Laws and Regulations | Cybersecurity Policy

Slide 1 of 14  |  CSP-W3-01  |  Week 3
Laws and Regulations
CFAA, HIPAA, GDPR, Global Landscape
CFAA • HIPAA • GDPR • US Sectoral Laws • State Laws • Federal Legislation • International Frameworks • Cybercrime Treaties • Enforcement • Emerging Issues
Technology moves at the speed of innovation. Law moves at the speed of politics. The gap between those two speeds is where breaches happen, fines are levied, and careers are made or destroyed. This deck maps the legal landscape that every cybersecurity professional must navigate -- from the 1986 CFAA to the 2024 EU AI Act. You cannot write policy, advise executives, or architect defenses without understanding the laws that define what is required, what is prohibited, and what happens when things go wrong.
14 Slides CSP-W3-01 Week 3 CIS2208 -- Cybersecurity Policy
Slide 2 of 14
Why Cybersecurity Law Matters
Liability, compliance, enforcement, and the cost of getting it wrong.
Timeline, from early federal statutes through sector-specific laws to comprehensive and global regulation (complexity increasing throughout): CFAA 1986, HIPAA 1996, GLBA 1999, FISMA 2002, breach notification laws 2003+, GDPR 2016/18, CCPA 2018, CIRCIA 2022.
Liability
Organizations have a legal duty of care to protect data. Failure to implement reasonable security measures creates liability -- negligence claims, class action lawsuits, regulatory fines. The Equifax breach cost $700M+ in settlements. T-Mobile paid $350M. These are not abstractions; they are balance-sheet events that destroy companies.
Compliance
Compliance is the minimum legal bar, not the security goal. HIPAA, PCI DSS, SOX, GDPR -- each mandates specific controls, documentation, and audits. Non-compliance is not just a fine; it is evidence of negligence in a courtroom. Compliance programs cost millions per year, but the cost of non-compliance is orders of magnitude higher.
Enforcement
Regulators have teeth. The FTC has brought 80+ data security enforcement actions. GDPR fines have exceeded $4B total since 2018. The SEC now requires material cyber incident disclosure within 4 business days. State attorneys general can (and do) bring independent enforcement actions, creating a multi-front regulatory battlefield.
Criminal Penalties
Beyond civil liability, cybersecurity law carries criminal penalties. CFAA violations can result in prison time. HIPAA willful neglect carries fines up to $1.5M per violation category per year. Insider threats, unauthorized access, and data theft are federal crimes. Executives can face personal criminal liability for coverups (Uber CISO case, 2022).
The Compliance-Security Gap
Being compliant does not mean being secure. Target was PCI DSS compliant when it was breached in 2013. Equifax had a CISO and a security program. Compliance creates a floor, not a ceiling. Effective cybersecurity policy must go beyond checkbox compliance to address actual risk -- but the law defines the minimum, and falling below it creates immediate legal exposure.
Slide 3 of 14
Computer Fraud and Abuse Act (CFAA, 1986)
The foundational US federal computer crime statute -- powerful, broad, and deeply controversial.
18 U.S.C. 1030(a)(1)
Unauthorized access to national security information. Espionage-level offense. Penalties up to 10 years (first offense), 20 years (subsequent).
18 U.S.C. 1030(a)(2)
Accessing a computer to obtain information from financial institutions, government, or any protected computer. The most commonly charged provision. Covers everything from database intrusions to scraping.
18 U.S.C. 1030(a)(5)
Knowingly causing damage to a protected computer. Covers malware distribution, DDoS attacks, ransomware deployment, and data destruction. Up to 10 years imprisonment.
18 U.S.C. 1030(a)(7)
Threatening to damage a computer or release stolen data for extortion. Directly targets ransomware operators and data extortion schemes. Penalties up to 5 years.
"Exceeds Authorized Access"
The most debated phrase in cybersecurity law. Does a Terms of Service violation equal a federal crime? Van Buren v. United States (2021) narrowed the interpretation: accessing data for an improper purpose is not criminal if you had authorized access to the system.
"Protected Computer"
Defined so broadly (any computer used in interstate or foreign commerce) that it covers essentially every internet-connected device. A smartphone, IoT thermostat, or cloud VM all qualify. This gives the CFAA near-universal jurisdiction.
