In the USA, cybersecurity is governed by a crazy quilt of generally applicable federal laws, sector-specific federal laws, generally applicable state laws and sector-specific state laws, as well as common law norms that have evolved from court decisions. Generally applicable federal laws govern information sharing with the government and particular acts such as computer hacking or the unlawful interception of electronic communications, while other federal laws dictate specific rules that are applicable only to certain companies in critical infrastructure sectors.
State laws have a similar combination of general and sector-specific laws governing cybersecurity. California, for example, has its own financial services privacy law, the California Financial Information Privacy Act (CalFIPA), and medical information privacy law, the California Confidentiality of Medical Information Act (CMIA).
However, companies outside of critical infrastructure sectors such as finance and medicine are guided by generally applicable reasonable security and data breach notification statutes in state law. These laws hinge on the types of personal information that should be protected. Such statutes generally eschew the broad definitions of personal data contained in the General Data Protection Regulation (GDPR) – and, more recently, the California Consumer Privacy Act (CCPA) – in favour of key pieces of personal information such as a first name and last name in combination with another identifier (eg, social security number or financial account number).
Even the CCPA, which generally applies a broad definition of personal information for its privacy provisions, employs this narrower definition of personal information in the section providing a private right of action for victims of a data breach that is “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information”. These state definitions of personal information have expanded over time, with states increasingly including categories such as medical information, biometric information, and username and password.
Additional details about some of the most significant US cybersecurity laws are provided below.
Federal Trade Commission (FTC) Act
The closest the USA comes to an overarching cybersecurity law is Section 5 of the Federal Trade Commission (FTC) Act, which prohibits unfair or deceptive acts or practices affecting commerce. The FTC has interpreted Section 5 as imposing a de facto reasonable security standard on organisations conducting business in the USA. Section 5, however, does not apply to most not-for-profit organisations or businesses overseen by some other federal regulators, such as most financial services and much of the healthcare sector.
The FTC may bring two types of actions when enforcing Section 5. First, it may bring an enforcement action against an act or practice that it deems “unfair” in violation of Section 5. Unfair practices are those that are likely to cause substantial injury to consumers, which the consumers cannot reasonably avoid, and which are not offset by benefits to consumers or competition – for example, a failure to maintain reasonable cybersecurity. The FTC’s other principal type of enforcement action under Section 5 is against deceptive statements to consumers – for example, the FTC may allege that a company’s promises about security in its privacy notice are deceptive where the FTC believes a business has failed to live up to those promises.
The FTC Act does not include authority to impose monetary penalties in the first instance, so FTC settlements are typically limited to requirements that companies adopt particular security practices. Such practices may include, for example, commitments to routinely audit the company’s cybersecurity programme and regularly report on their compliance to the FTC. Many of these requirements can themselves be quite onerous and costly.
Even though the FTC Act does not provide for fines, in cases where it deems the violation particularly egregious, the FTC may nevertheless seek monetary penalties, sometimes relying on other statutes within its purview. Additionally, although monetary penalties are not included as relief under the FTC Act, once a company enters into a settlement with the FTC, the terms of the settlement may subject the company to future monetary penalties for alleged violations of the order. In one notable example, Facebook entered into an FTC settlement in 2012, in which Facebook promised not to misrepresent certain privacy practices; in 2019, the FTC alleged that Facebook had violated that order, and Facebook ultimately entered into a USD5 billion settlement with the FTC.
Sector-Specific Federal Laws
Sector-specific laws apply to many organisations, including the following:
Penalties vary by statute. Civil penalties for unknowing HIPAA violations can range from USD100 to USD50,000 per violation, with the potential for criminal penalties as well.
Other key laws at the federal level include the Computer Fraud and Abuse Act (CFAA), which prohibits several computer crimes, including hacking. Depending on the violation alleged, the CFAA authorises criminal penalties of between one and 20 years of imprisonment, as well as a private cause of action.
The Electronic Communications Privacy Act (ECPA) prohibits certain access to data in transit or when held by a stored communications provider or remote computing service, such as a cloud provider. Criminal penalties range up to five years' imprisonment, and a civil cause of action exists.
Numerous state laws also impose cybersecurity obligations that protect the personal information of their residents. Every state has some form of unfair or deceptive acts or practices statute, with similar obligations to Section 5 of the FTC Act. Several states have also adopted statutes requiring reasonable security, with state laws in Massachusetts, Nevada, and New York establishing more specific security requirements, such as encryption of any personal information transmitted over public networks or wirelessly.
All 50 states, Washington DC and the US territories have also adopted laws requiring notification to individuals and in some cases regulators in the event of a data breach. Notably, however, these data breach notification laws – as well as the reasonable security laws described above – apply to a narrow subset of information, typically including a name in combination with another element like social security number or other government identifier, financial account or credit card number, or, increasingly, health or biometric information.
Penalties for violations of state cybersecurity laws vary by state, with actual damages typically available along with, in some cases, statutory damages. The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act creates potentially significant statutory damages of up to USD5,000 per violation of the law’s reasonable security requirement. Attorneys general typically interpret a “violation” to mean each impacted individual in an incident, and so such statutory damages can be potentially very substantial; however, regulators will typically settle for well below the theoretical maximum penalty. The California Consumer Privacy Act (CCPA) creates a private right of action with statutory damages of up to USD750 per consumer whose personal information is accessed without authorisation due to a failure by a business to maintain reasonable security procedures.
As a common law system, the US approach to cybersecurity also includes an important role for the federal and state judiciary in developing common law norms, such as negligence and trespass, and applying them to complex cybersecurity issues. For instance, whether a given set of security practices is reasonable will ultimately be adjudicated in the courts, using norms informed by the common law as well as the interpretation of the relevant statutes.
