Cyber Security legislation in the United States varies by state and industry massively. This article aims to act as a resource for US businesses to understand their legal obligations, the industry best practices and what to do if you suffer a data breach or cyber scam.
This article was a collaborative effort between TurgenSec and several industry experts. It was published on the 22nd of October 2019, please note that legislation may have changed since then. This article will be updated to best reflect the current legislation. See the below update log:
- 22nd October 2019 – Article Published
- 3rd November 2019 – Scraping Information Added
Different laws and obligations apply if you are a UK based business. We have another article covering the UK obligations. It can be found here.
Disclaimer: The advice and guidance in this article should not be considered legal advice and you should always consult with your solicitor or legal representation before taking any actions.
The existing legislation on cyber security varies by state and industry. California currently (16th October 2019), has the most advanced data privacy and cyber security legislation in place.
Although it is not a legal requirement to abide by these laws if you are not in California, the legislation falls in line with the current trend for federal legislation and the rest of the country will likely catch up soon.
For this reason it is strongly advised that you adhere to the Californian standards.
The CCPA and other California privacy laws are what business owners need to look toward today to stay out of hot water.KJ Dearie | Privacy Consultant at Termly
Due to the industry by industry nature of the legislation covering cyber security we are putting together an industry by industry guide on industry specific cyber security issues. If you are an expert in an industry specific cyber security issue and are happy to share your expertise (we will credit you), then please email [email protected] with the subject line: USA Cyber Security Legal Advice | Industry.
Client care information
Legal obligations of business to care for client information
According to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act and others, businesses are required to provide “reasonable security” for sensitive information, although it’s not laid out exactly what these security measures must entail.
The Gramm-Leach-Bliley applies only to businesses in the financial sector, while the Health Insurance Portability and Accountability Act regulates the healthcare and health industry. There are also a number of state regulations that are going to differ based on where your business operates.
Federal regulations you should know
This bill was created to regulate the healthcare and health insurance industry to protect users’ Personally Identifiable Information from theft and fraud. The bill also addresses limits on health insurance and set standards for electronic health care transactions.
This act regulates the financial services industry and makes sure that they protect client information.
This act applies to government agencies and requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security”. State Regulations Some states have come up with cybersecurity laws of their own, with California leading the way with the following acts: Notice of Security Breach Act: Requires any company that has personal information of California citizens to disclose details of a security breach, if it occurs. Personal information refers to the citizen’s name, financial information, driver’s license number and social security number.
Any business that owns or maintains personal information of California residents must maintain a “reasonable level of security”, which extends to their business partners as well. Again, this bill leaves a lot of room for interpretation.
Businesses in California must dispose of all records of customers’ personal information by shredding or erasing the documents, making them “unreadable or undecipherable”. This bill goes into effect in 2020 and also requires that manufacturers of Internet of Things devices put reasonable security measures in their device. Some other states with cybersecurity laws of their own include Illinois and Massachusetts.
Government Subcontractor Legislation
Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
Companies that are subcontractors for the U.S. federal government should be aware of “Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information Systems” which requires federal contractors to implement 15 security controls from the NIST SP 800-171 framework. In the future this requirement is expected to cover all 110 NIST SP 800-171 controls, for now however, there are only 15.
Cybersecurity Maturity Model Certification (CMMC)
Companies that are subcontractors for the U.S. Department of Defense (DoD) should prepare for the new Cybersecurity Maturity Model Certification (CMMC) which is to begin appearing in defense contract request for proposals (RFPs) in 2020. All companies working with the DoD will need to be certified by an independent third-party, unlike previous DoD requirements that relied on self-attestation for compliance.
This new DoD regulation will impact over 300,000 companies that make up the defense industrial base.
Best Practice: California Legislation
Until we see further federal data privacy legislation passed in the US, the law to comply with is the California Consumer Privacy Act (CCPA).
The four driving tenants of the CCPA are: transparency, accountability, user control, and nondiscrimination.
Accountability over data safety is the most progressive concept introduced to US cybersecurity legislation by the CCPA. Data breaches and cyber hacks have long been a threat to businesses and consumers alike.
But now, with the shifting legal landscape introduced by the CCPA, companies are subject to fines, lawsuits, and other penalties for failing to protect the data they collect and store.
User control and nondiscrimination — as core concepts of the CCPA — work hand-in-hand. Companies need to allow consumers greater control over their data by implementing systems in which users can opt out of the sale of their data. Furthermore, consumers have the right to request access to and deletion of the personal information that has been collected from them.
Not only do companies need to establish systems of allowing users to act upon their rights, but businesses are no longer allowed to discriminate against consumers who choose to act upon their data privacy rights.
But the new age of data privacy, and the laws that govern it, is only beginning — complying with the CCPA is the first step any US company should take in preparation for the stricter and more far-reaching data security laws on the horizon.
Protecting your business if you fall victim to a cyber scam
What should you do if your business has fallen victim to a cyber scam?
