If your business has an online presence – even a relatively small one – it may be wise to familiarize yourself with some of the numerous cybersecurity laws in the U.S. (and around the world, if you’re doing business globally) that cover internet, data security, and privacy. Here, we’ll focus on laws in the United States, but if your website has frequent visitors based in Europe and/or you are regularly engaging online with international customers, the team at ATB also encourages you to familiarize yourself with the General Data Protection Regulation, better known as GDPR.
The 1974 Privacy Act is the foundation for all future privacy laws in the United States. While the Privacy Act seemed sufficient for several decades, once the internet became prevalent, it also became clear that a new definition of privacy was required that specifically addressed electronic communications.
There are four primary cybersecurity laws that every business and individual using the internet today should be familiar with. They outline your rights as both a consumer and a business.
- Electronic Communications Privacy Act (ECPA) – Passed in 1986, this law remains on the books today. Though a lot has changed over the past 30 years, particularly as it relates to technology and cybersecurity concerns, how the government is allowed to access personal and business digital communications is unchanged. At its core, this law allows for law enforcement to gather electronic communications with a subpoena, and a warrant is not required if the items in question are 180 days or older.
- Computer Fraud and Abuse Act (CFAA) – Also originally a product of the late 1980s, CFAA has been amended a number of times, including, most recently, in 2008 by the Identity Theft Enforcement and Restitution Act. Although the subsequent amendments have refined the role of CFAA, its primary purpose is to make it a crime to access and subsequently share protected information.
- Cyber Intelligence Sharing and Protection Act – An amendment to the National Security Act of 1947, which did not cover cybersecurity, this law primarily covers how information regarding potential cyber threats may be shared with the federal government.
- Children’s Online Privacy Protection Act (COPPA) – At its core, this act requires websites that collect any information on children under the age of 13 to comply with the Federal Trade Commission (FTC) rules. This gives the FTC power to review websites and determine if they are suitable for children, and to make rulings about data collection practices that may intentionally (or inadvertently) involve minors.
These and other data privacy and cybersecurity laws continue to be a hot topic in Washington, D.C. (and around the world), and our IT security experts encourage all small and medium-sized business owners to at least familiarize themselves with them and have a basic understanding of their rights and responsibilities.
To learn more about the implications cybersecurity laws may have on your business, or to request an evaluation of current practices, contact our team of cybersecurity services professionals at ATB today.