The United States generally addresses cybersecurity through sector-specific statutes, regulations and private industry requirements.
At the federal level, numerous agencies impose cybersecurity standards through a variety of regulatory and enforcement mechanisms. For example, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) (and implementing regulations and agency guidance) require entities in the financial services and health sectors, respectively, to employ technical, administrative and physical safeguards to protect customer information from unauthorised access or use. Several states have also implemented financial or health sector cybersecurity requirements. Perhaps most notably, the New York Department of Financial Services (NYDFS) has issued cybersecurity requirements for financial services companies licensed under New York law.
The Federal Information Security Management Act (and implementing guidance) establishes cybersecurity standards for federal government agencies and their contractors. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide programme that provides a standardised approach to security assessments, authorisation and continuous monitoring for companies providing cloud services to federal civilian agencies. Provisions of the Department of Defense (DoD) Defense Federal Acquisition Regulations Systems (DFARS) mandate the use of cybersecurity-related contract clauses in nearly all DoD contracts and subcontracts. The DFARS regulations include requirements with respect to security controls and cyber incident reporting. The Federal Acquisition Regulations (FAR) Council has also issued its own rule, which is intended to prescribe ‘the most basic level’ of safeguards for acquisitions by US federal executive agencies when a contractor’s information systems may contain ‘Federal contract information’. The FAR rule requires contractors to implement a set of safeguards that are a subset of those required under the DFARS rule.
The Federal Trade Commission (FTC) is the main federal consumer protection agency responsible for enforcing the FTC Act’s prohibition on ‘unfair and deceptive acts or practices’. Using this authority, the FTC frequently enforces minimum security requirements with respect to entities collecting, maintaining or storing consumers’ personal information. In June 2015, the FTC issued ‘Start with Security’ guidance, which identifies the FTC’s lessons learned from over 50 data security enforcement actions brought by the FTC since 2001. This guidance advises companies to incorporate a series of 10 lessons learned, ranging from authentication controls to network segmentation. In mid-2018, a federal appellate court vacated an FTC order issued against a company for allegedly ‘unreasonable’ security practices in violation of the FTC Act. The court held that the FTC’s order had failed to direct the company to cease committing any specific unfair acts or practices and instead imposed only the general requirement that it maintain a ‘comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers’. Although the court avoided the broader issue of whether the alleged security failings constituted ‘unfair’ business practices under the FTC Act, the decision raised questions about parts of the FTC’s prior data security consent orders and may cause the FTC to shift its approach in future data security enforcement actions.
The Sarbanes-Oxley Act of 2002 (and implementing regulations) requires publicly traded companies to maintain a system of internal controls over financial reporting. Regulatory guidance states that ‘[m]anagement’s evaluation of the risk of misstatement [of financial reports] should include consideration of the vulnerability of the entity to fraudulent activity . . . and whether any such exposure could result in a material misstatement of the financial statements.’ To meet these requirements, companies are audited to determine the extent to which they maintain a series of IT ‘general controls’ on systems designated as related to financial reporting. In early 2018, the Securities and Exchange Commission (SEC) approved an interpretive release updating guidance on public company disclosures and other obligations concerning cybersecurity matters. Much of the guidance is devoted to reiterating and expanding upon earlier staff guidance, which was issued to assist companies in assessing what disclosures might be required about cybersecurity risks or incidents. The new guidance further illustrates potential disclosures that companies should consider, stresses the importance of cybersecurity policies and procedures, and discusses the application of disclosure controls and procedures, insider trading prohibitions, and selective disclosure prohibitions in the cybersecurity context. Recognising that the cybersecurity landscape continues to shift, the SEC’s chair noted that the SEC ‘will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed’.
Some subject-matter specific cybersecurity standards focus narrowly on a single constituency or a single government agency. For example, the Veterans Affairs Information Security Enhancement Act, passed in 2006 as part of the Veterans Benefits, Health Care, and Information Technology Act, requires the Department of Veterans Affairs (VA) to implement agency-wide information security procedures to protect sensitive personal information held by the VA and VA information systems. The Food and Drug Administration (FDA) has issued guidance on considerations for the post-market management of cybersecurity in medical devices. The guidance states that medical device cybersecurity is a shared responsibility among stakeholders, including healthcare facilities, patients, providers and manufacturers of medical devices. It recommends that companies address cybersecurity vulnerabilities during the design and development of medical devices, and also states that manufacturers should address cybersecurity vulnerabilities after medical devices have entered the market. The FDA recently issued a draft revised version of the premarket guidance, as well as a cybersecurity ‘playbook’ for healthcare delivery organisations focused on promoting cybersecurity readiness.
There have also recently been numerous legislative proposals to regulate the security of certain sectors, including the automotive sector, data brokers, certain energy companies and internet of things manufacturers.
In addition to the sector-specific regulations described above, a handful of states have adopted general security requirements that apply to companies conducting business in their state, collecting personal information about residents or citizens of their states, or both. A primary example is the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth. These regulations require companies collecting personal information about Massachusetts residents to develop written information security programmes containing administrative, technical and physical safeguards. Other states have enacted narrower requirements, such as security requirements for particularly sensitive information (eg, payment card data, mental health information) and secure disposal requirements for electronic or paper media containing sensitive personal information.
In the criminal context, the Computer Fraud and Abuse Act (CFAA) outlaws intrusions into or interference with the security of a government computer network or other computers connected to the internet. In addition, several federal surveillance laws prohibit unauthorised eavesdropping on electronic communications, which can limit a variety of cybersecurity activities. For example, the Electronic Communications and Privacy Act (ECPA) prohibits unauthorised electronic eavesdropping. The Wiretap Act prohibits the intentional interception, use or disclosure of wire, oral or electronic communication, unless an exception applies. The Stored Communications Act (SCA) precludes intentionally accessing without authorisation a facility through which an electronic communication service is provided and thereby obtaining, altering or preventing authorised access to a wire or electronic communication while it is in electronic storage.
Beyond regulatory standards, many organisations are subject to voluntary standards or are required by contract to comply with cybersecurity requirements. Of particular note, the payment card industry in the United States establishes its own cybersecurity standards (the Payment Card Industry Data Security Standards (PCI-DSS)) that apply to merchants or vendors that process payment card data. The federal government has also focused substantially in recent years on the establishment of voluntary cybersecurity requirements, particularly for critical infrastructure entities, which are generally entities that provide vital services to a large part of the population. In 2013, President Obama issued Executive Order 13636, ‘Improving Critical Infrastructure Cybersecurity’, to establish a process for the government to create voluntary cybersecurity standards applicable to critical infrastructure entities. Pursuant to this Executive Order, the National Institute of Standards and Technology (NIST) issued a voluntary ‘Cybersecurity Framework’, which provides a risk-based approach to cybersecurity and references various national and international standards. NIST’s role in facilitating and supporting the development of the Framework was codified in the Cybersecurity Enhancement Act of 2014. President Trump’s cybersecurity Executive Order 13800, ‘Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure’, requires federal agency heads to implement the NIST Cybersecurity Framework, further encouraging broad adoption of the voluntary risk-based standard.