Most business owners have little to no idea about the cybersecurity Laws & Regulations that take place around the world (mainly in the US). Therefore, 2020 has been full of hacking-related news headlines.

We could say Governments aren’t raising enough awareness of civilians. But you should start taking them more into account (as a norm) due to its consequences.

In one way or another, passing cybersecurity laws & regulations are synonymous with significant fines expenses. 

Is this what you want?

Cyber-activities Penalized by Law (Hacking)

Of course, I know the word “Hacking” sounds bad, negative, or evil to you.

But what considering that there is an “Ethical” side of hacking, what are the activities that can get you or them penalized by Law?

  • System and Data breaching (Accessing, modifying, or deleting without consent).
  • Economic & Corporate espionage.
  • Identity Theft.
  • Copyright Infringement (Unauthorized publication of 3rd-party content).
  • Criminal infringement of copyright.
  • Fake News.
  • Website crashing (as DOS or DDoS attacks).

It makes sense that without the right Laws & Regulations in place, all of it would pass unnoticed. But, we can start changing that, today and now) though awareness of the issue.

Several nations have started to establish measures to control it.

For example, the US government spends $19 Billion every year on cybersecurity.

What do these measures (Laws & Regulations) I’m talking about, consist of? 

Let’s review 7 of them, shall we?

DISCLAIMER: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.  Information on this website may not constitute the most up-to-date legal or other information.  This website contains links to other third-party websites.  Such links are only for the convenience of the reader, user or browser; MyITGuy and its members do not endorse the contents of the third-party sites. 

Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter.  No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction.  

1) GDPR (General Data Protection Regulation) 

The European Union took a leading role with the application of the GDPR requirements. It aims to protect personal data from consumers all across the US nations. 

These are some of the privacy requirements that the General Data Protection Regulation asks for: 

  • Requiring the consent of subjects for data processing.
  • Anonymization of collected data to enhance privacy.
  • Providing data breach notifications.
  • Safely handling the transfer of data across borders.

Basically, they set up standards for companies to follow while handling EU citizen’s data.

This is not only positive for consumers alone, but business owners from member states can save a lot of time by following consistent descriptions of the data protection law. 

And yes, you read right. 

Anyone that offers goods and services inside the Schengen zone has to follow it.

This change made a huge impact on how things work globally. 

But it doesn’t stop there. The SAs are capable of auditing companies to make sure improvements are made on deadlines. They have enough power to ensure data is stored or erased or blocked entirely if needed.

Data controllers can apply penalties (based on the circumstances) that may be around 2% to 4% of the total global annual turnover.

2) CPA (California Consumer Privacy Act)

The California Consumer Privacy Act was Inspired by the GDPR and built on similar compliances. In this case, they give power to consumers to decide which information business owners collect, and which doesn’t.

They now possess the right to…

  • Know what personal data is collected from them, and how it will be used/shared.

  • Erase their collected personal information (with only a few exceptions).

  • Non-discrimination for exercising their CCPA rights.

And before you assume this isn’t directed to you or your business (because you aren’t locating inside California), then let me tell you that outsider companies must follow the requirements as well.

More specifically, if you follow the following criteria (at least one): 

  • If your business generates annual gross revenue in excess of $25 million.
  • If your business handles data of more than 50,000 California residents annually.
  • If your business gets 50% percent of its annual revenue by selling the personal information of California residents.

3) Computer Fraud & Abuse Act 

This 1st federal computer fraud law was enacted in 1986, to address computer hacking.  

It has been amended a couple of times since that moment, the most recent being in 2008. 

The CFAA tries to cover a wide range of unethical practices, but its main focus relies on unauthorized computer access to data. 

Among such fraudulent activities, you can find espionage, ransom, and direct damage to computers or victims themselves. 

It also promotes the application of security controlling and monitoring best-practices, to avoid third-party damages caused through your own computing resources. 

4) FTC’s “Start with Security” Guidance 

More than law or regulation itself, these are guidelines that the Federal Trade Commission has developed from over 50 data-security lessons/actions. 

It was first prepared in 2001, to provide mass awareness about Cybersecurity measures.

If you don’t know them, the FTC is the main agency responsible for consumer protection and prohibition of deceptive acts concerning the collection, maintenance, and storage of consumer’s private data.

5) Health Insurance Portability and Accountability Act (HIPAA) 

The Health Insurance Portability and Accountability Act (also known as HIPAA) was created to protect the personal information stored by healthcare organizations. 

You probably don’t know about this, but health records were filed as paper records. And you guessed it, that’s not an efficient way to access or transfer patient information.

A change was needed. But companies found ways to capitalize/exploit the problem.  Funny enough, most of the solutions offered afterward lacked safe cybersecurity laws, regulations, and practices.

Government regulations as HIPAA were the new security standards that we all needed:

  • It modernized healthcare data processing and storing.
  • It provided equality of protection for all health-related organizations.
     
  • It battled against healthcare insurance unethical limitations.

6) Gramm-Leach-Bliley Act (GLBA) 

Also known as Glass–Steagall Act or the Financial Services Modernization Act of 1999.

Its sole purpose was to prevent banks from selling insurances or security-related packs.  

Although this might not seem connected with hacking and cybersecurity itself, the GLBA did put a lot of pressure over abusing financial institutions to protect customer’s information. 

The rules book was, for the first time in many years, against them: 

  • New bank’s employees have to sign a confidentiality pledge and provide background information (if they’ll have access to customer’s data).

  • Computer screens require inactivity locks and frequently-changed strong passwords.

  • Employee’s security training and constant reminding of policies (data and devices encryption)

  • New policies for the security of remote work, and security violations through discipline.

7) Homeland Security Act 

The Department of Homeland Security (DHS) was established in 2002, just after several terrorist attacks were executed (as the World Trade Center bombing).

New cybersecurity laws and regulations were signed and different standards/methods were promoted by the government of George W. Bush: 

  1. Data Protection by categorization. 
  2. Minimum baseline controls.
  3. Improve controls through Risk-assessment procedures.
  4. Keep track of the Security Plans.
  5. Apply proper controls to information systems.
  6. Assess the effectiveness of the security controls after implementation.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls continuously.

Are These Laws Enough?

It’s well-known that cybersecurity laws did not hold much weight. They only kept a watch over copyright protection. But the type of cyber-crimes happening today is more harmful.

Cybersecurity laws and regulations are there to protect you and other civilians from cybercriminal activity and corporate governance.

And this won’t stop anytime soon: The increase of threats will bring new legislative actions. 

Being said, there’s an important question to refrain: Are these Laws enough?

You cannot gamble on your business assets. Neither with your happiness or peace of mind.

Let’s fix that right now

Our experts will take care of your entire cybersecurity system (implement it you haven’t).