A Short & Happy Guide to Privacy and Cybersecurity Law
Author:
Garon, Jon M.
Edition:
1st
Copyright Date:
2020
11 chapters have results for cybersecurity
Chapter 7. Data Breach Notification Laws 23 results (showing 5 best matches)
- Like the state disclosure laws, the underlying goal for the SEC is most likely to push companies to invest in cybersecurity before incidents occur and remind the corporate executives that the consequences for cybersecurity breaches may include insider trading review and other serious consequences to the organization. The SEC focus on cybersecurity should help motivate corporate executives to invest in the physical and technological safeguards essential to good cybersecurity hygiene and to invest their time and effort in the administrative safeguards so that cybersecurity is a priority in every publicly traded company.
- Ohio has enacted a safe harbor into its law to promote good data security practices. Among the ways to be protected by the Ohio safe harbor, a company must “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework. . . .” The statute also provides details on what such a cybersecurity program would look like.
- As the concerns about cybersecurity have increased, the SEC has also become increasingly active in addressing cybersecurity concerns among financial institutions and for the “issuers,” public companies that issued securities on a public market and have their stocks traded on national security exchanges. Noting the significance of data security risks, the SEC published guidance stating “that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
- Under the SEC regulations, companies must adopt appropriate security procedures, publish adequate privacy policies, and inform the public of material risks to their cybersecurity. Although Congress did not adopt a new law directly related to cybersecurity for a publicly traded company, the SEC required that such a company “consider the adequacy of their cybersecurity-related disclosure” when meeting their disclosure requirements under the Securities Act and Securities and Exchange Act.
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
Chapter 10. Sectoral Privacy: Banks, Financial Institutions, and Lending Activities 34 results (showing 5 best matches)
- protection. As concerns about cybersecurity increased in the past decade, many federal agencies have expanded the regulatory obligations to provide robust cybersecurity and to increase corporate transparency about cybersecurity issues.
- For the purposes of data privacy and securities regulations, the regulatory focus has been on the duties of publicly traded companies. The Securities and Exchange Commission (SEC or Commission) has stated that “cybersecurity risks pose grave threats to investors, our capital markets, and our country. . . . It is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
- Since 2011, the SEC has required companies to provide public information on cybersecurity risk and security incidents. The SEC acknowledged that data security was not listed in the text of the legislation, but since significant cybersecurity risks and known security incidents were material to the investors regarding the financial status of the company and its managerial operations, reporting companies were required to provide meaningful information.
- Public companies generally resisted the obligation to report on cybersecurity risks, with most providing only the vaguest of disclosures. Some companies believed the background risks of cybersecurity were everywhere, so that it was not a material factor for any particular company. Other companies asserted that providing any form of detailed information would only assist criminal actors in their efforts to hack the public companies.
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
Chapter 1. Introduction 12 results (showing 5 best matches)
- Cybersecurity can be thought of as the reasonable duties that an enterprise must undertake to assure that the information it has collected is not misused by individuals within the enterprise or by outside third parties. Cybersecurity requirements outline the steps needed to assure the continued confidentiality, integrity, and availability of the data.
- Administrative safeguards are the third feature of an effective cybersecurity plan. These are the policies and practices that assure an enterprise operates its cybersecurity policy in a strategic and effective manner. Administrative safeguards require that cybersecurity is a top priority within the enterprise, receiving sufficient funding and staffing to carry out the objectives. Administrative safeguards establish the policies that require up-to-date software upgrades needed to eliminate known vulnerabilities; train all personnel on the best practices regarding authentication; keep access of sensitive information to the smallest group of employees needed to use that information; require procedures for the termination of personnel so that accounts are closed promptly; and take other steps so that the physical and technological safeguards are followed carefully and risks are mitigated to the greatest extent possible.
- Finally, because the enterprise has the obligation not to sell or disclose the personal information, the enterprise also has a duty to protect the information from accidental disclosures, theft, and third-party publication of the information. The duty to protect the collected personal information from disclosure requires sufficient security to keep the information from loss or theft. As a result, the law of privacy also extends into the law of cybersecurity.