Some significant aspects of the US cybersecurity regime are subject to industry self-regulation, most notably the Payment Card Industry’s Data Security Standard (PCI-DSS), which dictates the protections required for payment cards in much more detail than any federal or state law.
The National Institute of Standards and Technology (NIST), part of the Department of Commerce, has developed a Cybersecurity Framework that, while nominally voluntary for the private sector, has inspired several regulatory models that dictate the particular manner in which the US government assesses the cybersecurity of itself, its contractors, and the sub-contractors of its contractors, as well as those companies that are in various critical infrastructure sectors.
Regulatory enforcement of cybersecurity is both general and sector-specific in the USA. Some principal regulators include the following.
Federal Trade Commission (FTC)
The FTC asserts the broadest authority among federal regulators over for-profit businesses not otherwise subject to another regulatory authority. As discussed in 1.1 Laws, the FTC enforces its unfair and deceptive acts and practices jurisdiction, which it interprets as including unreasonable security practices resulting in substantial injury.
The financial services sector is overseen by numerous regulators depending on the type of entity supervised and the financial product or service. These include the Commodity Futures Trading Commission (CFTC), the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC). Self-regulatory agencies such as the Financial Industry Regulatory Authority (FINRA) and National Futures Association (NFA) have also issued rules applicable to cybersecurity.
The Securities and Exchange Commission (SEC) – and, specifically, its Office of Compliance Inspections and Examinations (OCIE), which has authority over certain registered advisers, broker-dealers and funds – has taken a leading role in promoting cybersecurity measures in the financial services sector. While the SEC has brought certain administrative enforcement actions, some of its most notable engagement has been through OCIE cybersecurity market conduct reviews (sometimes called “sweeps”). OCIE has listed cybersecurity as one of its top examination priorities since 2013 and has issued numerous guidance documents describing measures it views as elements of a robust cybersecurity programme.
The Department of Health and Human Services (HHS) – and, in particular, its Office of Civil Rights (OCR) – is responsible for enforcing HIPAA. OCR will investigate complaints and data security breaches with the potential to enforce both civil and, in some instances, criminal penalties. OCR is also tasked with conducting periodic audits of compliance by covered entities and their business associates.
At the state level, numerous regulators also come into play. State attorneys general play a leading role in enforcing cybersecurity laws across sectors, often joining together in multi-state groups to investigate companies experiencing data breaches. State departments of insurance oversee the cybersecurity of their regulated entities.
A particularly notable state regulator is the New York Department of Financial Services (NYDFS), which enforces a comprehensive regulation imposing specific cybersecurity requirements on its regulated entities (banks, credit unions and insurers, among others).
Specific investigative procedures vary by agency, and it is important to be aware of the rules and manner of practice before each regulator. Most regulators will typically begin with the issuance of a voluntary request for information or a mandatory Civil Investigative Demand (CID) or subpoena. Often companies are allowed or encouraged to make presentations to the regulator to discuss the regulator’s concerns and the company’s practices; this often leads to informal resolutions. Where the agency determines that violations have occurred, it may pursue administrative remedies that can be, but rarely are, challenged in court.
The USA is a federal system, with subnational state and even local laws playing important roles in establishing cybersecurity requirements, as described more fully in 1.1 Laws.
At the multi-national level, the USA participates in efforts to co-ordinate responses to cybercrime. The USA ratified the Budapest Convention, the first cybercrime treaty, aimed at harmonising national laws on cybercrime and increasing transnational co-operation. The USA has also entered into Mutual Legal Assistance Treaties (MLATs) on a bilateral basis with other nations to facilitate co-operation, though some of the mechanisms contemplated by these treaties can be slow to implement.
Due to delays and difficulties associated with MLATs, among other things, the USA enacted the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act creates a mechanism for the executive branch to enter into treaties with foreign governments to expedite the cross-border flow of data in response to law enforcement requests for electronic data held by providers in foreign jurisdictions. The first CLOUD Act treaty was entered into between the USA and UK in 2019.
Relations with the European Union have focused on the adequacy of US privacy laws, which led to the Safe Harbor and Privacy Shield agreements, both of which were invalidated by the Court of Justice of the European Union. The USA has also spearheaded the APEC Cross-Border Privacy Rules (CBPR) System, which is an effort to create a level international playing field by establishing internationally recognised standards.
Since 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has led efforts to co-ordinate the US government’s approach to cybersecurity as well as its outreach to private companies.
Many private organisations participate in Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs), which share threat intelligence, including from government sources. Financial services organisations may, for example, participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit entity created by industry participants that also co-operates closely with the Department of Treasury. In total, 25 sector-specific ISACs are currently members of the National Council of ISACs, covering sectors ranging from the Automotive ISAC to the Elections Infrastructure ISAC.
The creation of these organisations was encouraged by the 1998 Presidential Decision Directive/NSC-63 on Critical Infrastructure Protection. Following up on the success of these efforts, a 2015 executive order further directed the Department of Homeland Security (DHS) to strongly encourage the development and formation of ISAOs.
The DHS has instituted a Cyber Information Sharing and Collaboration Program (CISCP), through which it shares unclassified threat intelligence information via public-private networks in the critical infrastructure sector. Additionally, the United States Computer Emergency Readiness Team (US-CERT) provides national threat intelligence and works to assist critical infrastructure in responding to cybersecurity threats. DHS also operates an Automated Indicator Sharing (AIS) capability that shares real-time threat indicators and defensive measures.
