to attest to their compliance. Once DHS makes such recommendations, the FAR Council will review and amend the FAR as necessary to ensure that contractors' information systems are protected against cyber threats.
The Executive Order also instructs DHS to create a framework that supports incident response and data sharing between vendors and agencies, in particular those contracted with them. These efforts aim to ensure that companies (1) collect and preserve data on all systems; (2) share data related to confirmed or potential cyber incidents with the agencies they contract with; and (3) collaborate on responding to confirmed or potential incidents through coordinated responses, such as installing technical updates on systems. This portion of the order remains open in FAR case 2021-017, with its Notice of Proposed Rulemaking comment period closing in April 2022.