Cyber security has been a concern for the government and private sector for over a decade. The growth in the Information Technology sector in the United States has given rise to cyber crimes that leave huge losses in their wake.
Data breaches have gained more attention in the news, with each breach seemingly larger than the ones that came before it. The cost of data breaches has increased considerably, with the record-breaking breaches of 2017 at Equifax and Uber leaking information on more than 200 million American citizens.
United States cyber security regulation comprises directives from the Executive Branch and legislation from Congress that require companies and organizations to protect their systems and information from cyber-attacks such as viruses, phishing, denial-of-service (DoS) attacks, unauthorized access (theft of intellectual property or confidential information), and control system attacks.
There are three main federal cybersecurity regulations:
- 1996 Health Insurance Portability and Accountability Act (HIPAA)
- 1999 Gramm-Leach-Bliley Act
- 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA)
These three regulations mandate that healthcare organizations, financial institutions, and federal agencies protect their systems and information, requiring a “reasonable” level of security.
For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security”.
However, these regulations do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies, and their vague language leaves much room for interpretation.
In a recent effort to strengthen its cyber security laws, the federal government has introduced several new cyber security laws and amended older ones in an attempt to create a better security ecosystem. A few of them are listed below:
- Cybersecurity Information Sharing Act (2015) allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies.
- Cybersecurity Enhancement Act (2014) provides an ongoing, voluntary public-private partnership to improve cybersecurity research and development, workforce development, education and public awareness.
- Federal Exchange Data Breach Notification Act (2015) requires a health insurance exchange to notify each individual whose personal information is known to have been compromised no later than 60 days after discovery of the breach.
- National Cybersecurity Protection Advancement Act (2015) amends the Homeland Security Act (2002) to allow the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC) to include private entities among its non-federal representatives.
While adhering to the above laws, guidelines, and regulations will ultimately reduce liability, the most effective way to prevent a breach is an active monitoring policy. Cyber criminals are sophisticated in their approach to attack, so organizations are advised to become proactive about the security of their data, performing regular checks on their systems to identify any vulnerabilities and addressing them immediately.