Cybersecurity Threats and U.S. Regulation: There’s More at Risk Than You Think

Damages to companies from a cybersecurity attack can already be costly and wide-ranging, but a patchwork of cyber-related regulations in the United States can also put companies at risk of hefty civil penalties for non-compliance. The federal government has been particularly busy this year, placing a strong focus on combating potential cyber threats to the country’s infrastructure.  Additionally, many pre-existing laws have been updated to include cybersecurity and privacy provisions, and regulatory agencies are rushing to release guidance on how to comply.

Recent Attacks Changing the Landscape

A drastic uptick in attacks is mostly to blame. In July of this year, Howard University faced a ransomware attack causing it to cancel all classes, seek FBI and D.C. government assistance and begin the process of implementing online safety measures. This came on the heels of a cyberattack in April and subsequent ransom demand in May involving Colonial Pipeline Co., which led to a shutdown of the entire pipeline. The resulting  gas outages wreaked havoc throughout the southern and eastern U.S. With FBI assistance, Colonial ultimately paid the hackers, an affiliate of a Russia-linked cybercrime group known as DarkSide, a USD 4,400,000 ransom. Prior to the Colonial attack, the SolarWinds intrusion campaign compromised nine U.S. agencies and dozens of private organizations, Microsoft Exchange server vulnerabilities were hacked and a cyberattack was carried out in Florida seeking to compromise a water treatment plant.

New Federal Regulations

With cyberattacks growing in frequency and sophistication, the current U.S. administration responded by signing into law 12 May 2021 an Executive Order on Improving the Nation’s Cybersecurity. The Order, inter alia, places new cyber security demands on parties contracting with government agencies as well as the agencies themselves. It also establishes a Cyber Security Review Board (Board) consisting of Federal officials and representatives from private-sector entities who will review and assess significant cyber incidents. The Board has been likened to the current National Transportation Safety Board (NTSB).  

Under the supervision of the Department of Homeland Security (DHS), the federal government also maintains the Cybersecurity and Infrastructure Security Agency (CISA), which was established in November 2018 as part of the Cybersecurity and Infrastructure Security Agency Act of 2018. CISA’s role is to work with the public and private sectors to identify and help mitigate cyber threats through sharing of information, reporting and providing assistance.  In June, the CISA created a website that catalogues “Bad Practices” it deems exceptionally risky to Critical Infrastructure or National Critical Functions (NCF). Additionally, in early October, the Transportation Security Administration (TSA) announced that it will introduce regulations making it mandatory for certain rail transit and U.S. airport and aircraft operators to name a chief cyber official, disclose hacks to the government and create recovery plans to be utilized if an attack occurs.

Existing Federal Law Changes

The federal government has also updated many existing laws to include cybersecurity provisions or streamline privacy provisions. One such law is the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which now requires covered entities and their business associates to disclose any data breach to those affected by such breach, the U.S. Department of Health and Human Services (HHS) and, if the breach involves more than 500 individuals, a prominent media outlet serving the jurisdiction in which the breach occurred. Delays in reporting a breach can be quite costly with the maximum penalty for a violation being USD 1,500,000 or more if the delay is more than a year.

Another existing law is the Children’s Online Privacy Protection Act of 1998 (COPPA). COPPA sets out rules for internet services that are directed to children under 13 years old. In July, the Federal Trade Commission (FTC) announced updates to COPPA’s Frequently Asked Questions (FAQs) which now incorporate the holding of a 2019 YouTube settlement defining the “directed to children” standard and duties of “mixed audience” sites and services. The FAQs were also updated to include Internet of Things (IOT) devices, e.g. connected toys, smart speakers and voice assistants as subject to COPPA. COPPA penalties can also be hefty. In 2020, the FTC alleged the operators of a coloring book application, the app’s parent companies and the CEO and Managing Director were collecting personal information from children under the age of 13. In a settlement, the company agreed to a USD 4,000,000 penalty; however, the penalty will be suspended upon payment of USD 150,000 due to an inability to pay.

On the financial side, other existing federal laws include the Gramm-Leach-Bliley Act of 1999 (GLBA), which regulates how financial institutions use customer information, and the Sarbanes Oxley Act of 2002, which requires companies to implement internal security controls. The Securities and Exchange Commission (SEC) has released guidance regarding cybersecurity and disclosure measures and, in 2017, established a “Cyber Unit” that identifies and enforces cyber standards.

New State Regulations

Some individual states have similarly passed cybersecurity regulations. New York was ahead of the game when it implemented the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation (23 NYCRR 500) on 17 March 2017 (with full implementation 1 March 2019 due to transition period for select requirements), which sets requirements for financial institutions and financial services companies. It has 23 sections in total and requires covered entities to develop a cybersecurity policy and incident response plan, notify the department of any data breaches within 72 hours, prepare annual reports regarding cybersecurity risks and preventative measures and manage authorized users and third-party vendor risks. On 30 June 2021, NYDFS issued Ransomware Guidance for companies to utilize to reduce the risk of a ransomware attack and, earlier in the year, issued a Cyber Insurance Risk Framework (Framework) to assist insurance carriers in managing their cyber insurance risk. California created new requirements under its California Consumer Privacy Act (CCPA) and California Privacy Rights and Enforcement Act (CPRA) (to go into effect in January 2023). This summer, Connecticut enacted a law which provides a safe harbor for covered entities that create and comply with a written cybersecurity program. The law lists acceptable frameworks for such a program, and companies can avoid punitive damages for alleged failures to implement cybersecurity controls by utilizing one of the frameworks. Further, Connecticut shortened its breach notification deadline and broadened its definition of “personal information” that can trigger a data breach reporting requirement. Texas and Nevada also updated existing laws to reflect new data breach reporting requirements. 

Failure to comply with certain of these state laws, such as 23 NYCRR 500, can result in costly civil penalties. For example, in March, NYDFS imposed a USD 1,500,000 civil penalty on a licensed mortgage bank for not reporting a cybersecurity event. In April, NYDFS fined National Securities Corporation, a licensed insurance company, USD 3,000,000 after the company failed to report cyber breaches that occurred between 2018 and 2020.

Conclusion

The focus on cybersecurity is not expected to slow down. A quick internet search of cybersecurity rules and regulations results in dozens of legislative update articles regarding new cybersecurity bills that will be law soon. It is therefore imperative that businesses remain alert to both existing rule changes as well as new laws regarding cybersecurity and privacy in their particular sector.

Further information about Cyber Risks.