Cyber Security Legislation

Cyber security legislation exists at the Federal and State level, with State level legislation being more restrictive than Federal regulations. The applicable Federal programs are the CAN-SPAM Act, USA Patriot Act (USAPA), Children’s Online Privacy Act, Fair Credit Reporting Act, Freedom of Information Act and the Gramm-Leach-Billey Act. While all of these acts are considered “Cyber Security” regulations, the two most relevant ones are the Patriot and the Gramm-Leach-Billey Acts.

The Patriot Act of 2001 broadened the scope of electronic surveillance before the Patriot Act electronic surveillance was a tool to be used only against foreign intelligence gathering. The USAPA was widened so that probable foreign surveillance is no longer the only requirement for surveillance. Now, electronic surveillance can be used even in purely criminal cases where it is not probable that intelligence gathering is occurring. It also allowed for up to a year of surveillance without a warrant.

Before the authorization and renewal of USAPA police were required to get a warrant to wiretap or trace someone. This required a panel of Federal judge’s approval. Now all that is required is proof that the data that would be found through this trace would be relevant to the investigation in some way. While this tap would not necessarily include recordings of the conversations, it does include meta-data such as who was called and for how long.

This becomes a cyber security issue with electronic communications. With telecommunications, it is easy to separate the meta-data from the conversation, but with an email this is more difficult. The send and receive addresses are part of an email. To extract the sender data from an email a federal agent would have to have access to the entire email.

While the USAPA does not give unrestricted access to content, only metadata, it is easy to see where the potential for abuse arrives. If an investigator has to see the email to get the sender data they’re looking for, the only thing stopping them from looking at the rest of the email is the good will of the officer who’s doing it. Even a purely electronic system of extracting this sort of data would have to view the contents of the email, which would violate the privacy of the sender.

The Gramm-Leach-Billey Act primarily pertains to the safeguarding of financial data, such as loans and mortgages. It requires that “financial institutions” comply with certain minimal electronic safeguards, or face fines and other punishments. The term “financial institution” covers more than just banks however, it also includes courier services, property appraisers, non-bank lenders and anyone else “significantly engaged in providing financial services or products.”

The Gramm-Leach-Billy act has several requirements that must be met by any business that falls under it. They must: identify risks and assess them; create, maintain and regularly test a cybersecurity program; select service providers who maintain their own cybersecurity program; designate at least one employee to coordinate their cyber security and information security programs; they must keep their program up to date with new or evolving circumstances.

Federal cyber security guidelines are less restrictive than state guidelines, as state legislation can only ever increase regulation not remove it. As part of an ongoing series, will look into and layout how various regulations at the Federal and State level can affect you and your business.