If your business falls victim to a cyber scam, first cut off all contact with the scammer and cease any payments. Next, contact the financial institution you sent the money through to let them know. They will most likely help you to shut down the card that you used.
Finally, report the scam to one of three major credit reporting agencies, either Equifax, Experian or TransUnion. You can also contact the Federal Trade Commision or your regional Census Bureau, but it will depend on the type of scam.
To find the right place to report each scam, see this article from the United States federal website: https://www.usa.gov/stop-scams-frauds. If any customer data was compromised, make sure to alert them of the security breach.
What are your legal obligations?
Your legal obligations depend on what state you’re in. For example, in California, if any personal information of customers was compromised (i.e names, addresses, phone numbers, etc), then you’re legally obligated to alert your customers. However, this isn’t true for every state.
What are some steps you can take towards protecting your business from cyber scams?
To protect your business from cyber scams, learn how to recognize phishing links (you can test out links to see if they’re legitimate by using https://www.psafe.com/dfndr-lab/).
In general, it’s good to avoid clicking on links or emails from people you don’t know, as they often lead to phony websites in which you input personal information. The same principles for protecting customer information apply to preventing cyber scams, like using password managers and authentication to ensure that the right person is accessing each account, and storing data in encrypted cloud servers.
Businesses should train employees on how to use the above cybersecurity measures like password managers, VPNs, authentication methods, etc.
Inexperienced or unsophisticated employees are actually the primary cause of most security breaches, so it’s important to focus on training as well as software.
See our further resources and reading for more information how to put into practice the above guidance. Click here to jump to further resources and reading.
Practical steps for businesses
Businesses can employ password managers, encrypted cloud storage, and VPNs to protect their client and customer information legally.
You should also be adding two or multi-factor authentication to make sure that only authorized users are accessing accounts.
Data on paper
As far as any data on paper goes, paper should be shredded or blacked out before being placed in the trash. For example, pharmacists must black out any customer information before throwing away prescription or medical papers.
Protecting your business if you fall victim to a data breach
What should you do if your business has fallen victim to a data breach?
The first step is to identify a breach has occurred. Employees and team members should be instructed in advance to be aware of any anomalies.
If someone does notice an anomaly, it should be reported to the IT department. If a small company with no internal IT department (as many business happen to be), report it to the individual who handles IT. Or, if no-one else, report it to the CEO equivalent.
Once a breach has been identified or suspected, the major critical sections should be locked down. Hopefully, the office has already implemented a backup plan with rolling backups. This will allow reconstruction of individual critical computers and company wide servers and files.
But, whether or not this preventative measure has occurred, one should disconnect from the Internet as much as possible until the data breach has been secured.
Of course, a significant amount of data breaches may also involve malware. So, it would be important to have up to date antivirus software running.
Next, if one has obtained insurance against a data breach, the insurance company should be informed promptly. Sometimes, there may be a time limit on when to inform it.
If the company has legal counsel, they should inform legal counsel.
Depending on the nature of the breach and the harm, notice to customers should be contemplated. But, the advice of legal counsel and the insurance company should be obtained before such notice.
And, it may be necessary to know the full extent before doing so. Other times, such as where customer financial data has been compromised, it may be that immediate notice should be sent to mitigate the potential harm such customers might feel.
This all should be memorialized in an action plan. There exist a number of resources online.
What are some steps you can take towards protecting your business from data breaches?
- Identify all computers and electronic devices connected to the network
- Secure all networks
- Do not use WIFI or do not allow customers to use the same wifi on the network
- Install antivirus from reputable company on all computers and devices, schedule maintenance
- Have a backup plan
- Though I am not a fan of sensitive documents on the cloud, a secure encrypted zip file of backup data could be maintained or a backup made and stored offsite (so as not on the same network)
- Develop a Data Breach Action Plan
- Obtain Data Breach insurance with a company who provides information on preventative measures
- Encrypt sensitive data
- If it looks like an intrusion, treat it like one (eg don’t pass it off as an anomaly)
- Inform those who need to know internally asap
- Disconnect from the outside as soon as possible
- Isolate the nature of the breach or intrusion
- Inform insurance company and/or legal counsel
- Run checks (contemporaneously with other items)
- Check backups (making sure backups become disconnected)
- Follow steps in action plan
- Determine whether notice should be sent to customers
Companies that offer Cyber insurance
AIG offers identity theft insurance that’s actually included on Premium plans with the password manager Dashlane. Find out more here.
If you have had a good or bad experience with a cyber insurance company, please let us know and we will add it to the article – full credit will be provided. Email our editor on [email protected] with the subject Cyber Insurance.
Industry Specific Cyber Security Issues and Guidance
The below advice is from Rhonda Rees who runs the Rhonda Rees Public Relations Company, and has had first hand experience with cyber security in the publishing industry.
According to the Association of American Publishers, the publishing industry as a whole had lost $80 to $100 million dollars to online piracy annually. From 2009 to 2013, the number of e-book Internet piracy alerts that the Authors Guild of America had received from their membership had increased by over 300%. During 2014, that number doubled.
