US Cybersecurity and Data Privacy Laws


The US has no single federal law that regulates information security, cybersecurity, and privacy throughout the country. Many states have their own cybersecurity laws in addition to the federal and industry data breach notification laws. Many of these areas are currently regulated by a complex matrix of industry-specific federal laws and state legislation, with potentially different scope and jurisdiction.

The rapidly evolving nature of the information technology security field requires companies and government to adapt their strategies and regulations to the new environment. In response to these challenges, companies are required to update their cybersecurity practices or risk being the (double) victims of a data breach, as well as of a regulatory fine because of it.

The challenge for almost every company that conducts business across all 50 states, and potentially across the world, can be considerable. Below we outline some of the major government and industry cybersecurity regulations that may impact your business. This list is by no means exhaustive and should be considered only a guide to start building the cybersecurity governance practices in your company.

CFTC: The Commodity Futures Trading Commission Derivatives Clearing Organizations Regulation

Applicability:

The CFTC Regulation applies to derivatives clearing organizations. These entities act as a medium for clearing transactions in commodities for future delivery or commodity option transactions. There are about 27 worldwide. These markets are at the heart of the global financial system.

Penalties and enforcement:

SEC regulation S-ID is subject to the same penalty as S-P. Civil fines for violating this Regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by an SEC action or by FINRA.


How to comply with CFTC:

To protect themselves, derivatives clearing organizations must develop an extensive and robust information security program that includes the following:

  • An annual compliance report that must be sent to the board and CFTC
  • Vulnerability testing of independent contractors twice every quarter
  • Internal and external penetration testing at least annually
  • Control testing once every three years
  • Annual security incident response plan testing
  • Annual enterprise technology risk assessment (ETRA)

CMMC: Cybersecurity Maturity Model Certification


The Cybersecurity Maturity Model Certification (CMMC) is a certification and compliance process developed by the Department of Defense (DoD). It is designed to certify that contractors have the controls in place to protect sensitive data. Announced on June 13, 2019, CMMC is the new approach by the DoD to create a unified cybersecurity standard and properly secure its supply chain and the Defense Industrial Base (DIB).

According to the latest update, starting in 2020, companies will need to begin the journey towards CMMC compliance in order to conduct business with the DoD. It’s estimated that between 2020 – 2026 all DIB organizations will become compliant with the new CMMC framework. Following that plan, as of July 2020 CMMC requirements have started to appear in some of the latest government requisitions, forcing suppliers and their subcontractors to look for ways to meet the requirements or be unable to participate in bids.

Applicability:

Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy. Even if that has been the expectation for some time, companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… until now.

The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).

Penalties and Enforcement:

CMMC certification will be an absolute requirement to bid on DoD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DoD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.

How to Comply with the CMMC model:

The CMMC model is composed of five levels of compliance. Companies (and their subcontractors) must meet a specific level of security compliance depending on the contract that they are trying to bid for. The five levels are:

  1. Level 1: Basic Cyber Hygiene
  2. Level 2: Intermediate Cyber Hygiene
  3. Level 3: Good Cyber Hygiene
  4. Level 4: Proactive Cyber Hygiene
  5. Level 5: Advanced/Progressive Cyber Hygiene

COPPA: Children’s Online Privacy Protection Act

15 U.S. Code Chapter 91

16 CFR Part 312

COPPA is a privacy and cybersecurity law designed to protect children from internet predators and other internet threats.

Applicability:

COPPA applies to websites and online services that are directed at children under the age of 13. It also applies if the operator of the site has actual knowledge that children under the age of 13 are using a website. The purpose of the Act is to regulate how these websites collect, use, and/or disclose personal information from and about children.

Penalties and enforcement:

The Act is enforced by the FTC. Fines have been increasing, with the largest fine to date reaching $5.7 million.

How to comply with COPPA:

  • Company must provide a reasonable means for a parent to review the personal information collected from a child, and enable them to refuse to permit its further use or maintenance
  • Company cannot make a child’s participation in a game, the offering of a prize, or another activity conditional on the child providing information
  • Company must provide reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children

Consumer Privacy Protection Act of 2017

The proposed Consumer Privacy Protection Act of 2017 has been designed to ensure the privacy and security of sensitive personal information, to prevent and mitigate identity theft, to provide notice of security breaches involving sensitive personal information, and to enhance law enforcement assistance and other protections against security breaches, fraudulent access, and misuse of personal information.