The Aaron Swartz Controversy
In 2011, MIT researcher Aaron Swartz was charged under the CFAA with 13 felony counts for bulk-downloading academic articles from JSTOR via MIT's network. Prosecutors sought 35 years in prison and $1M in fines -- for downloading articles from a service his institution already paid for. Swartz died by suicide in 2013. The case became a lightning rod for CFAA reform, exposing how the statute's broad language enables prosecutorial overreach. "Aaron's Law" reform bills have been introduced repeatedly but never passed.
Security Research Implications
The CFAA's breadth creates a chilling effect on legitimate security research. Bug bounty programs exist partly to create explicit authorization that avoids CFAA exposure. The DOJ issued a 2022 policy memo stating it would not prosecute good-faith security researchers -- but a policy memo is not law, and the next administration can reverse it. Researchers still face legal risk for vulnerability disclosure, port scanning, and web scraping.
Slide 4 of 14
HIPAA -- Health Insurance Portability and Accountability Act
The US standard for protecting health information -- three rules, 20+ years of enforcement, billions in fines.
Covered entities: health plans (insurers, HMOs, Medicare), clearinghouses (claims processors), and providers (hospitals, clinics, pharmacies) all handle PHI (Protected Health Information). Business associates (IT vendors, cloud, billing) handle PHI on their behalf and require a Business Associate Agreement (BAA).
Three rules: Privacy Rule (use/disclosure limits, patient rights to access and amend, minimum necessary standard); Security Rule (administrative, physical, and technical safeguards); Breach Notification Rule (60 days to notify individuals; notify HHS, immediately if 500+ affected; media notice if 500+ affected in a state).
18 PHI Identifiers
Names, dates, SSN, phone, email, medical record numbers, device identifiers, biometrics, photos, IP addresses, URLs, and any other unique identifying number. If you can link it to a patient, it is PHI. De-identification requires removing all 18 identifiers or expert statistical certification.
Security Rule Safeguards
Administrative: risk analysis, workforce training, contingency plan. Physical: facility access controls, workstation security, device disposal. Technical: access controls, audit logs, integrity controls, transmission security. Most requirements are "addressable" (implement or document why an alternative is equivalent).
Penalty Tiers
Tier 1 (did not know): $100-$50K per violation. Tier 2 (reasonable cause): $1K-$50K. Tier 3 (willful neglect, corrected): $10K-$50K. Tier 4 (willful neglect, not corrected): $50K per violation, up to $1.5M per category per year. Criminal penalties up to 10 years imprisonment for wrongful disclosure with intent to sell.
Slide 5 of 14
GDPR -- General Data Protection Regulation
The EU regulation that reset global privacy expectations. 4% of worldwide annual revenue fines. Extraterritorial reach.
Data subject rights: right to be informed, right of access, rectification, right to erasure, restriction of processing, data portability, right to object, and rights regarding automated decision-making.
Seven principles:
01 Lawfulness -- fair, transparent processing with a legal basis
02 Purpose Limitation -- collect for specified, legitimate purposes only
03 Data Minimization -- adequate, relevant, and limited to what is necessary
04 Accuracy -- keep data accurate and up to date
05 Storage Limit -- keep only as long as necessary
06 Integrity -- ensure security of processing
07 Accountability -- demonstrate compliance
DPO Requirement
Data Protection Officers are mandatory for public authorities, organizations whose core activities involve large-scale systematic monitoring, or large-scale processing of special category data. The DPO must report to the highest management level and cannot be dismissed for performing their duties.
72-Hour Breach Notification
Controllers must notify the supervisory authority within 72 hours of becoming aware of a personal data breach (unless unlikely to result in risk). Data subjects must be notified "without undue delay" if high risk. The clock starts at awareness -- not discovery of the full scope.
Fines: Up to 4% Global Revenue
Two tiers: up to 10M EUR or 2% for administrative failures; up to 20M EUR or 4% of worldwide annual turnover for violations of data processing principles, conditions for consent, or data subject rights. Amazon fined 746M EUR (2021). Meta fined 1.2B EUR (2023). These are existential numbers.
Slide 6 of 14
US Sectoral Approach
No comprehensive federal privacy law. Instead, a patchwork of sector-specific statutes that each protect a different slice of data.
