Cyberlaw covers a wide range of topics: data privacy laws that protect personal information from unauthorized access and theft, and intellectual property laws that protect creative works such as music and writing. Businesses should understand the cyber laws that apply to them, including those governing data breaches, cybersecurity information sharing and the protection of critical infrastructure.
Data Protection Act
As the world moves online, every interaction leaves a digital trail of personal information that criminals can use to steal identities or exploit consumers. As a result, data protection law is an increasingly important part of cyberlaw, ensuring that companies collect, store and use personal information responsibly. In the United States, federal and state data protection laws provide overlapping layers of protection; at the federal level the Federal Trade Commission (FTC) is the main enforcement body, with a mandate to protect consumer privacy. Data protection regulations generally require businesses to disclose their data collection and sharing practices and, in many cases, to obtain consent from consumers before collecting personally identifiable information (PII). They must also limit collection to what is needed and share PII only with authorized third parties for agreed-upon purposes. Minimizing the number of copies of PII reduces exposure, and businesses are expected to keep it secure, perform impact assessments and update their policies as technology changes.
Computer Misuse Act
The United Kingdom's Computer Misuse Act 1990 (CMA) criminalizes unauthorized access to computer material and unauthorized acts that impair the operation of a computer, such as modifying or deleting stored information. Later amendments added offences for making, supplying or obtaining articles (including malware and hacking tools) for use in such offences, and for unauthorized acts that cause serious damage. A person found guilty under the act may face fines or imprisonment. A recent study found that between 2008 and 2018 the CMA was used to prosecute 422 cybercrimes, with 76 percent resulting in a guilty verdict. This suggests the act is an effective tool against cyber criminals, but critics argue that it does not distinguish between "white hat" security research and malicious hacking: the deciding factor is whether access was authorized, not the intent behind it. It also remains unclear how far the act permits businesses to use hacking software and tools for their own security testing, since many such tools are sold openly but are also packaged and distributed for malicious use. The CMA has been amended several times over the last three decades to keep pace with technological advances and changes in how information is processed.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) applies when you accept payment card transactions. It is a contractual standard, enforced through the card brands and acquiring banks rather than by statute, that sets security requirements for any company that stores, processes or transmits cardholder data or sensitive authentication data. That includes thousands of organizations spanning every industry, and even government agencies.
American Express, Discover Financial Services, JCB International, MasterCard and Visa formed the PCI Security Standards Council in 2006 to maintain and manage the standard. The goal is to reduce payment fraud across the card ecosystem. How compliance is validated depends on transaction volume: the largest merchants and service providers undergo an on-site assessment by a Qualified Security Assessor (QSA), while smaller merchants complete a Self-Assessment Questionnaire and, where Internet-facing systems are involved, quarterly external vulnerability scans by an Approved Scanning Vendor.
PCI DSS is organized into twelve high-level requirements, broken down into 78 base requirements and roughly 400 test procedures that an assessor works through. The requirements themselves are the same for everyone; what varies with the number of card transactions your business processes each year is your merchant level, which determines how compliance must be validated. Requirement 1 covers network security controls such as firewalls, which protect against theft through illegitimate remote access to your network. Requirement 3 covers protection of stored cardholder data: sensitive authentication data (full track data, card verification codes and PINs) may never be stored after authorization, and a stored primary account number must be rendered unreadable, for example by truncation, tokenization or strong cryptography with properly managed keys, and masked when displayed. Requirement 6 requires that applications be developed to resist common coding flaws such as SQL injection, cross-site scripting and cross-site request forgery, and that public-facing web applications either be reviewed for vulnerabilities at least annually or be protected by an automated technical solution such as a web application firewall. Keep firewall and application configurations current in either case.
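As an added example (not code from the article or from the PCI Security Standards Council), the following Python shows what the stored-data requirement looks like in practice: the full card number is validated, reduced to a masked display form plus a keyed HMAC token for lookups, any sensitive authentication data is refused before anything is written, and the insert uses a parameterized query so an injection payload in a user-supplied field is stored as data rather than executed. The table layout, the placeholder HMAC key and the well-known Visa test number are assumptions made for the demo.

```python
"""Added example: cardholder data handling in the spirit of PCI DSS Requirement 3.

Illustrative only. The table layout, the constructed HMAC key and the sample
card number (a widely published Visa test number) are assumptions for the demo.
"""
import hashlib
import hmac
import re
import sqlite3

# Assumption for the demo only: a real deployment keeps this key in an HSM or
# KMS with its own rotation procedure, never in source code.
HMAC_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")

# Sensitive authentication data: must never be persisted after authorization.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test over a string of digits."""
    digits = [int(d) for d in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; refuse anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash used for lookups. An unkeyed SHA-256 of a 16-digit PAN is
    brute-forceable from the BIN and Luhn structure alone, so use an HMAC."""
    return hmac.new(HMAC_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_card_record(record: dict) -> dict:
    """Reduce an inbound card record to the fields that may be persisted."""
    if SAD_FIELDS & set(record):
        raise ValueError("sensitive authentication data must not be persisted")
    pan = normalize_pan(record["pan"])
    return {"masked_pan": mask_pan(pan), "pan_token": pan_token(pan), "expiry": record.get("expiry")}


def open_store() -> sqlite3.Connection:
    """In-memory table that holds only the masked PAN and token, never the full PAN."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, masked_pan TEXT, pan_token TEXT, expiry TEXT)")
    return conn


def store_card(conn: sqlite3.Connection, customer: str, record: dict) -> dict:
    row = prepare_card_record(record)
    # Parameterized query: user-controlled strings travel as bound values, so an
    # injection payload in `customer` is stored verbatim instead of being executed.
    conn.execute(
        "INSERT INTO cards (customer, masked_pan, pan_token, expiry) VALUES (?, ?, ?, ?)",
        (customer, row["masked_pan"], row["pan_token"], row["expiry"]),
    )
    conn.commit()
    return row


def find_by_pan(conn: sqlite3.Connection, raw_pan: str) -> list:
    """Look a card up by its token; the full PAN never reaches the database."""
    token = pan_token(normalize_pan(raw_pan))
    return conn.execute("SELECT customer, masked_pan FROM cards WHERE pan_token = ?", (token,)).fetchall()


def demo() -> dict:
    """Run the flow end to end and return the observations as data."""
    conn = open_store()
    hostile_name = "x'); DROP TABLE cards; --"       # constructed injection attempt
    stored = store_card(conn, hostile_name, {"pan": "4111 1111 1111 1111", "expiry": "12/27"})
    try:
        prepare_card_record({"pan": "4111111111111111", "cvv": "123"})
        sad_rejected = False
    except ValueError:
        sad_rejected = True
    table_intact = conn.execute("SELECT count(*) FROM cards").fetchone()[0] == 1
    return {
        "masked_pan": stored["masked_pan"],
        "lookup": find_by_pan(conn, "4111111111111111"),
        "table_intact": table_intact,
        "sad_rejected": sad_rejected,
        "bad_luhn_rejected": not luhn_valid("4111111111111112"),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC token stands in for a tokenization service: it lets the application find a card again without keeping the PAN, but anyone who obtains the key can recompute tokens from candidate numbers, so the key needs the same protection PCI DSS demands for encryption keys.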
Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act of 2015 (CISA, not to be confused with the Cybersecurity and Infrastructure Security Agency, which shares the acronym) enables businesses to share cybersecurity threat information with the government without fear of liability. It is intended to make it easier for the federal government to detect and combat cyber threats, which can significantly affect businesses of all sizes and across industries.
CISA establishes a portal through which businesses submit cyber threat indicators to the Department of Homeland Security (DHS) and allows DHS to share that information with other agencies, including the federal intelligence community. It also exempts shared information from disclosure under the Freedom of Information Act and similar open-government laws.
In addition, the law requires private entities that share cyber threat indicators through the DHS portal to scrub personal information that is not directly related to a threat before sharing it. DHS must publish guidance on complying with this requirement, informed by feedback from within the government and from the privacy advocacy community. The law provides a variety of liability protections for private entities that share cyber threat indicators and operate defensive measures. It bars causes of action arising from the sharing or receipt of such information, from decisions a company makes to improve its cybersecurity based on that information, and from authorized network monitoring. This liability protection does not, however, extend to negligence claims or to breaches of contractual cybersecurity obligations.