Cybersecurity is more important now than ever. The cyber threat landscape is constantly evolving, and threat actors are only getting smarter, faster, and more sophisticated. To respond to this, Congress and various federal agencies are constantly updating laws and regulations to keep up. So, is a cybersecurity program required by law? The short answer: it depends on your firm, but likely yes. Let’s dive a little deeper.
Understanding Risk
One of the first things a business should determine when setting out to design a cybersecurity program is the organization’s risk associated with IT. Understanding the risk a business carries is a crucial part of determining how to assess, respond to, and monitor that risk. Greater knowledge of the types of risks or risk factors gives organizations insight into potential threat sources and what those threat actors intend to gain from an attack.
A risk assessment is the process a firm uses to understand their risk. Risk assessments, as defined by the National Institute of Standards and Technology (NIST), are “the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.”
Risk assessments can be conducted at various levels of the risk management hierarchy as shown in Figure 1.
One component of the risk management hierarchy is organizational risk. Tier 1 (Organization) risk assessments are designed to support organizational strategies, policies, guidance, and processes for handling risk. Tier 1 assessments address financial risks, compliance risks, regulatory risks, reputational risks, and contractual risks.
Let’s look at the current legal environment that may influence or drive regulatory and compliance risk within this tier.
Legal Environment
The legal environment has been changing rapidly in recent years, and certain laws require specific firms to have a cyber plan. The word-salad jumble of legislative acronyms that play in this space includes HIPAA, HITECH, FCRA, GLBA, FFIEC, FERPA, PPRA, GDPR, LMNOP, etc. The good news is that for the most part, these laws are attribute-specific, so by knowing some attributes of a firm, we can reasonably understand the federal regulatory environment (state and local laws are a whole separate discussion). Let’s dive in.
Health Laws
Health Laws such as The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the subsequent Health Information Technology for Economic and Clinical Health Act (HITECH) require firms to have a cybersecurity plan.
HIPAA is a federal law designed to protect sensitive protected health information (PHI) from being disclosed without patient consent.
HITECH increased the scope of the privacy and security protections required under HIPAA by providing defined privacy and security requirements, clear enforcement, and increased potential liability for non-compliance.
The Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule and HIPAA Security Rule to enforce HIPAA requirements. The goal is to ensure health information is properly protected while enabling the necessary flow of health information to provide high-quality health care and promote the public’s well-being. Those that must comply with HIPAA and HITECH include healthcare providers who electronically transmit health information, health plans, healthcare clearinghouses, and business associates that act on behalf of a covered entity (for example, claims processing, data analysis, utilization review, and billing).
Interestingly enough, healthcare providers that do not bill insurance fall outside of the scope of HIPAA.
A foundational step to HIPAA compliance is the risk assessment requirement outlined in § 164.308(a)(1)(ii)(A). Organizations can determine the most appropriate way to achieve compliance; however, HHS recommends following NIST guidelines, including NIST Special Publication 800-30, Guide for Conducting Risk Assessments.
Critical Infrastructure
The Strengthening American Cybersecurity Act of 2022 was unanimously passed in the midst of the Russian invasion of Ukraine. The act established minimum reporting requirements, which require critical infrastructure firms to report any sizeable cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 to 72 hours. This act applies to firms that fall in the following classifications:
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food and Agriculture
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Nuclear Reactors, Materials, and Waste
• Transportation Systems
• Water and Wastewater Systems
Financial Laws
The Fair Credit Reporting Act (FCRA) was enacted to ensure the accuracy, fairness, and privacy of consumer information in consumer reporting agency files. Information is constantly being acquired about consumers, and the FCRA helps consumers by regulating the use and accessibility of information in a consumer’s credit report. Later, the Fair and Accurate Credit Transactions Act (FACTA) was added as an amendment to FCRA to protect consumers from identity theft.