The FBI and other elements of the Intelligence Community likewise share information with private sector companies through a variety of programmes such as the FBI’s InfraGard private-sector partnership programme.
The USA currently follows a largely sectoral/subnational (state-based) model for enforcement, although some agencies have broad authorities. As noted, the FTC is the principal federal cybersecurity regulator, enforcing its unfair and deceptive acts and practices requirements pursuant to Section 5 of the FTC Act. Likewise, CISA and NIST provide guidance and assistance across the federal government and sectors of US industry, often using a voluntary, co-regulatory approach.
Other federal regulators operate on a sectoral enforcement basis, with agencies like the SEC, in particular OCIE, reviewing cybersecurity compliance for regulated advisers and broker-dealers, and similarly, HHS, in particular OCR, providing oversight over healthcare entities.
Numerous state cybersecurity requirements are also in place. Data breach notification laws are now in place in all 50 US states, as well as in Washington DC and three US territories. On top of those data breach laws, multiple states also have additional security requirements. Most of these states require some version of “reasonable” security, though some have more express requirements. Massachusetts was the earliest state to adopt specific security requirements by regulation, including, among other things, the development of a written information security programme and encryption of all covered data on mobile devices and transmitted across public networks.
In recent years, New York has adopted more specific cybersecurity laws and regulations. The NYDFS adopted some of the strictest requirements for organisations under its supervision. These include data breach notification within 72 hours, penetration testing, and multi-factor authentication. This model has spread throughout the insurance sector, which is subject primarily to state oversight. The New York SHIELD Act adds a reasonable security requirement along with specific measures that will satisfy that requirement, which may be interpreted by regulators or plaintiffs’ attorneys as the appropriate standard of security.
The year 2020 saw further significant developments in US cybersecurity law. A host of pandemic-related cybersecurity issues arose, including, most distressingly, a series of ransomware attacks on hospitals and other parts of the healthcare system, which challenged the willingness of regulators to find the victim institution at fault for failing to stop a given cyber-attack. Some of the other key highlights are as follows.
The FTC continued to assert its regulatory oversight authority. In one significant settlement, the FTC imposed requirements on Zoom to enhance its security practices and maintain a comprehensive information security programme. The implications of such a settlement exceed the immediate prescriptive requirements of the settlement itself, as the FTC may use such settlements to enforce future compliance. Facebook, for example, paid a USD5 billion settlement in 2019 not because it violated a specific law, but because it allegedly violated the terms of a prior FTC order.
Federal legislation passed in 2020 will create new standards for Internet of Things (IoT) devices, specifically requiring NIST to create standards for IoT devices and prohibit the federal government from procuring devices that do not meet these standards.
The California Consumer Privacy Act (CCPA) became operational on 1 January 2020, and enforcement began in August 2020. While many organisations focus on the CCPA’s privacy requirements, one of its most significant features is the creation of a private right of action for individual plaintiffs in the event certain personal information is compromised as a result of a business’s failure to maintain reasonable security measures. Statutory damages in these actions range from USD100 to USD750 per consumer per incident.
In November 2020, California voters also approved the California Privacy Rights Act (CPRA). Beginning in 2023, the CPRA expressly specifies that breaches of personal information subject to the CCPA’s private right of action may not be cured through the implementation of security measures. The law authorises the California Attorney General to issue regulations requiring businesses whose processing of personal information presents a significant risk to the privacy and security of individuals’ personal information to perform a cybersecurity audit on an annual basis. These regulations are required to be issued prior to 1 July 2022, with enforcement commencing the following year.
The NYDFS brought its first cybersecurity enforcement action in August 2020, arguing that First American Title Insurance Company (First American) violated regulations issued by NYDFS by failing to fix a vulnerability first identified by First American in 2018. Violations of NYDFS’s cybersecurity regulations are punishable by up to USD1,000 per violation or up to USD5,000 per intentional violation. NYDFS asserts that each unauthorised disclosure of non-public personal information constitutes a separate violation, which could create the potential for substantial damages.
The New York SHIELD Act went into effect in March 2020. The law expands New York’s breach notification and data security requirements, requiring notice based on the compromise of biometric information or usernames and passwords, among other things. It also imposes a requirement to provide reasonable security for certain categories of personal information, which can be achieved by adhering to specific data security requirements. While that safe harbour may provide some protections, it may also be used to establish what is meant by “reasonable” security, so organisations should carefully review their security programmes to ensure they meet the standards set out in the Act.
The District of Columbia also amended its data breach notification law to add new cybersecurity requirements, including the expansion of its definition of personal information and imposing a “reasonable” security standard.
State privacy and cybersecurity bills in other states continue to advance in 2021, including potential legislation in Virginia, as well as Maryland, Michigan, Minnesota, Texas, Florida, and even traditionally less progressive states such as Mississippi, North Dakota and Oklahoma. Companies should carefully monitor these developments.
A Federal Privacy Law?
Rapid advancement of aggressive data protection laws in at least a dozen states has increased attention on the prospect of a federal data protection law, which could include national breach notification or security requirements. A bill introduced by four Republican Senators in autumn 2020, for example, would have created a national reasonable security requirement for the protection of covered data. Disagreements over issues such as pre-emption of state laws and whether to include a private right of action have long stalled passage of such legislation; however, it is possible that with single-party control of the US presidency, the House, and the Senate (albeit by narrow margins in both the House and Senate), these issues could be resolved.
Encryption remains a hot topic in the USA, especially as the Court of Justice of the European Union’s Schrems II decision seems to encourage organisations to use it to combat potential US government access to personal data. Law enforcement, however, argues that organisations encrypting data should create back doors to provide law enforcement access to some information transmitted in the commission of a crime and to better protect the American people. Privacy advocates and some technology companies argue that encryption is an important tool for resisting government snooping.