Applicability:

It will apply to organizations that collect, use, access, transmit, store, or dispose of sensitive personally identifiable information of 10,000 or more US citizens during any 12-month period.

Penalties and enforcement:

Civil penalty fines will not exceed $5 million unless the violation is found to be willful or intentional, in which case an additional $5 million can be imposed.

DFAR: Defense Federal Acquisition Regulation

48 CFR 252.204-7012

DFAR is a cybersecurity regulation that applies to US Department of Defense (DoD) contractors. If you conduct business directly or indirectly with the US Government, this regulation applies to you.

Applicability:

This regulation applies to US Department of Defense (DoD) contractors. It requires contractors and subcontractors that possess, store, or transmit “covered defense information” to provide adequate security to safeguard the covered defense information on unclassified information systems.

Penalties and enforcement:

Failure to comply may result in debarment. Even if your subcontractor is the one that fails to comply, that can result in your company being banned from conducting business again with the DOD.

How to comply with DFAR:

Unlike many other cybersecurity laws, the Regulation mandates compliance with a specific cybersecurity standard: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (see Appendix D of NIST 800-171 for reference to other cybersecurity frameworks, including ISO 27001).

  • The Regulation’s requirement extends mandatory compliance to all subcontractors
  • The Regulation provides a detailed process for investigating cyber incidents and reporting them to the DoD and the prime contractor (or next higher-tier subcontractor), including protecting and preserving evidence that includes malware for possible forensic analysis

ECPA and SCA: Electronic Communications Privacy Act and Stored Communications Act

The Electronic Communications Privacy Act (ECPA) together with the Stored Communications Act (SCA), also known as the Wiretap Act, are privacy statutes.

Applicability:

Originally designed to limit warrantless surveillance, these acts forbid the intentional use, disclosure, or access to any wire, oral, or electronic communication without authorization.

Penalties and enforcement:

The acts provide criminal penalties that could be used to jail malicious hackers. They also provide a private right of action against the perpetrators (individuals or companies) of these acts.

Both the SCA and ECPA authorize equitable relief, damages, punitive damages, attorney’s fees, and costs, so compliance with these statutes should be considered by all organizations, not just law enforcement agencies. There are business and intra-family exceptions, but these must be used cautiously.

Both statutes require intentional violation. But if the statutes are violated, and if the plaintiff or the plaintiff’s class can prove measurable damages, the liability could be very large.

There are also state laws that go further. The ECPA requires one-party authorization; ten states require both parties to consent. A recent example of the potential impact of these laws is a lawsuit by a Lyft driver and his class, who are suing Uber for intentionally accessing information with Uber’s Hell software. There are damages for the entire class as well as punitive damages that could easily be in the millions. This is far greater than any criminal or civil fine.

How to comply with the ECPA and SCA:

  • Company policies should prohibit recording or disclosing any oral or electronic communications without obtaining consent from both parties
  • Company policies should prohibit surveillance of non-employees unless there is consent
  • Policy still allows for company surveillance of employees, including video and email interception of employees, if there is a valid business reason for doing so

FDA: Regulations for the Use of Electronic Records in Clinical Investigations

21 CFR Part 11

The Food and Drug Administration (FDA) Regulations for the Use of Electronic Records in Clinical Investigations is a cybersecurity law.

Applicability:

It applies to organizations involved in clinical investigations of medical products, including sponsors, clinical investigators, institutional review boards (IRBs), and contract research organizations (CROs).

Most, if not all, of these people and organizations are also health care providers, so their operations would most likely fall under the HIPAA rules as well. The Regulations concern the IT systems of these organizations, including any electronic systems used to create, modify, maintain, archive, retrieve, or transmit records used in clinical investigations.

Penalties and enforcement:

The Regulations are enforced by the FDA, which will conduct investigations and audits. Since these records are to be used for validating the research by the FDA, the Regulations are geared more toward the integrity part of the confidentiality, integrity, availability triad.