No comprehensive federal privacy law (as of 2026). Sector by sector:
Finance: GLBA + SOX (FTC, OCC, SEC)
Healthcare: HIPAA + HITECH (HHS OCR)
Education: FERPA (Dept. of Education)
Children: COPPA, under 13 (FTC enforcement)
Communications: ECPA + SCA (DOJ, courts)
Government: FISMA + Privacy Act (OMB, CISA, NIST)
GLBA (Gramm-Leach-Bliley Act, 1999)
Requires financial institutions to explain information-sharing practices and safeguard sensitive data. The Safeguards Rule mandates written information security programs, risk assessments, encryption of customer data in transit and at rest, and MFA for anyone accessing customer information. FTC enforces for non-bank institutions.
FERPA (1974)
Protects student education records at institutions receiving federal funding. Parents (or students over 18) have the right to inspect, request amendment, and control disclosure. Schools cannot release records without consent, with limited exceptions (directory information, judicial orders, health/safety emergencies).
COPPA (1998)
Regulates collection of personal information from children under 13 by websites and online services. Requires verifiable parental consent before collection. FTC has levied major fines: TikTok ($5.7M, 2019), Epic Games ($275M, 2022). Now under pressure to extend protections to teens (KOSA, state laws).
ECPA (1986) + SCA
Governs government access to electronic communications. Three parts: Wiretap Act (real-time interception), Stored Communications Act (stored data), Pen Register Act (metadata). Written before cloud computing -- law enforcement access to cloud-stored email is governed by a statute that predates the web. Carpenter v. United States (2018) added 4th Amendment protections for cell-site location data.
Slide 7 of 14
State-Level Privacy and Breach Laws
50 states, 50+ breach notification laws, and an accelerating wave of comprehensive privacy statutes.
CCPA/CPRA (California, 2018/2020)
The de facto national standard. Applies to businesses collecting data of California residents with $25M+ revenue, 100K+ consumer records, or 50%+ revenue from selling personal information. Rights: know, delete, opt-out of sale, non-discrimination, correct, limit sensitive data use. CPRA created the California Privacy Protection Agency (CPPA) -- the first dedicated state privacy enforcement body. Private right of action for data breaches. $7,500 per intentional violation.
The State Privacy Wave
Following California's lead, 15+ states have enacted comprehensive privacy laws as of 2025: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Maryland, and Minnesota. Each has different thresholds, definitions, and enforcement mechanisms. No two are identical, creating a compliance nightmare for national organizations.
Breach notification deadlines compared: GDPR 72 hours; Colorado and Florida 30 days; Ohio, Washington, and Virginia 45 days; HIPAA 60 days; many other states 60 days.
Compliance Challenge
A single data breach affecting customers in multiple states triggers parallel notification obligations with different deadlines, content requirements, and recipient lists. Some states require notification to the state AG within 30 days; others have no AG notification. Some define "personal information" to include login credentials; others do not. Organizations must build breach response playbooks that satisfy the most restrictive requirements across all applicable jurisdictions simultaneously.
The Federal Preemption Debate
A federal comprehensive privacy law could preempt (override) the state patchwork, creating uniform national standards. The American Data Privacy and Protection Act (ADPPA) advanced further than any previous attempt in 2022 but stalled over preemption scope and private right of action. California opposes preemption that would weaken CCPA/CPRA. Industry wants preemption to simplify compliance. This tension remains unresolved.
Slide 8 of 14
Federal Cybersecurity Legislation
FISMA, CISA, and CIRCIA -- the federal framework for securing government systems and critical infrastructure.
FISMA (2002, updated 2014)
Federal Information Security Modernization Act. Mandates cybersecurity programs for all federal agencies. Requires annual security assessments, continuous monitoring, and incident reporting. NIST develops the standards (SP 800 series); OMB oversees compliance; CISA provides operational assistance. Every federal system must be categorized (FIPS 199), receive baseline controls (SP 800-53), and undergo assessment and authorization (A&A).
CISA Act (2018)
Established the Cybersecurity and Infrastructure Security Agency within DHS. CISA is the operational lead for federal civilian cybersecurity and critical infrastructure protection. Runs the National Cybersecurity Protection System (NCPS/Einstein), coordinates vulnerability disclosure, issues binding operational directives (BODs) to federal agencies, and operates the Joint Cyber Defense Collaborative (JCDC) with private sector partners.
