3 Cyber Laws


Najla Ondik

Aug 4, 2024, 7:19:58 PM8/4/24
to kensmephomon
ICLG Cybersecurity Laws and Regulations - USA Chapter covers common issues in cybersecurity laws and regulations, including cybercrime, applicable laws, preventing attacks, specific sectors, corporate governance, litigation, insurance, and investigatory and police powers.

18 U.S.C. 2512 criminalises the manufacture, distribution, possession, and advertising of wiretapping devices, which would include many such tools. Conspiracy to commit an offence is often separately subject to criminal sanction. Whether distribution of hacking tools would constitute a crime would depend on whether the actor intended for them to be used for illegal purposes. If there were evidence of criminal intent, a person may be liable for aiding and abetting the violation of the CFAA, 18 U.S.C. 1030(a)(5)(A), or related computer crime laws. With respect to federal statutes, aiding and abetting is subject to the same sentence as commission of the offence.


As with distribution, mere possession of hacking tools would be difficult to prosecute in the absence of intent to use them for illegal purposes or related conspiracy. If there were evidence of criminal intent or conspiracy and some overt act taken towards that end, a person may be liable for an attempt to violate the CFAA, 18 U.S.C. 1030(a)(5)(A), or related computer crimes laws. With respect to federal statutes, attempt is subject to the same sentence as commission of the offence.


Yes. Unsolicited penetration testing could constitute a violation of the CFAA and state laws if the tester obtains data as a result or causes damage. To the extent information was obtained from the systems tested, such testing could violate 18 U.S.C. 1030(a)(1) (national security information, imprisonment up to 10 years), (2) (obtaining information, imprisonment up to one year, or five if aggravating factors apply), or (3) (government computers, imprisonment up to one year). If the penetration tester causes damage, e.g. by impairing the integrity or availability of a system or data, the action could constitute a violation of 18 U.S.C. 1030(a)(5).


Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data


The U.S. Department of Justice has released a policy statement to the effect that it will no longer prosecute ethical hackers. The nature of the crime, whether it was intentional or unintentional, whether it was committed for economic benefit or malice or ethical hacking, and the number of past offences may impact the severity of any penalty. The existence of a robust corporate compliance programme, as well as cooperation with law enforcement, may help to mitigate any penalty or influence prosecutorial discretion.


All 50 U.S. states plus Washington, D.C. and three federal territories have in place data breach notification laws, and the SEC has recently adopted a final rule requiring that, from December 18, 2023, public companies report material cybersecurity incidents in a Form 8-K within four business days from the date on which the incident was determined to be material. Smaller reporting entities have until June 2024 to comply.


Yes, all 50 U.S. states, Washington, D.C. and three federal territories have requirements for the reporting of Incidents, and most of these statutes require reporting to state regulators. The nature and scope of the information that is required to be reported varies by state or territory. For example, California requires the following information in notices sent to individuals: (1) the name and contact of the reporting person; (2) a list of the types of personal information breached; (3) the date of the breach (or estimated range); (4) whether notification was delayed by a law enforcement investigation; (5) a general description of the breach incident (if possible); and (6) toll-free numbers and addresses of the major credit card reporting agencies.


Timeframes for reporting vary by state or agency, with most requiring notification around the same time that individuals are notified (or sometimes in advance). Vermont requires any notification to its Attorney General to be sent within 15 days. Covered financial institutions are required to report breaches to the New York Department of Financial Services within 72 hours. At the request of law enforcement agencies, however, some notifications may be delayed.


The regulator varies by sector, law and state. The FTC is the principal U.S. federal privacy regulator covering most for-profit businesses not overseen by other regulators. The SEC regulates many financial institutions, and the OCR is primarily responsible for enforcing HIPAA. CISA plays an increasingly significant role in protecting U.S. critical infrastructure, and its role in notification has been and will continue to be expanded through the regulatory process implementing CIRCIA. State Attorneys General have broad authority regarding enforcement of cybersecurity matters. California has a first-in-the-nation regulator, the California Privacy Protection Agency, dedicated to privacy regulation and enforcement. In addition, federal and state regulators in particular sectors, such as insurance, have further enforcement powers.