By the end of 2015, there were nearly 2.2 billion visits to illegal book sites. According to a report by IB Times, in the UK, a fast growing sector for illegal e-books is Google’s own ‘Play’ app store, with e-book piracy becoming proliferated through this medium. In 2016, 2017-2019 the numbers were even higher than that. I can offer specific tips and information as to how to handle such a cyber attack.
Many of these cyber criminals are located in foreign countries. As a personal example, my award-winning PR book, Profit and Prosper with Public Relations: Insider Secrets to Make You a Success was copyrighted, trademarked and registered in the US. The criminal websites offering free unauthorized copies of it were in the Netherlands, China, Germany, etc.
To be more specific, there are steps that authors and publishers can take if they find themselves the victims of cyber thieves:
- Run regular detailed Google and Bing searches for your book or books, and if something looks strange investigate. Plug in the author’s name, title of the book and the words ‘free downloads’ to see what pops up.
- If you find that your book is listed for FREE on a pirate site do a WhoIs search to discover where to send a DMCA take down notice. (Digital Millennium Copyright Act). Be sure to word it exactly as it needs to be. Check the web for a free example from IP Watchdog.
- You should receive notice from the web hosting company when they remove your information within 24-hours. Just to be sure run another Google and Bing search to be sure that your info has been taken down.
Is Scraping Websites Legal?
Recently, a district court in Washington, D.C. held that using automated tools to access publicly available information on the open Internet is not unlawful.
This is the case even when a website prohibits scraping in its terms of service. The Washington, D.C. court ruled that the ‘Computer Fraud and Abuse Act’ (CFAA) which is a 1986 statute is too vague and does not make it a crime to access information in a manner that the website doesn’t permit.
The act of scraping is merely a technological advance that makes the ability to collect information easier; it is not meaningfully different from using a tape recorder instead of taking written notes. Typically, the information a person scrapes is located in a public forum. Hence, when a scraper attempts to record the contents of public websites for research purposes, they are arguably affected with a ‘First Amendment’ interest.
Web data scraping is not unlawful, but it is always a good idea to be ethical when scraping.
As such, respect the ‘Terms of Service’, read the robots.txt file. It may even be advisable to ask permission to crawl and scrape the website.
Scraping a website so aggressively it could be considered a DDoS attack
A bot that scrapes a website so aggressively that the business suffers a significant financial loss or other damages could absolutely seek a legal remedy against such a perpetrator.
Even though the courts, particularly the 9th Circuit, have construed the CFAA very narrowly, to generally accept for web scraping, there is a limit to this holding. Specifically, it is unlawful to cause criminal damage to a computer or computer system data by gaining access without the proper authorization.
Publication and use of scraped data
First, the legality of how scraped data is used will vary based on the legal jurisdiction where the claim is brought.
The laws of a particular jurisdiction will govern absent a treaty. Denmark law may vary from U.S. law and so application of a sovereign law could potentially lead different outcomes even with similar facts.
However generally, web scraping that involves copying would potentially lead to a claim for copyright infringement. Trademark laws also prevent the reproduction of a website owner’s trademarks without consent.
Finally, database infringement laws generally protect against sensitive data being accessed without permission. There is a whole host of protections for intellectual property and sensitive data that are generally protected via international treaties.
Further resources and reading
- The Biggest Threat to Cybersecurity? Inexperienced Employees (Security Baron)
- Four Common Cybersecurity Myths (Security Baron)
- Most Small Business Underestimate Vulnerability to Cyber Attacks, Says Survey(Security Baron)
- Internet Safety and Security Glossary (Security Baron)
- Test Your Online Security Quiz (Security Baron)
The industry experts who contributed to this article.
This article was written and edited by Nathaniel Fried with industry knowledge from Omer Kaan Aslim (President of Desired Outcomes), Gabe Turner (Director of Content at Security Baron), KJ Dearie (Privacy Consultant at Termly), Charles Lee Mudd Jr (Principal Attorney and Founder at Mudd Law) and David Reischer (CEO/Founder at ProBono.LegalAdvice.com at LegalAdvice.com Corp)
Charles Lee Mudd Jr.
Position: Principal Attorney and Founder at Mudd Law
Charles Lee Mudd Jr. has operated his own law firm since 2001. In the last eleven years, the firm has grown to become an internationally recognized diversified practice providing representation to a clientele comprised of local, national, and international individuals and business organizations.
Omer Kaan Aslim
Position: President of Desired Outcomes
Omer Kaan Aslim is the President of Desired Outcomes, a company providing cybersecurity solutions to organizations seeking to meet U.S. Federal, Department of Defense, and commercial cybersecurity compliance requirements. He has the knowledge and experience to implement an effective cybersecurity program for your company.
Position: Privacy Consultant at Termly
Socials: Termly Twitter
KJ Dearie is a product specialist and privacy consultant for Termly, where she advises small business owners and digital professionals on how to comply with the latest data privacy laws and trends. She’s been published in Business News Daily, Omnisend, ITProToday, MarTechExec, and more.