Internet of Things Security
California passed the first-in-the-nation IoT law in 2018, which went into effect in January 2020. With the continued boom in IoT devices along with increased bandwidth, cybercriminals may attempt to exploit these devices, either to steal personal information or to co-ordinate denial-of-service attacks on other organisations. These risks may increase focus on IoT security. NIST has already been charged with creating standards for IoT security, and such security issues may gain new traction in 2021.
New State Laws
Even if no federal data protection law is passed, we are likely to see additional efforts at the state level to adopt stricter data protection laws. Washington state, for example, has come close to passing a data protection bill in each of the last two years, only to come up against legislative deadlines. A bill was once again introduced this year that would, among other things, require companies falling within its scope, including service providers, to implement reasonable security procedures.
Please see 1.1 Laws.
Please see 1.2 Regulators.
The Cybersecurity and Infrastructure Security Agency (CISA) is the closest body to a single overarching cybersecurity agency in the USA, although authority remains scattered across several agencies. For a discussion of regulatory enforcement agencies, please see 1.2 Regulators. DHS has been tasked with co-ordinating cybersecurity threat intelligence sharing, as described more fully in 1.5 Information Sharing Organisations.
The USA does not currently have a Data Protection Authority in the EU sense, although the FTC has some aspects of one. Please see 2.2 Regulators.
Multiple financial services and other sectoral regulators exist. Please see 2.2 Regulators.
Please see 2.2 Regulators.
In general, cybersecurity frameworks such as the NIST Cybersecurity Framework and ISO 27001 are consulted by US organisations and considered authoritative (or at a minimum persuasive) in benchmarking cybersecurity controls. The Federal Financial Institutions Examination Council (FFIEC) adapts the NIST framework to financial services, while the Cybersecurity Maturity Model Certification (CMMC) provides a standard for the defence-industrial base, which is consistent with the NIST framework. Ohio’s Data Breach Act expressly provides an affirmative defence based on adherence to such frameworks, as well as, among others, to the Payment Card Industry Data Security Standard (PCI-DSS).
Other relevant controls include the 20 Critical Security Controls (CSCs) issued by the Center for Internet Security (CIS), which the California Attorney General’s 2016 California Data Breach Report defines as the minimum standard for reasonable security. The controls include identifying the hardware and software connected to a network, implementing secure configurations, limiting administrator privileges, assessing and patching vulnerabilities, securing critical assets, putting in place key defensive measures, blocking vulnerable access points, monitoring accounts and network audit logs, and training, testing and planning.
The NIST framework is commonly applied in the USA, and variants of it are becoming essentially mandatory in the financial services and defence sectors. Nonetheless, some organisations, particularly those with more of an international presence, frequently certify to ISO 27001. As noted in 3.1 De Jure or De Facto Standards, other frameworks may provide an affirmative defence under Ohio law, and the California Attorney General’s office has specifically referred to the CIS’s 20 CSCs.
Data security laws in the USA generally refer to some version of reasonable security, which to some degree is informed by common law norms of negligence. Various agencies, interpreting dozens of statutes, articulate specific requirements for particular sectors or states; often the result is a complex tangle of legal requirements that must be synthesised for interstate, cross-sector and international computer systems. At the federal level, for example, the FTC interprets its “unfairness” authority to require that regulated entities put in place appropriate security procedures. The HIPAA security rule imposes general requirements, including ensuring the confidentiality, integrity and availability of electronic PHI, identifying reasonably anticipated threats, and ensuring compliance from employees and other members of the organisation’s workforce. Some state and sector-specific laws have more detailed requirements, as detailed below.
Please see 1.4 Multilateral and Subnational Issues.
Affirmative security requirements vary by sector and state, based on dozens of different laws. Please see 1.1 Laws and 3.3 Legal Requirements.
As discussed in 9.2 Public Disclosure, public companies are required to disclose material cybersecurity incidents. This includes not only the theft of personal data but also other business data, to the extent access to or theft of such data would be material to the company.
Additionally, while most security statutes and data breach notification laws in the USA relate to personal information, the NYDFS regulation also applies to business information that would cause a material business impact to the covered organisation if subject to public disclosure.
CISA, created by the Cybersecurity and Infrastructure Security Agency Act, is the federal agency responsible for critical infrastructure protection. Other federal guidance has been issued respecting particular sectors, including the chemical, electrical and transportation sectors.
Hackers responsible for denial-of-service attacks may be subject to criminal enforcement under US laws, including the CFAA. Businesses whose endpoints may be used by hackers to propagate these attacks may be subject to various security requirements; however, no victim (either the subject of the attack or a business whose systems were compromised to effect such an attack) has thus far been subject to enforcement action.
Internet of Things (IoT)
The California Internet of Things (IoT) Law, SB 327, became effective on 1 January 2020 and requires the manufacturer of a connected device to include reasonable security features that are appropriate to the nature and function of the device and the information it collects. The law provides that, for devices that authenticate outside of a local area network, it is a reasonable security feature if either the pre-programmed password is unique to each device or a new means of authentication must be generated before access is granted to the device for the first time.
Pursuant to the federal IoT Cybersecurity Improvement Act of 2020, the director of NIST will develop, in consultation with private industry, cybersecurity guidelines for all IoT devices used in government contracts.
Supply chain risk is a factor in federal contracting. Addressing supply chain risk falls within CISA’s mandate. In the defence sector, Defense Federal Acquisition Regulation Supplement (DFARS) clause 239.730 authorises the Department of Defense (DoD) to manage supply chain risk. The DoD may opt against using sources that do not meet its standards for managing supply chain risk.