CIRCIA (2022)
Cyber Incident Reporting for Critical Infrastructure Act. Requires critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. Covers 16 critical infrastructure sectors. CISA is finalizing implementation rules (expected 2025-2026). Creates the first mandatory federal incident reporting framework for the private sector.
Executive Orders
EO 14028 (May 2021) -- "Improving the Nation's Cybersecurity." Mandated zero trust architecture for federal agencies, software supply chain security (SBOMs), endpoint detection and response, MFA everywhere, and encryption of data at rest and in transit. Set aggressive timelines that reshaped federal IT procurement overnight.
NIST Cybersecurity Framework
Not legislation, but the de facto standard referenced by most US cybersecurity regulations. CSF 2.0 (2024) added the Govern function to the original five, making six core functions: Govern, Identify, Protect, Detect, Respond, Recover. Voluntary for the private sector but increasingly mandated by contract, regulation, and cyber insurance requirements.
SEC Cyber Disclosure Rules (2023)
Public companies must disclose material cybersecurity incidents on Form 8-K within 4 business days of determining materiality. Annual 10-K filings must describe cybersecurity risk management, strategy, governance, and board oversight. Makes cybersecurity a boardroom issue with securities law consequences for inadequate disclosure.
The Regulatory Stack
A single healthcare company might simultaneously be subject to HIPAA (HHS), FTC Act Section 5 (FTC), state breach notification laws (50 state AGs), SEC disclosure rules (if publicly traded), FISMA (if a federal contractor), PCI DSS (if processing payments), and CIRCIA (if critical infrastructure). Compliance is not a single standard -- it is a stack of overlapping, sometimes conflicting requirements that demand specialized legal and technical expertise.
Slide 9 of 14
International Regulatory Landscape
Every major economy now has cybersecurity and data protection legislation. Compliance is a global problem.
Global data protection landscape (jurisdiction: key laws; approach; maximum penalty)
European Union: GDPR (2018), NIS2 Directive (2024); rights-based, comprehensive; 4% of global revenue
China: CSL (2017) + DSL (2021), PIPL (2021); state-centric, data localization; 5% of revenue plus shutdown
Brazil: LGPD (2020); GDPR-modeled, ANPD enforces; 2% of revenue (50M BRL cap)
India: DPDP Act (2023); consent-based, broad government exemptions; 250 Cr INR (~$30M)
Japan: APPI (amended 2022); co-regulation, adequacy with EU; 100M JPY (~$670K)
EU NIS2 Directive (2024)
Network and Information Security Directive 2 replaces NIS1 with expanded scope covering 18 sectors, mandatory incident reporting within 24 hours (early warning) and 72 hours (full notification), supply chain security requirements, and personal liability for senior management. Member states must transpose into national law. Covers "essential" and "important" entities with different oversight regimes.
China's Three-Pillar System
Cybersecurity Law (2017): network security, critical infrastructure, data localization for CII operators. Data Security Law (2021): data classification, cross-border transfer restrictions, national security reviews. PIPL (2021): personal information protection modeled partly on GDPR but with significant state access carve-outs. Together, these give the Chinese government comprehensive authority over all data within its borders and extraterritorial claims over data involving Chinese citizens.
Cross-Border Data Transfer
Moving data across borders is now a legal minefield. GDPR requires "adequacy decisions" or Standard Contractual Clauses (SCCs) for transfers outside the EEA. The EU-US Data Privacy Framework replaced Privacy Shield (invalidated in Schrems II). China requires security assessments for cross-border transfers of important data. India's DPDP allows transfers to approved countries. A global company must navigate an ever-shifting matrix of bilateral agreements, adequacy findings, and transfer mechanisms.
Slide 10 of 14
Cybercrime Treaties and International Cooperation
Cybercrime is borderless. International law enforcement cooperation is not. Treaties attempt to bridge this gap.
Budapest Convention (2001)
Council of Europe Convention on Cybercrime -- the first and most widely adopted international treaty on cybercrime. 68+ parties (including the US) as of 2025. Harmonizes criminal law definitions across signatories: illegal access, interception, data interference, system interference, misuse of devices, computer-related fraud and forgery. Establishes a 24/7 network of contact points for rapid cross-border law enforcement cooperation. The Second Additional Protocol (2022) adds provisions for direct cooperation with service providers in other countries, emergency disclosure, and joint investigation teams.