The FCRA applies to any person or firm that uses consumer credit report information to determine an individual’s eligibility for products, services, or employment.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Financial institutions are any type of company that offers consumers financial products or services like loans, financial advice, investment advice, or insurance. The Federal Trade Commission (FTC) Safeguards Rule implements sections 501 and 505(b)(2) of the GLBA, which provide standards to protect the security of customer information. Firms covered by the GLBA include:
• Banks, savings and loans, credit unions
• Insurance Companies
• Securities Firms
• Personal Property or Real Estate Appraiser
• Automobile Dealerships
• Financial Career Counselor
• Check Printers and Sellers
• Check Cashing Businesses
• Tax Preparation Businesses
• Real Estate Settlement Businesses
• Mortgage Brokers
• Investment Advisory Companies
• “Finders” (bringing together one or more buyers and sellers of any product or services)
The Safeguards Rule requires companies to develop, implement, and maintain an information security program to protect “nonpublic personal information (NPI) about a customer of a financial institution.” A company’s security program must have administrative, technical, and physical safeguards in place and be written to fit the size of the business, the complexity of its activities, and the personal information it handles.
The Federal Financial Institutions Examination Council (FFIEC) comprises five banking regulators that prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions. All federally supervised financial institutions, including holding organizations and subsidiaries, must comply with FFIEC requirements. Domain 1 of the FFIEC Security Rule is entirely focused on the establishment and ongoing management of a cyber program for firms that fall under FFIEC.
Publicly Traded Firms
The Securities and Exchange Commission (SEC), following the Cybersecurity and Resiliency Observations guidance issued by its Office of Compliance Inspections and Examinations (OCIE), recently proposed rule changes to cybersecurity risk management, strategy, governance, and incident disclosure for public companies. This changed public breach disclosure from something required only by privacy laws (i.e., when personally identifiable information is stolen) to something also required when a breach impacts a publicly traded company’s non-PII. This increase in visibility raises the liability that a breach poses to corporate reputations and its intangible costs, on top of explicitly requiring firms to report on the policies and procedures they use to identify and manage cyber risks.
Commerce
Section 5 of the Federal Trade Commission Act (FTC Act) prohibits deceptive business practices that are in or may affect commerce. Practically every company website you visit has a privacy notice or policy published on the first page (as required by separate laws), and many firms include a statement to the effect of “we have cybersecurity controls in place to protect your personal information” (which, again, are required by other laws).
If a firm makes a public claim to have a cybersecurity program in their privacy policy and then doesn’t do what they claimed, that is considered a deceptive business practice under Section 5 of the FTC Act and is subject to enforcement by the FTC.
Education Laws
The Family Educational Rights and Privacy Act (FERPA) governs access to educational information and records held by public entities. Its purpose is to protect the privacy of students and their education records. This federal law grants parents the right to access their children’s educational records until the child has reached the age of 18 or attends school beyond the high school level. Parents have the ability to inspect education records maintained by the school, request corrections if they believe the information to be inaccurate, and authorize the release of information through written approval.
Similarly, the Protection of Pupil Rights Amendment (PPRA) provides students and their parents certain rights regarding student participation in surveys, inspection of instructional material, physical exams, collection of personal information, and disclosure and use of personal information.
Although FERPA and PPRA do not explicitly require a cybersecurity program, meeting the technical requirements associated with managing the privacy and breach-reporting concerns is practically impossible without establishing a formal program, creating a “de facto” cybersecurity law.
International Laws
The General Data Protection Regulation (GDPR) has been touted as the “toughest privacy and security law in the world.” This regulation was drafted and passed by the European Union (EU) but applies to organizations anywhere that collect data related to people in the EU. The purpose is to protect people’s right to privacy, especially when it comes to personal data, and to establish principles and practices that must be adhered to or else risk substantial fines (up to 4% of worldwide revenues).
While GDPR does not include a specific set of controls for compliance, it is similar to other privacy legislation in that it is nearly impossible to maintain compliance without a fully developed cybersecurity program.
State Laws
The California Consumer Privacy Act (CCPA) of 2018 enhances privacy and consumer protection rights for the residents of California. All companies that serve the people of California must comply with the CCPA. Several states have their own privacy laws similar to California’s, and all 50 states have similar cyber breach reporting requirements. Meeting all of these requirements is nearly impossible without a formal plan in place.
Why Gray Analytics?
Having a grasp on the cyber laws, compliance obligations, and requirements is foundational for ensuring that an appropriate cyber program is developed to reduce the risk of litigation and fines for non-compliance. Gray Analytics provides end-to-end cybersecurity and compliance consulting services that are customized based on our clients’ unique cyber goals and requirements. Ensuring full compliance with your firm’s legal requirements is one of the foundational goals of a cyber program, and its themes can be seen throughout many of the policies and procedures of a well-developed program.