The United States' cybersecurity laws and privacy regime are among the oldest in the world and are often described as the most robust and effective. Rather than comprehensive ex ante regulation, the US privacy regime relies more on post hoc government enforcement and private litigation. Currently, cybersecurity regulation comprises directives from the Executive Branch and legislation from Congress that safeguard information technology and computer systems.
Federal Government Regulation
There are three main federal cybersecurity regulations:
– 1996 Health Insurance Portability and Accountability Act (HIPAA)
– 1999 Gramm-Leach-Bliley Act
– 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA)
These three statutes mandate that healthcare organizations, financial institutions, and federal agencies, respectively, protect their systems and information. However, they do not guarantee that data is secured: they require only a “reasonable” level of security and leave the choice of specific controls to the regulated entity.
For example, FISMA, which applies to every federal agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security”.
These regulations, however, do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, their vague language leaves much room for interpretation.
Recent Federal Laws
In recent years, the federal government has enacted several new cybersecurity laws and amended older ones to strengthen the overall security ecosystem. A few of them are listed below:
Cybersecurity Information Sharing Act (CISA)
Its stated objective is “to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats”. The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies, with liability protection for companies that share in good faith, and requires that personal information not directly related to a threat be removed before sharing. The bill was first introduced in the U.S. Senate on July 10, 2014, passed the Senate on October 27, 2015, and was signed into law on December 18, 2015 as part of the Consolidated Appropriations Act, 2016.
Cybersecurity Enhancement Act of 2014:
It was signed into law on December 18, 2014. It establishes an ongoing, voluntary public-private partnership to improve cybersecurity and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
Federal Exchange Data Breach Notification Act of 2015:
This bill would require a health insurance exchange to notify each individual whose personal information is known to have been acquired or accessed as a result of a breach of security of any system maintained by the exchange, as soon as possible but no later than 60 days after discovery of the breach.
National Cybersecurity Protection Advancement Act of 2015:
This act amends the Homeland Security Act of 2002 to allow the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC) to include tribal governments, information sharing and analysis centers (ISACs), and private entities among its non-federal representatives.