The 8 Principles of Cyber Security Laws

By Seth Jaffe.

The United States has yet to promulgate a comprehensive federal cyber security law aimed at improving the cyber hygiene of companies serving its citizens. But a collation of industry-specific laws (both federal and state), proposed bills, guidance documents, and cyber strategies yields a fair indication of where our nation is headed. This article attempts to distill the aforementioned into a list of eight principles that will likely find their way into forthcoming federal or state cyber security law.

Principle 1: Conduct a Risk Assessment

As far back as at least the Gramm-Leach-Bliley Act in 1999, authorities recognized the difficulty of designing a comprehensive cyber program without first identifying assets, understanding vulnerabilities, and forecasting attack vectors. For this reason, cyber laws will undoubtedly require a company to conduct a comprehensive risk assessment at periodic intervals.

For example, the Gramm-Leach-Bliley Safeguards Rule requires a covered entity to “identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.”

Additional legislation and regulations that include this principle can be found here.

Principle 2: Implement an Information Security Program

Upon completion of the risk assessment, companies will have to fashion an information security program designed to mitigate those risks. This includes authorship and maintenance of a Written Information Security Plan (“WISP”).

As an example, the Colorado Securities Act 3 CCR 704-1 states “A broker-dealer must establish and maintain written procedures reasonably designed to ensure cybersecurity.”

Additional legislation and regulations that include this principle can be found here.

Principle 3: Involve the Board of Directors in Cyber Security Management

Without buy-in from senior management, companies may find themselves culturally constrained when it comes to cyber security. Board of Directors involvement can usually be satisfied by implementing a process that percolates relevant cyber security information up to the Board and pushes the Board’s decisions back down to the company. The Board should have the ability to digest the information, which can be difficult if no members are conversant in cyber security technology; many Boards form a cyber security committee for this purpose.

The proposed Federal Cyber Regulation for Financial Institutions law provides a good example: “The board of directors, or an appropriate board committee, of a covered entity must be responsible for approving the entity’s cyber risk management strategy and holding senior management accountable for establishing and implementing appropriate policies consistent with the strategy.”

Additional legislation and regulations that include this principle can be found here.

Principle 4: Designate an Individual in Charge of Cyber Security

A company must designate an individual, often referred to as a Chief Information Security Officer (“CISO”), with the authority to oversee the security program and the accountability should incidents occur. This CISO need not be an employee of the company, but can be contracted from a third-party provider, such as LEO Cyber Security.

The New York Department of Financial Services Part 500.04 is instructive: “Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”).”

Additional legislation and regulations that include this principle can be found here.

Principle 5: Maintain an Incident Response Program

Organizations in the midst of an incident are notoriously terrible at improvising. Without a comprehensive enterprise cyber crisis management plan, mistakes will be made. Cyber laws will dictate that a company maintain an incident response plan, periodically update the plan, and test against the plan at least annually.

South Carolina’s Insurance Data Security Act (following the NAIC model law) states: “As part of its information security program, a licensee must establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event.”

Additional legislation and regulations that include this principle can be found here.

Principle 6: Manage Cyber Security of Third-Party Vendors

A recent Soho study concluded that 63% of all data breaches involved the supply chain. Even if that number seems a bit high, regulating authorities are taking note, as is evident from two recent settlements related to data breaches caused by a third party.

Massachusetts 201 CMR 17.03(2)(f) requires companies to “Tak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations.”

A number of laws are requiring companies to push cyber obligations on third parties. You can find a list of them here.

Principle 7: Conduct Routine Security Training

A company’s cyber program is oftentimes only as robust as the employees implementing it. A number of statistics put insider threats as a leading cause of data breaches. Whether it is because employees invariably click on suspicious links in emails, use easily defeated passwords, fail to report malicious or accidental cyber issues, or simply do not practice good cyber hygiene, poorly trained employees are often the weakest link in a cyber security program.

The HIPAA security rule (see page 8377) requires covered entities to “implement a security awareness and training program for all members of its workforce (including management).”

Additional legislation and regulations that include this principle can be found here.

Principle 8: Regularly Update the Program

Authorities recognize that cyber security is a living program, requiring continuous modifications as new threats arise, infrastructure changes, and reorganizations occur. Companies are instructed to modify the program accordingly, but at the very least, it should be reviewed and updated annually.

PCI-DSS 12.1.1 requires entities to “review the security policy at least annually and update the policy when the environment changes.”

Additional legislation and regulations that include this principle can be found here.

As expected, laws and regs change all the time (as an example, there were 244 state cyber bills introduced in 2017 and already 233 as of August 2018), so check the Trello board often and follow my LinkedIn page, where I will post notice of updates.

Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.