Other Data or Systems
Please see 1.1 Laws and 1.2 Regulators.
All 50 US states, Washington DC and three US territories have some form of breach notification law; no one standard exists for breach notification in the USA. In general, a security incident is potentially reportable if there is acquisition of personal information (specifically, see 5.2 Data Elements Covered). In some states, access to personal information alone, without proof that the personal information was taken by an unauthorised actor, is sufficient to potentially trigger notification. Good faith but unauthorised access to or acquisition of personal data by an employee generally does not trigger notification.
Some federal sector-specific laws also require notification for certain security incidents and may sometimes override state rules. HIPAA, for example, may require notification in the event of a security incident impacting PHI and generally does not pre-empt state breach notification laws, although some states waive application of their data breach laws where HIPAA applies.
The data elements covered by US state breach notification laws vary by state. Some states, such as Pennsylvania, focus principally on government or financial identifiers, potentially requiring notice where the first name (or first initial) and last name are compromised along with data elements like social security number, driver’s licence number, or financial account information together with the required security code that would allow access to a financial account. Increasingly, state breach notification laws are covering additional information, such as health or medical information, biometric information, as well as username and password combinations.
HIPAA covers PHI, which is health information processed by HIPAA-covered entities or their business associates, and includes individually identifiable health information, such as demographic data, medical histories, test results, insurance information and other similar information used to identify a patient or healthcare provider.
Most US data breach notification statutes are agnostic as to the type of system potentially impacted, but instead turn on the type of data – whether it is in electronic or paper form and includes the elements described in 5.2 Data Elements Covered about a resident of the state. Again, there are state-by-state variations. For example, 11 states potentially require notification in the event that paper, not just electronic, records are compromised.
HIPAA applies only to the systems of covered entities and their business associates.
The US Food and Drug Administration (FDA) is the primary regulator for medical devices, and works with federal government agencies, members of the private sector, device manufacturers, and others to protect the security of medical devices. The FDA has issued guidance on security requirements for medical devices and issues cybersafety communications if it identifies vulnerabilities that could pose risks to existing products. Device manufacturers are required to follow federal quality system regulations (QSRs), which include the obligation to address cybersecurity risks, and also to report to the FDA when their device may have caused or contributed to death or serious injury, or may have malfunctioned in a way that could cause death or serious injury in the future.
CISA has issued best practices for industrial control system cybersecurity, but it is focused primarily on critical infrastructure. In addition, sector-specific regulators for the various industries that depend on SCADA systems have set requirements for those particular industries.
Please see 4.5 IoT, Supply Chain, Other Data or Systems.
Reporting to individuals under US state breach notification laws turns on the unauthorised acquisition of – or in some cases, access to – certain data elements, as summarised in 5.1 Definition of Data Security Incident or Breach and 5.2 Data Elements Covered. Timing of notices varies by state and sector, with Colorado, Florida and Maine requiring notice within 30 days of discovery of the notifiable event, while the NYDFS requires notice in 72 hours and one banking agency (the FDIC) recently proposed a 24-hour notice requirement.
Reporting triggers to state regulators, typically the state attorneys general, vary widely by state, with some states requiring notice to attorneys general in the event that even one state resident’s personal information is compromised, while others are triggered only when the number of individuals passes a certain threshold (California, for example, requires notification only if 500 or more of its residents are receiving notice), and some states (such as Michigan and Pennsylvania) do not require notice to regulators at all. As with individuals, the timing of notification varies by state, with many states requiring notification to regulators at or before the date notices are sent to individuals.
Some states require notification to credit reporting agencies (CRAs) in the event that a specified number of their residents are notified. For example, New York requires reporting to the big three CRAs – Equifax, Experian and TransUnion – in the event that 5,000 or more New York residents are to be notified. Increasingly, customer contracts will also include notification requirements, sometimes with time periods as short as 24-48 hours, or “immediately.”
Under HIPAA, notification to OCR is required within 60 days of the end of the calendar year in which a breach is discovered for breaches involving PHI of fewer than 500 individuals and without unreasonable delay in matters involving more than that number (and in no event more than 60 days).
Consideration of the risk of harm to individuals is the majority rule in the USA and is allowed in at least 30 of 50 US states, as well as under HIPAA, before notification is required.
When relying on risk of harm to assert that notice is not required, reporting of the rationale for the determination is required to the attorney general under Florida and Vermont law, and record-keeping is required in several other states.
The Cybersecurity Information Sharing Act (CIS Act) and ECPA permit companies to monitor network traffic for information security purposes and to adapt certain defensive measures. The CIS Act also provides liability protection for organisations conducting such monitoring or deploying such defensive measures on their systems in compliance with the Act. Defensive measures may not destroy, provide unauthorised access to, or otherwise harm information systems that do not belong to the private entity deploying the measures or another entity that has consented to the deployment of such measures.
Email monitoring is generally permissible where an employer has provided notice to and obtained the consent of its employees for such monitoring. Consent is considered valid even if the employee must consent or lose their job. Absent notice and consent, employees may assert tort law claims alleging that the employer violated their reasonable expectation of privacy in the emails, although such claims may be pre-empted by the CIS Act.
Privacy laws such as the CCPA have the potential to impact a business’s ability to protect the security, integrity and confidentiality of its data and systems. For example, hackers may seek to fraudulently use certain data subject rights to gain access to personal information that could subsequently be used for phishing or other illegal purposes. That risk emphasises the need for organisations responding to such requests to have in place robust procedures for verifying the identity of individuals seeking to avail themselves of privacy rights.