How to comply with FDA:

In order to comply with this regulation, organizations are required to:

  • Ensure systems provide accuracy, reliability, and consistent performance
  • Limit system access to authorized individuals
  • Maintain secure audit trails
  • Establish and adhere to written policies that hold individuals accountable
  • Implement regular training for all parties that will have access to the electronic records

FPA: Privacy Act of 1974

The Privacy Act of 1974 (FPA) is a privacy statute that applies to US federal agencies.

Applicability:

The FPA applies only to agencies of the US Federal Government. It governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

It prohibits the disclosure of information from a system of records controlled by the federal agency without the written consent of the subject individual, unless the disclosure is permitted under one of 12 statutory exceptions.

Until recently, it only applied to lawful residents of the US, but it was amended by the Judicial Redress Act, which allows citizens of ‘covered countries’ (as determined by the Attorney General, with the agreement of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security) to sue in a federal court for willful disclosures of personally identifiable information by a federal agency.

According to the European Commission, “The EU-US Umbrella Agreement entered into force on 1 February 2017. To finalize this agreement, the US Congress adopted a new law, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”

Since the FPA is limited to the US government, and since it does not preclude §702 of the FISA, it does not stop either the US National Security Agency (NSA) or private companies from obtaining, disclosing, or transferring personally identifiable information that is expressly prohibited by the GDPR.

Penalties and enforcement:

Covered persons, which includes lawful residents of the US and citizens of certain foreign countries designated by the US Secretary of State, may sue in a US federal district court for actual damages or $1,000 (whichever is greater), attorney fees, and court costs. The court may also require the federal agency to amend or correct any information on file concerning the covered person.

How to comply with the FPA:

All US federal agencies must:

  • Not disclose any record that is contained in a system of records by any means of communication to any person, or to another agency, without a written request from, or the prior written consent of, the individual to whom the record pertains
  • Allow any individual to gain access to their record or to any information pertaining to them that is contained in the system, and permit them and, if they request, a person of their own choosing to accompany them, to review the record and have a copy made
  • Maintain any record concerning any individual, making reasonable efforts to ensure such records are accurate, relevant, timely, and complete
  • Assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to, the individual

FTC: Federal Trade Commission Act §5


FTC Act Section 5 is both an information security regulation (which requires appropriate cybersecurity measures) and a privacy law.

Applicability:

The law applies to almost every organization in the US with the exception of banks and common carriers.

Penalties and enforcement:

The FTC is not shy about imposing civil liabilities, which have even reached $5 billion in the recent case concerning Facebook. It might seem odd that a law passed in 1914 to prohibit unfair or deceptive acts is one of the major sources of cybersecurity and privacy law in the US.

How to comply with the FTC:

The problem is that organizations must engage in all “reasonable and necessary” security practices, but these are generally undefined.

The FTC has established a regulation, the Safeguards Rule (16 CFR 314), for companies within its jurisdiction that have to comply with the GLBA. This rule is the same as the GLBA Security Rule (see the GLBA section below) and would be a good start to determine a company’s responsibilities under the Act.

GLBA: Gramm-Leach-Bliley Act


The Gramm-Leach-Bliley Act (GLBA) is both an information security and a privacy law.

Applicability:

The law applies to financial institutions, but the definition is very broad and includes banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.

There is a Security Rule and a Privacy Rule. The Security Rule (16 CFR Part 314) requires organizations to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” (15 USC §6801 (a))

Penalties and enforcement:

Penalties for violation could exceed $1 million. There is also the possibility of termination of FDIC insurance, which could mean the end of the business for a financial firm.

HIPAA: Health Insurance Portability and Accountability Act

HIPAA has security, privacy, and breach notification rules.

Applicability:

The law applies to health care providers, health plans, health care clearing houses (together called covered entities) and, in certain cases, business associates of these covered entities. As a result, the Act can cover organizations as diverse as health insurance companies and pharmaceutical companies. Unlike other laws, HIPAA has very specific rules to determine compliance.

Penalties and enforcement:

Fines depend on the nature and extent of the violation, as well as the extent to which the organization has attempted to protect information. The largest fine to date was more than $16 million. Fines have been increasing dramatically recently. In 2018 the total number of fines reached a record $28 million.