UN Cybercrime Treaty (2024)
After years of negotiation, the UN adopted its first cybercrime convention in 2024. Broader scope than Budapest, covering content-related offenses and expanded surveillance powers. Controversial: human rights organizations warn it could be used to criminalize legitimate security research, protect authoritarian surveillance, and suppress dissent. Russia and China pushed for broader state powers; Western nations sought narrower scope with human rights safeguards. The final text is a compromise that civil society groups have called "a threat to global privacy and security."
MLATs
Mutual Legal Assistance Treaties are bilateral agreements for evidence sharing between countries. The process is notoriously slow, averaging 10 months per request. The CLOUD Act (2018) allows US law enforcement to compel US-based tech companies to produce data regardless of where it is stored, and creates executive agreements for reciprocal access with foreign governments.
Interpol / Europol
Interpol's Cyber Fusion Centre coordinates international cybercrime operations. Europol's European Cybercrime Centre (EC3) has led major takedowns: Emotet botnet, EncroChat encrypted phones, Hive ransomware. Joint operations increasingly involve simultaneous arrests and infrastructure seizures across 20+ countries.
Attribution Problem
International law requires attribution to hold states accountable, but technical attribution is probabilistic, not certain. Nation-state actors use false flags, compromise infrastructure in third countries, and operate through criminal proxies. The Tallinn Manual attempts to apply existing international law to cyber operations, but there is no consensus on when a cyberattack constitutes an "armed attack" triggering the right to self-defense under the UN Charter.
The Jurisdiction Gap
A ransomware gang operating from Russia attacks a hospital in Florida, using infrastructure rented in the Netherlands, with ransom payments flowing through cryptocurrency mixers registered in the Seychelles. Which country has jurisdiction? All of them -- and effectively none of them. International cybercrime cooperation depends on political will, and many cybercriminal safe havens have no incentive to cooperate. This jurisdictional gap is the single biggest structural obstacle in cybercrime enforcement.
Slide 11 of 14
Enforcement Agencies and Mechanisms
Who enforces cybersecurity law, how they do it, and why it matters for every organization.
US enforcement landscape (multi-front enforcement is the default):
Federal enforcement -- FTC: Section 5 (unfair practices), 80+ data security actions. SEC: public companies, disclosure rules (8-K/10-K). HHS OCR: HIPAA enforcement, $138M+ in settlements. DOJ: criminal prosecution under CFAA, wire fraud, ECPA.
Operational and state enforcement -- CISA: critical infrastructure protection, BODs, advisories, CIRCIA intake. State AGs (50+): state privacy and breach laws, multi-state coordinated actions.
FTC: The De Facto Regulator
The FTC uses Section 5 of the FTC Act ("unfair or deceptive practices") as a general-purpose data security authority. No specific cybersecurity statute is needed: if your security practices are unreasonable and your public statements claim otherwise, the FTC can act. Consent orders require 20-year compliance programs. Landmark cases: Wyndham Hotels, LabMD, CafePress, Chegg. The FTC's 2023 Health Breach Notification Rule update extended its reach to health apps and wearables not covered by HIPAA.
State AG Multi-Front Attacks
State attorneys general can enforce state breach notification laws, consumer protection statutes, and in some states (like California), specific privacy laws. Multi-state coordinated actions combine the resources of 30+ state AG offices into a single investigation. Examples: Equifax ($575M, 50-state settlement), Anthem ($115M, 43-state settlement), Google ($391M location tracking, 40 states). State AGs move faster than federal agencies and face fewer political constraints.
Personal Liability Trend
Enforcement is shifting from just fining companies to holding individuals accountable. The SEC charged SolarWinds CISO Timothy Brown with fraud for misleading investors about security practices. Former Uber CISO Joseph Sullivan was convicted of obstruction and misprision of felony for concealing a data breach. EU NIS2 enables personal liability for senior management. The message is clear: cybersecurity is now a personal liability issue for executives and security leaders.
Slide 12 of 14
Emerging Legal Issues
AI regulation, encryption backdoors, Section 230, and cyber insurance -- the legal frontier.
