January 30, 2020 Practice Points

A Very Brief Introduction on Cybersecurity Regulations/Standards: Part 1

Two standards and regulations that you should learn if you are interested in cybersecurity and privacy.

By Leonard Wills

As data breaches continually make headlines, cybersecurity issues garner more attention. Organizations must leverage security controls to prevent, detect, mitigate, and respond to cybersecurity incidents. Below you can find two cybersecurity standards/regulations that individuals interested in cybersecurity and privacy should learn. To use auditor lingo, these standards/regulations consist of security controls—among other controls—that safeguard personal identifiable information and information systems.

Security controls can be categorized as preventive, detective, and corrective. Preventive controls consist of prevent cyberattacks from a malicious actor (e.g. encryption). Detective controls consist of controls that detect and report occurrences of malicious acts (e.g. intrusion detection system). Corrective controls are controls that minimize the impact of a threat or attack (e.g.  disaster/ business recovery plan).

Gramm-Leach-Bliley Act

Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is federal law that requires financial institutions to explain their information-sharing practices to their customers and to protect their customer’s private information.  

The GLBA requires the Consumer Financial Protection Bureau (CFPB), the Securities and Exchange Commission, the Commodity Futures Trading Commission (CFTC), and the Federal Trade Commission (FTC) to promulgate regulations to safeguard nonpublic personal information (NPI). NPI consists of any “personally identifiable financial information”—not “publicly available”—leveraged to provide financial services or products regarding individuals collected by financial institutions.

Under GLBA, the term “financial institutions” has a broad definition. “Financial institutions” entails entities that “significantly engaged” in “financial activities.” The FTC also interpreted financial institutions as nontraditional financial institutions such as entities that provide “financial data processing and transmission services, facilities (including hardware, software, documentation, or personnel) data bases, advice, or access to these by technological means.” Additionally, entities registered with the SEC—such as brokers, dealers, investment companies, and investment advisers—must also comply with certain sections of GLBA.

GLBA also requires the FTC and SEC to implement standards, while other agencies have the option of issuing guidance. The SEC released the Procedures to Safeguard Customer Records and Information (the SEC Safeguard Rule) in 2002 and the FTC Safeguard Rules were released in 2003. The Safeguard Rules require financial institutions to develop, implement, and maintain a comprehensive information security program. This program includes some of the following: identify and assess risk to customer information, design and implement a safeguard program, and evaluate and adjust the program in light of relevant circumstances. 

Health Insurance Portability and Accountability Act

Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) establish regulations for the privacy and security of identifiable health information known as protected health information (PHI).  The Office for Civil Rights (OCR) within HHS enforces the Privacy and Security Rules.

PHI entails “individually identifiable health information” that relates to (1) the individual’s past, present, or future physical or mental health or conditions; (2) the provision of health care to the individual; or (3) the past, present, or future payment for the provision of the of health care to the individual, and that identifies the individual or for which there is reasonable basis to believe it can be used to identify the individual.

HIPAA applies to “covered entities” and their “business associates.” A covered entity consists of a health care provider, health plan, or a health care clearinghouse. Business associates assist with the covered entities health care activities and functions. Covered entities must have a written business associate contract or other arrangements to ensure that the business associates comply with HIPAA.

HIPAA has two rules covered entities and business associates must follow to safeguard PHI: the Privacy Rule and Security Rule. The Privacy Rule establishes national standards for the protection of PHI. The Security Rule, establishes a nation set of security standards for protecting PHI that is held or transferred in electronic form. The Security Rule operationalizes the protections in the Privacy Rule by addressing the technical and non-technical safeguards covered entities must have to protection individuals’ “electronic protected health information.”

Leonard Wills is a presidential management fellow in Washington D.C. 


Copyright © 2020, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).