How to comply with HIPAA:

The Security Rule requires that the confidentiality, integrity, and availability of electronic protected health information (ePHI) be protected. ePHI consists only of individually identifiable health care information that is produced, saved, transferred, or received in electronic form.

  • ePHI must be protected with administrative safeguards
  • ePHI must be protected with physical safeguards
  • ePHI must be protected with technical safeguards

The Privacy Rule requires that ePHI can only be used or disclosed in the following cases:

  • The individual gives their consent
  • For treatment, payment, or health care operations
  • Incident to a permitted disclosure
  • Public interest

The Breach Notification Rule has specific requirements:

  • Individuals must be notified within 60 days of the discovery of a breach
  • Notification must include
    • The type of information compromised
    • The steps the individual needs to take to protect themselves
    • A description of what the covered entity is doing to investigate and mitigate the breach
    • Contact information
  • Breaches of more than 500 individuals require notification to the media and to the Secretary of Health and Human Services (HHS)
  • Breaches of fewer than 500 individuals should be logged and reported to the Secretary of HHS annually

ISO/IEC 27001: Information Security Management

ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

NIST 800-171

NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations.

This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.

The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

EU-US Privacy Shield

Applicability:

The Privacy Shield was developed to protect EU residents’ data held and processed by organizations in the US. The protection of an individual’s data in the US does not come anywhere near what the EU considers adequate.

Since an enormous quantity of data is exchanged between the US and the EU, the US government and EU commissioners came up with a method to circumvent the previous Data Protection Directive with a program called Safe Harbor.

The Safe Harbor agreement was overturned on October 6, 2015 by the European Court of Justice (ECJ), so the EU commissioners and US government had to act quickly to come up with an alternative that would meet the requirements of the EU’s General Data Protection Regulation (GDPR). The European Commission adopted the EU-US Privacy Shield framework on July 12, 2016, and it came into effect the same day. In April 2017, the European Parliament’s Civil Liberties, Justice, and Home Affairs Committee (LIBE Committee) narrowly voted in favor of a resolution declaring the Privacy Shield inadequate, and it is reviewed annually to ensure that EU concerns are addressed.

Penalties and enforcement:

Non-compliance with the GDPR can lead to fines of up to 4% of annual global revenue or €20 million – whichever is greater.

How to comply with the EU-US Privacy Shield:

To self-certify to the Privacy Shield, a company must undertake the following:

  • Confirm that the organization is eligible. Most companies outside of the financial sector are
  • Develop a Privacy Shield-compliant privacy policy statement and make sure that the organization’s privacy policy conforms to the Privacy Shield principles
  • Identify the organization’s independent recourse mechanism to enforce the privacy policy
  • Make sure that the privacy policy is publicly available
  • Make sure the organization has a compliance verification mechanism
  • Designate a contact within your organization regarding the Privacy Shield
  • Submit your organization’s self-certification to the Department of Commerce

Sarbanes-Oxley Regulation

The Sarbanes-Oxley Act (SOX) requires organizations to prove their cybersecurity credentials.

Applicability:

SOX applies only to public companies. Generally, a public company is one that is listed on a public stock exchange.

The purpose of the legislation and regulations is to make sure these public companies produce accurate financial statements.

Penalties and enforcement:

SOX has very tough penalties. Unlike many other cybersecurity or privacy statutes, SOX has criminal penalties. In theory, a CEO or CFO can be liable for maximum penalties of $1 million and 10 years’ imprisonment for a false certification, and $5 million and 20 years for a willfully false filing.

SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information


The SEC rule 30, which is part of Regulation S-P (17 CFR 248.30), is an information security regulation that requires appropriate cybersecurity measures.

Applicability:

SEC rule 30 applies to US and foreign brokers, dealers, investment companies, and investment advisers that are registered with the SEC. These organizations could also be subject to the concurrent jurisdiction of the New York Department of Financial Services (NYDFS) cybersecurity regulations (23 NYCRR 500). Under SEC rule 30, organizations must adopt written policies to safeguard customer records and protect against unauthorized access.

Penalties and enforcement:

Civil fines for violating this regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by an SEC action or by the Financial Industry Regulatory Authority (FINRA). FINRA is a private corporation that acts as a self-regulatory organization for the financial industry. It has the contractual power to fine its members.