- The Modern Meaning of Cybersecurity
- protection, and use of the personally identifying information, modern privacy law also entails substantial cybersecurity.
- Although this book is a short and happy guide to privacy and cybersecurity, it introduces a dizzying array of concepts, laws, regulations, policies, and practices. Nonetheless, there are important general themes that help government, business, and individuals address the rapid changes to privacy policy in the United States and across the globe.
- This last rule is a general matter of sound advice for all business practices. Data privacy and cybersecurity are very complex areas of law and business practice. Clever attorneys and slick business operators can take advantage of the public by saying one thing and doing another. If an approach feels altogether too clever, it probably is and should be avoided. Small business owners should ask themselves if they are proud of each policy the company implements and if a particular policy would be an embarrassment, then the company should adopt a different strategy.
Table of Contents 2 results
- The public generally thinks about cybersecurity through its technical safeguards. These are the steps necessary to fight fire with fire: hacking with firewalls. These steps are certainly among the most important, but technical safeguards only work with the appropriate physical and administrative safeguards also in place.
- Planning cybersecurity falls into three broad categories: technical, administrative, and physical safeguards. This approach is based on the “Security Rule” developed by the U.S. Department of Health & Human Services, but the general approach provides an excellent framework for data security at any institution. The goals of the Security Rule model are to assure that all businesses—
- —Every year, another group of children turns thirteen. For some teens, there is an allure to challenging security systems and thumbing their noses at the institutions of society. The goal is the ability to beat systems rather than to do damage or make money. These hackers generally do not intend significant harm, though the consequences of their data intrusions sometimes create substantial harm. A few of these hackers continue through into their twenties, but most either transfer their youthful indiscretions into backgrounds in professional cybersecurity or move on to other activities.
Bibliography 2 results
- The United States does not have a single privacy or cybersecurity policy that covers all businesses. Even the state laws that have the largest reach often distinguish between for-profit business organizations and nonprofit corporations and government agencies. Many of the strongest data privacy and data security laws in the United States are federal laws and regulations that focus on particular industry sectors or populations. There are laws focused on student records, driver’s licenses, and other narrow uses of information, but these regulations do not have significant scope.
- The area where there has been the greatest bipartisan political support for privacy and cybersecurity regulation has been in the field of child privacy. The Children’s Online Privacy Protection Act (COPPA) has been passed by Congress and updated through the collaboration of Congress and the FTC. This chapter summarizes and explores COPPA and its role in providing privacy protection to children and other consumers.
- In addition to actions against website operators offering content directed at children, the FTC has brought actions against more general website operators, including Google and YouTube, for advertising and media channels targeting children under 13, and against toy manufacturer VTech Electronics for collecting children’s data through its Internet-connected line of toys. VTech’s data collection practices were made public after a cybersecurity breach exposed the trove of personal information VTech had been collecting on its customers.
Chapter 5. Consumer Privacy 1 result
- The controller of the data collected for processing is required to institute sufficient technical and administrative procedures as required to keep the data secure from accidental disclosure or intentional piracy and theft. Like most data regulations, the law does not specify the particular steps necessary, since the technological measures for encryption and data security are rapidly evolving. The nature of these cybersecurity obligations is discussed in the next chapter.
- Publication Date: July 13th, 2020
- ISBN: 9781684679836
- Subject: Privacy Law
- Series: Short & Happy Guides
- Type: Overviews
- Description: This efficient book provides an essential introduction to the privacy fundamentals and security essentials that make up the modern economy. Privacy and free speech expert Professor Jon M. Garon has written an essential overview geared to students and entrepreneurs. The book provides a concise overview of privacy from its origins in constitutional and common law through the most important changes in U.S. laws and laws that impact the U.S. from abroad. The book explains privacy and security rules for finance, health care, and business, along with practical advice on running a secure business and keeping oneself safe when online.