With that said, the CCPA, and regulations adopted by the California Attorney General, take into account some cybersecurity risks. For example, under the CCPA, service providers are generally not allowed to use the personal information of California residents for purposes other than providing specified services to a business. Regulations issued by the California Attorney General, however, make an exception for uses to detect data security incidents or protect against illegal activities.
Certain federal agencies are required to disclose non-confidential threat intelligence information to the private sector. For examples of such disclosure obligations, please see the response to 1.5 Information Sharing Organisations.
Private organisations are generally not required to disclose threat intelligence information to regulators. However, companies may be required to provide access to other information to facilitate government cybersecurity investigations. For example, the Communications Assistance for Law Enforcement Act (CALEA) requires certain telecommunications organisations to create mechanisms for law enforcement to conduct certain approved surveillance activities. ECPA likewise anticipates certain lawful government requests for access to electronic communications.
For examples of voluntary information sharing organisations, please see 1.5 Information Sharing Organisations. The CIS Act also creates pathways for information sharing, including by exempting threat intelligence information from disclosure under the Freedom of Information Act (FOIA).
The FTC and state attorneys general are some of the primary cybersecurity enforcers in the USA. The FTC in particular has played a key enforcement role, bringing more than 70 lawsuits alleging inadequate protection of personal information as of February 2020. Key recent FTC enforcement actions include its USD5 billion 2019 settlement with Facebook that, among other things, required the social media giant to implement a comprehensive data security programme. In November 2020, the FTC settled an action with Zoom alleging deceptive statements regarding its security features, including that meeting recordings were encrypted when they could in fact remain unencrypted for up to 60 days before being transferred to a secure server.
State attorneys general also continue to play significant roles in enforcement. Among other recent settlements, state attorneys general, working together in a multi-state investigation and enforcement involving 43 state attorneys general, settled with Anthem for USD39.5 million over a 2014 data breach involving the records of approximately 80 million individuals, and entered a USD17.4 million settlement with Home Depot over that company’s well-publicised 2014 payment card breach.
Please refer to 8.1 Regulatory Enforcement or Litigation.
As has been noted, regulators – including the FTC, other federal regulators, and state attorneys general – may seek to enforce unfair or deceptive acts and practices statutes, typically requiring a showing that a company made a false or misleading statement (potentially including through omissions) about its cybersecurity practices, or some general unfairness related to the same. Some statutes enforced by regulators may include data breach notification statutes requiring notice within specified timeframes or security statutes generally requiring some form of reasonable security, though in the case of some states more specific measures are entailed.
Private plaintiffs may pursue numerous theories in litigation related to the unauthorised access to or acquisition of personal information, including the following.
A breach of contract claim requires proof either of an express contractual promise or an “implied contract” to protect personal information. The latter theory receives mixed treatment in the courts, with some courts finding that transactions do not carry with them promises to protect certain information, including payment card information, while others find a duty to protect certain sensitive information.
Private plaintiffs frequently allege that a breached organisation was negligent in failing to protect their personal information. To establish this allegation, plaintiffs must prove that the organisation had such a duty, and failure to do so is often a basis for dismissal. Some recent decisions have nonetheless found duties to protect certain sensitive information. For example, the Pennsylvania Supreme Court held in Dittman v UPMC that employers had a duty to protect their employees’ sensitive personal information in some circumstances.
Consumer protection statutes
As with regulators, private plaintiffs may sometimes bring claims alleging unfair or deceptive acts or practices. “Unlawfulness” may be an additional theory under such actions, requiring proof not of any false statement or general unfairness, but instead the violation of a particular law.
Public companies (and their directors and officers) experiencing a data breach may also face allegations under various securities laws. These include derivative actions under which shareholders will assert that the directors and officers of a corporation breached their fiduciary duties by committing gross mismanagement, wasting corporate assets, or failing to adequately oversee corporate operations. These claims may often be dismissed, however, because plaintiffs must first establish either that they asked the board of directors to bring such a suit and the board wrongfully disagreed or found that it would be futile to make such a request.
One common defence to data breach lawsuits brought by private plaintiffs is that the plaintiffs lack “standing” – ie, that the suit is not properly presented before the court. In US federal courts, standing requires proof of, among other things, injury in fact, meaning the assertion of a cognisable injury to the plaintiffs. That injury must be sufficiently concrete; in other words, it must actually exist. The US Supreme Court has held that a real risk of harm may satisfy that standard in some situations.
Since most individuals whose personal information is potentially accessed will suffer no such injury, however, plaintiffs have historically struggled to meet the requirements for standing. However, some more recent cases have begun to reverse that trend, and US courts are currently divided on the question.
Private litigation is a significant threat related to cybersecurity incidents in the USA, often relying on the causes of action described in 8.3 Applicable Legal Standards. Some significant litigations include the following.
Equifax, one of the big three US credit reporting agencies, experienced a data breach impacting the records of approximately 150 million US individuals in 2017. Equifax faced both regulatory enforcement and private litigation. The agency settled these claims in a settlement of up to USD700 million. Separately, a class action alleging fraudulent statements in Equifax’s public securities filings settled for USD149 million.
Yahoo! finalised its settlement in the consumer class action In re Yahoo! Inc. Customer Data Sec. Breach Litig. in August 2020. The settlement resolved the claims of approximately 194 million class members, requiring Yahoo! to pay USD117 million. The settlement covered several alleged data breaches occurring between 2013 and 2016. Separately, in 2019, the former directors and officers of Yahoo! agreed to a USD29 million settlement in a derivative action alleging that they had breached their fiduciary duties by failing to adequately protect customer data. The SEC also obtained a USD35 million penalty.