AI Regulation
The EU AI Act (2024) is the world's first comprehensive AI law, creating a risk-based framework: unacceptable risk (banned), high risk (strict requirements), limited risk (transparency), minimal risk (unregulated). US approach is executive order + sectoral guidance (no federal AI law). Key cybersecurity intersections: AI-powered attacks, deepfake fraud, automated vulnerability exploitation, and AI systems as targets. Who is liable when an AI system makes a decision that harms someone? Existing law has no good answer.
Encryption Backdoors
Law enforcement wants mandated access to encrypted communications (Australia's Assistance and Access Act, 2018; UK Online Safety Act, 2023; proposed US EARN IT Act). The security community's consensus: there is no such thing as a backdoor only law enforcement can use. Any mandated access mechanism is a vulnerability that adversaries will discover and exploit. The Apple-FBI dispute (2016) and ongoing Signal/WhatsApp debates frame this as an irreconcilable conflict between security and surveillance.
Section 230 Reform
Section 230 of the Communications Decency Act (1996) shields platforms from liability for user-generated content. Reform proposals come from both political parties (for different reasons). Cybersecurity implications: platforms currently have legal cover to leave up malicious content, but also have freedom to remove it. Weakening Section 230 could create chilling effects on threat intelligence sharing, vulnerability disclosure platforms, and security research communities.
Cyber Insurance
Cyber insurance is becoming a de facto regulatory mechanism. Insurers now require specific security controls (MFA, EDR, offline backups, patching cadence) as conditions of coverage. Premiums have increased 50-100% since 2020. War exclusion clauses (triggered by nation-state attribution) create coverage gaps -- Merck's $1.4B NotPetya claim was initially denied under a war exclusion (later overturned). Lloyd's of London mandated state-backed attack exclusions starting 2023.
Penalty comparison: CFAA -- up to 20 years criminal; HIPAA -- $1.5M per category per year plus criminal penalties; GDPR -- 4% of global revenue; CCPA -- $7,500 per intentional violation; SEC -- securities fraud penalties plus personal liability; NIS2 -- 10M EUR or 2% of revenue plus management liability.
Slide 13 of 14
Key Takeaways
01 The CFAA is the backbone of US computer crime law -- but its broad language creates ongoing controversy around security research, prosecutorial discretion, and the boundary between authorized and unauthorized access. Van Buren narrowed it; reform efforts continue.
02 HIPAA protects health information through three rules -- Privacy (use/disclosure), Security (safeguards), and Breach Notification (60-day reporting). BAAs extend obligations to business associates. Penalty tiers scale with culpability from $100 to $1.5M per category per year.
03 GDPR reset global expectations -- 7 principles, 8 data subject rights, 72-hour breach notification, mandatory DPOs, and fines up to 4% of worldwide annual revenue. Its extraterritorial reach means any organization serving EU residents must comply.
04 The US has no comprehensive federal privacy law -- instead, a sectoral patchwork (GLBA, FERPA, COPPA, ECPA) that leaves gaps. States are filling those gaps, led by California's CCPA/CPRA, creating a fragmented compliance landscape.
05 Federal cybersecurity legislation (FISMA, CISA Act, CIRCIA) establishes requirements for government agencies and critical infrastructure. CIRCIA creates the first mandatory private-sector incident reporting framework. SEC rules make cyber disclosure a securities law issue.
06 The global landscape is converging on GDPR-like models -- but with significant regional variation. China prioritizes state access. Brazil and India are building enforcement capacity. Cross-border data transfer remains legally complex and politically charged.
07 Enforcement is multi-front and increasingly personal -- FTC, SEC, HHS OCR, DOJ, state AGs, and international regulators all have overlapping authority. The trend toward holding individual executives personally liable (Sullivan, SolarWinds CISO) changes the calculation for every security leader.
08 Emerging issues will define the next decade -- AI regulation, encryption policy, Section 230 reform, and cyber insurance as a de facto regulatory mechanism are all active legal battlegrounds with direct cybersecurity implications.
The Bottom Line
Cybersecurity law is not static. It is evolving faster than at any point in history, driven by escalating threats, high-profile breaches, and growing public awareness. Every cybersecurity professional must understand the legal landscape -- not to practice law, but to ensure that technical decisions are defensible, compliant, and aligned with organizational risk tolerance. The cost of ignorance is measured in fines, lawsuits, criminal charges, and careers.
Slide 14 of 14  |  Complete
Laws and Regulations -- 14 slides
CIS2208 Cybersecurity Policy Week 3