As the use of internet technology continues to grow across the globe, so do attempts to access devices through spam, invasive viruses, hacking and other criminal activities. In turn, federal and state laws are created to keep computers, personal information and sensitive data safe from computer crime.
Nationwide, states are focusing more on cybersecurity. Initiatives such as increased funding for improved security, requiring governmental agencies to implement security practices, protecting against threats to critical infrastructure and instituting tough penalties for computer crimes are being passed.
According to the National Conference of State Legislatures, in 2016, 28 states considered laws dealing with cybersecurity. Fifteen of them enacted legislation on security practices in government agencies, cyber and computer crimes and suspensions from the state Freedom of Information Act if information could put critical information or infrastructure in danger.
This year, the New York Department of Financial Services instituted groundbreaking cybersecurity regulation for New York’s financial services industry. The regulation, which took effect March 1, requires financial institutions such as insurance companies and banks to create and maintain a cybersecurity program that protects consumers’ private data.
According to the NCSL, at least 41 states introduced more than 240 bills during 2017 to address cybersecurity. Some of the key areas of legislative activity include:
- Improving government security practices: 42 bills in 20 states, Puerto Rico.
- Commissions, task forces and studies: 29 bills in 16 states, Puerto Rico.
- Funding for cybersecurity programs and initiatives: 27 bills in 14 states.
- Targeting computer crimes: 20 bills in 11 states.
- Restricting public disclosure of sensitive security information: 19 bills in 11 states.
- Promoting workforce, training, economic development: 13 bills in 10 states.
At least 16 states enacted legislation, including Delaware, which passed House Bill 180. The bill updated Delaware’s law regarding computer security breaches by requiring that any person who conducts business in the state and maintains personal information must safeguard that information. It also updates the definition of breach of security by including the unauthorized access, use, modification or disclosure of personal information.
Pennsylvania introduced six bills, of which one was adopted – one that recognized October as Cybersecurity Awareness Month.
CATCHING UP WITH THE THREAT
One of the biggest challenges in fighting computer crimes is the lack of consistency between states, said Greg Porter, cybersecurity instructor at Francis Tuttle Technology Center in Oklahoma City.
“The European Union created a single computer crimes and privacy law – the General Data Protection Regulation – and has put everything under one set of rules,” he said. “In the U.S., we have one set of rules that govern credit cards, one set of rules for health care, one set of rules for corporations. … We have all these different privacy policies, which makes it difficult to legislate on a state level.”
Legislating computer crimes on a state-by-state basis presents its own challenges, Porter said, adding that part of the problem is that legislators are not cybersecurity experts.
“They don’t have the expertise to understand these issues,” Porter said. “A lot of the people they consult with have a vested interest and won’t protect your privacy. Also, they may not have the legal authority to enforce state laws. Cybercrimes are not tied to the state – they cross state, national and international borders.”
FEDERAL LAWS LACKING
The United States’ main federal cybersecurity regulations come from the 1996 Health Insurance Portability and Accountability Act; the 1999 Gramm-Leach-Bliley Act, which is the Financial Services Modernization Act; and the 2002 Homeland Security Act, which also includes the Federal Information Security Management Act.
While these mandates cover health care, financial institutions and federal agencies, they require only a “reasonable” level of security, as defined by the Department of Homeland Security. In addition, the regulations do not cover other computer-related businesses such as internet service providers and software companies.
The new laws are a good start, Porter said, but more consistency and education are needed to truly make a difference.
“So much of our lives are tied up and available on the internet,” he said. “I can find out anything about you without your personal consent, and if we start looking at what big companies are gathering about your metadata, it’s scary.”
BridgeTower Media is the parent company of Lehigh Valley Business.