Anthem, Inc, settled a consumer class action relating to the alleged theft of some financial and medical records of up to 80 million individuals announced in 2015 for USD115 million. The company settled separately with regulators, including a settlement with HHS for USD16 million.
Class action lawsuits are a common feature of US cybersecurity litigation. In addition to some of the defences described in 8.3 Applicable Legal Standards, including standing, a class action may be defeated where plaintiffs fail to prove all of the elements required for certification by the court. Among other things, certification of a class seeking monetary damages requires proof that common questions of law and fact predominate, which can be difficult to prove where most class members will experience limited to no harm, with only a small number experiencing identity theft or other potential actual injury.
Cybersecurity is an increasingly critical part of transactional diligence. Such diligence will assess cybersecurity risks as well as the administrative, technical and physical measures adopted to mitigate those risks. An initial step is to understand the categories and significance of the data the target collects and how it uses and shares that information. Personal data is always a focus, but other types of sensitive data such as confidential information, trade secrets and additional critical data should not be forgotten. Diligence should also ascertain where such data is collected geographically to understand the particular obligations that may ensue.
At the same time, equal weight is placed on the governance structures that are present (or absent) as an indicator of whether the company operationalises its policy commitments.
After conducting an initial assessment of the potential risks associated with the data a target collects and processes, diligence should be conducted on the security controls that are in place. Such diligence may include review of applicable policies and procedures implemented by a target, its governance structure, past data security incidents, audits or other past penetration tests, certifications, or other documented adherence to data security frameworks such as ISO 27001 or NIST.
The company’s understanding and management of its third-party vendor cybersecurity exposures should also be a key aspect of cybersecurity diligence. A company that has substantial controls over the confidentiality, integrity and availability of data within its own network, but fails to analyse and address supply chain and vendor risk, can present significant cybersecurity risk.
Depending on the risks associated with the data processing activities, the size of and other associated factors related to the transaction, a more detailed review may be appropriate, including a deeper dive by cybersecurity practitioners, typically directed by counsel, or even vulnerability scanning or penetration testing. Such forensic reviews are necessarily more intrusive and can be conducted pre-closing or post-closing, taking into account the level of risk.
Public companies are required to notify investors of material risks to their business. Guidance issued by the SEC in 2018 specifically states that such material risks may include cybersecurity risks. Additionally, the SEC guidance notes the importance of timely disclosure regarding material breach incidents. Even where an incident is not considered material, a company should avoid disclosures implying that the company “may” experience breach incidents only in the future when it has already experienced non-material incidents in the past. Such past incidents should also inform the language of any risk factors contained in company disclosures as well as the presence of appropriate insurance protections.
The new Biden Administration appears ready to re-assert a White House National Security Council leadership role to address cybersecurity risk. Previously both Republican and Democrat presidents had supported a key White House cybersecurity position, only to have it eliminated by former President Trump. President Biden’s support for this position – sometimes called the “cyber czar” – may well lead to enhanced federal co-ordination and focus on cybersecurity issues.
In the USA, 2021 holds the promise of many changes in the field of cybersecurity. A new President was sworn in on 20 January 2021, and with the new Administration there are likely to be significant regulatory and potentially legislative developments at the federal level, particularly with respect to cybersecurity in light of the recent Russian attack on the federal government. The most recent Russian supply-chain attack, which resulted in the theft of “red-team” tools from the cybersecurity firm FireEye – coupled with the multiple Russian attempts to alter US elections – will no doubt lead to a robust foreign policy response, likely including the recreation of a "cyber czar" within the White House, and a robust role for a co-ordinated federal response to nation-state attacks.
At the same time, an unlikely alliance of political progressives and right-wing libertarians – opposed to monitoring by government or big business alike – may push US states to advance privacy and cybersecurity legislation, with the increasing likelihood of state regulatory enforcement as well. All of this is against the background of a global pandemic that has increased cybersecurity risks, particularly phishing and ransomware, as organisations are increasingly operating from a work-from-home model.
Cybersecurity threats continue to proliferate in the USA and across the globe. Particularly in light of COVID-19, cybercriminals are increasingly finding new ways to take advantage of employees and gain access to employer systems through phishing. Many such attacks may lead to the deployment of ransomware, often in conjunction with data exfiltration. "Zero-day attacks" and other exploitation of vulnerabilities remain a threat as well. If not already in place, organisations should implement key cybersecurity measures, including:
At the Federal Level
Federal privacy legislation
The most significant potential legislative development in the USA would be the passage of a federal data protection law. Advocates and industry players alike have long called for such a law without success. Leading into 2020, however, the adoption of significant and demanding new privacy and data security requirements in states across the country – such as the California Consumer Privacy Act (CCPA) and New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, as well as the likelihood that other states would pass similar legislation – spurred new efforts to create a centralised US data protection framework. Those efforts fell by the wayside as attention understandably shifted to responding to the COVID-19 pandemic. However, with a new year and a new Administration, there is a growing likelihood that Congress may pass data protection legislation.
Significant obstacles remain, chief among them being questions of whether pre-emption by the federal law will invalidate corresponding state laws, whether the USA will hold fast to a sectoral approach to privacy, and whether the federal law will create a private cause of action. If a federal privacy law pre-empts state laws, it is likely that at least some provisions of state privacy laws, like the CCPA, would be invalidated.
Federal data protection legislation, including breach notification provisions, may also pre-empt the complex web of state data breach notification laws enacted by all 50 states and three US territories, though no proposal to date has included any such notification provisions. Seeking to harmonise privacy legislation across the USA, many in the industry advocate for federal pre-emption, but privacy advocates argue that any federal law should not pre-empt prescriptive state laws.