The United States has no single framework for non-compliance with notice requirements, and penalties will depend heavily on the relevant law and regulator, many of which pursue violations as unfair or deceptive trade practices. In addition to regulatory penalties, private plaintiffs may file actions alleging non-compliance with relevant laws. For example, the CCPA provides for statutory damages of between $100 and $750 per consumer and per Incident in the event of a data breach caused by the failure to have in place reasonable security measures.


Yes, the CISA Law provides a clear exception to the ECPA and creates broad authorities to monitor network traffic, and employers can generally monitor employee communications where they first provide transparent notice of the monitoring and obtain consent from their employees.


Public companies are required to publicly report material cybersecurity risks, including material past Incidents. Even if a past Incident is not material, companies should consider them in evaluating their disclosures regarding cybersecurity. The SEC has increased its enforcement activity regarding public company disclosures in recent years. For example, the SEC alleged that Pearson plc, a London-based education company, made misleading disclosures regarding cybersecurity risks as hypothetical when it had recently been made aware of a breach. The SEC has issued rules and guidance regarding the factors public companies should report with respect to cybersecurity. Private companies do not have the same public disclosure obligations but may need to inform potential investors or purchasers regarding past Incidents or cybersecurity risks.


Organisations that publicly announce Incidents involving a large amount of Personal Information will often confront class action litigation filed by plaintiffs whose information was impacted by the Incident. Typically, these actions involve several theories, including breaches of express or implied contracts, negligence, other common law tort theories, violations of federal or state unfair or deceptive acts or practices statutes, or violations of other state and federal statutes, such as the CCPA.


In addition to establishing the elements of their claims, plaintiffs filing in federal court are required to show that they suffered injury-in-fact sufficient to establish standing. Even where an injury alleged is sufficient for standing, it may not be sufficient to state a claim for damages. Some damages theories that plaintiffs attempt to assert, with varying success, include risk of future identity theft, credit-monitoring costs, other costs related to mitigating risks related to an Incident and overpayment for the products and services associated with the Incident.


Plaintiffs may also allege securities fraud. To do so, plaintiffs must allege that the company made materially false or misleading statements, typically regarding the state of its cybersecurity posture, and that the company knew about the falsity of such statements.


As noted, the public announcement of an Incident will frequently result in class actions and other lawsuits being filed against the impacted organisation. Hundreds of actions have been filed over the years; some recent prominent examples include the following:


The CCPA creates a data breach right of action for California residents with statutory penalties of $100 to $750 per consumer and per Incident if plaintiffs prove that the impacted business failed to implement and maintain reasonable and appropriate security practices.


In some states, defendants may assert the economic loss doctrine, which generally provides that contracting parties seeking damages for purely economic losses must seek damages in contract rather than in tort.


Law enforcement retains numerous powers to investigate Incidents. In addition to standard warrant and subpoena powers, law enforcement may seek records stored by electronic communication services or remote computing services through the Stored Communications Act, intercept communications in transit through the Wiretap Act or obtain dialling or routing information through the Pen Register statute. The CLOUD Act authorises law enforcement to access certain information held by a United States-based service provider, even if the data is located in another country.


Federal regulatory authorities such as the FTC, SEC and OCR have powers to investigate Incidents within their respective jurisdictions. State regulators may also investigate Incidents to determine whether any state laws were violated.


This chapter has been written by a member of ICLG's international panel of experts, who has been exclusively appointed for this task as a leading professional in their field by Global Legal Group, ICLG's publisher. ICLG's in-house editorial team carefully reviews and edits each chapter, updated annually, and audits each one for originality, relevance and style, including anti-plagiarism and AI-detection tools. This chapter was copy-edited by Jenna Feasey, our in-house editor.