The compromise that is likely feasible is for corporate interests and public interests to trade pre-emption for a federal cause of action for civil class action remedies, but it remains to be seen whether this is palatable to either side. Doing so would allow plaintiffs’ attorneys to enforce the law in court, increasing the potential risks of non-compliance. At the same time, including a private cause of action could expose companies to opportunistic plaintiffs’ attorneys seeking to maximise their fees without corresponding benefits to data protection.
Infrastructure as a service
While the passage of federal privacy legislation is, at this point, speculative, we know that two important regulatory developments will occur in response to executive orders signed before the change in administration. Executive Order (EO) 13984, signed the day before the inauguration, mandates that the Secretary of Commerce issue regulations for notice and comment within 180 days requiring infrastructure as a service (IaaS) providers to verify the identity of foreign customers. The regulations would cover minimum standards for identity verification and record-keeping requirements. IaaS is a cloud service that provides organisations with server infrastructure, in lieu of having to maintain servers themselves.
Additional regulations would authorise the Secretary of Commerce, in consultation with others, to impose special measures on IaaS providers operating in a foreign jurisdiction in which IaaS is offered for malicious purposes, or if there is a pattern or practice of the IaaS provider offering services in the USA for malicious purposes. Lastly, the EO provides for consultation on additional information sharing among IaaS providers.
Internet of Things (IoT)
We may also expect new federal guidelines on Internet of Things (IoT) devices used by federal agencies. The IoT Cybersecurity Improvement Act of 2020 will require the National Institute of Standards and Technology (NIST) to institute guidelines on the use and management of IoT devices by early 2021. These guidelines will be used to update agencies’ policies and procedures and may also have ripple effects on government contractors who may need to comply with the same.
At the State Level
Many key privacy developments in the USA occur not at the federal, but at the state level. Last year alone, in California the CCPA, with its significant privacy and cybersecurity requirements, went into operation, and voters passed the California Privacy Rights Act (CPRA), which will expand upon the CCPA. The New York SHIELD Act became effective, expanding data security requirements and adding the potential for significant statutory damages in the event of a violation. Additionally, states around the country considered new data protection legislation that could significantly expand compliance requirements. Virginia currently appears poised to pass new privacy legislation; other states – including Washington and New York – have bills under consideration, and companies should continue to carefully monitor developments.
The New York Department of Financial Services (NYDFS), with oversight over insurance companies, state-chartered banks and trust companies, and others, has issued some of the most prescriptive cybersecurity requirements in the USA. Among other things, NYDFS regulations require notification to the agency within 72 hours of discovery of a data breach, the appointment of a chief information security officer, a risk assessment, penetration testing and multi-factor authentication.
The full NYDFS regulations became effective in March 2019. The first NYDFS enforcement action was brought in August 2020, alleging that First American Title Insurance Company failed to address a known vulnerability, potentially resulting in the exposure of bank account and social security numbers. Penalties under the regulations range up to USD1,000 per violation or up to USD5,000 per intentional violation, with most regulators interpreting “violation” as meaning each individual whose information may have been exposed. With NYDFS’s first enforcement action underway, we expect to see continued activity, particularly in light of the potentially significant damages available.
NY SHIELD Act
Coming into effect this past year, the NY SHIELD Act creates new data security and breach notification requirements. The NY SHIELD Act provides for potentially significant statutory damages (up to USD5,000 per violation of the law’s reasonable security requirement). The NY Attorney General has not exercised enforcement power under the statute to date, but we expect to see more active enforcement going forward.
The California Consumer Privacy Act (CCPA) went into operation on 1 January 2020, and instituted a new private right of action for data breaches compromising certain information that result from the failure to implement reasonable security (including statutory damages of up to USD750 per affected individual). This right of action has surprisingly been used on only a limited basis by plaintiffs’ attorneys thus far, perhaps because most data breaches occur years before they are litigated, and the right of action has only been available for a year. All the same, we expect to see increasing focus on this tool going forward.
Additionally, the California Privacy Rights Act (CPRA) expands on the CCPA in certain important respects. Notably, in the field of cybersecurity, it authorises the California Attorney General to issue regulations requiring businesses whose processing of personal information is considered a “significant risk” to the privacy and security of personal information to conduct a cybersecurity audit on an annual basis. Both the meaning of “significant risk” and the requirements of the audit may be determined by the regulations.
States throughout the USA continue to consider the expansion of their data protection regimes, following California and others. For example, Washington state has been expected for the past two years to pass a data protection bill including certain cybersecurity requirements, but these efforts have been foiled by legislative deadlines. However, a third bill, the Washington Privacy Act, is already under consideration.
New York is also considering the New York Privacy Act, a bill that, if passed, would potentially be more expansive than the CCPA. With the SHIELD Act already in effect, New York will certainly be a state to watch in 2021. Meanwhile other states, such as Virginia, Maryland, Michigan, Minnesota, Texas, Florida, and even traditionally less progressive states such as Mississippi, North Dakota and Oklahoma all have active privacy bills.
With a new presidential Administration, US legislative developments should be carefully monitored. While federal legislation may be in the offing, it is likely that, in the short term, companies will need to comply with a hodgepodge of state laws and regulations, as well as federal laws applicable to specific sectors or the FTC’s general unfair or deceptive practices jurisdiction. At the core of these laws remains the concept of reasonable security, an amorphous concept, which requires periodic review of a company’s cybersecurity practices to ensure they are in line with industry practices as well as applicable regulatory guidance.