Cybersecurity Law
Computer fraud, data breach notification, incident reporting, and critical infrastructure protection.
Overview
Cybersecurity law addresses the legal framework for protecting computer systems, networks, and data from unauthorized access, damage, and theft. The Computer Fraud and Abuse Act (CFAA) is the primary federal criminal statute prohibiting unauthorized access to protected computers, while a growing body of state and federal laws addresses data breach notification, incident reporting, and cybersecurity standards for critical infrastructure.
Data breach notification laws, enacted in all 50 states, the District of Columbia, and U.S. territories, require organizations to notify affected individuals (and, in many states, the state attorney general or other regulators) when their personal information has been compromised. Federal sector-specific requirements (HIPAA for healthcare, GLBA for financial institutions) impose additional cybersecurity and notification obligations. The Cybersecurity Information Sharing Act of 2015 (often abbreviated CISA, not to be confused with the agency of the same initials) encourages voluntary sharing of cyber threat indicators and defensive measures between the private sector and the federal government by providing liability and antitrust protections for sharing done in accordance with the Act.
The regulatory landscape continues to evolve rapidly. SEC cybersecurity disclosure rules (2023) require public companies to report a cybersecurity incident on Form 8-K within four business days of determining that the incident is material; the clock runs from the materiality determination, not from discovery of the incident, although that determination must be made without unreasonable delay. The NIST Cybersecurity Framework, originally written for critical infrastructure operators and broadened to all organizations in version 2.0 (2024), provides voluntary guidance rather than binding standards, though regulators and courts frequently treat it as a benchmark for reasonable security. State-level regulation, including New York's DFS Cybersecurity Regulation (23 NYCRR 500) and the California Consumer Privacy Act (CCPA), which gives consumers a private right of action for breaches caused by a failure to maintain reasonable security, has established increasingly specific requirements. Federal agencies including CISA, the FBI's Cyber Division, and the Justice Department's Computer Crime and Intellectual Property Section (CCIPS) play key roles in incident response, investigation, and enforcement.
Key Statutes
| Statute | Citation | Summary |
|---|---|---|
| Computer Fraud and Abuse Act (CFAA) | 18 U.S.C. § 1030 | Federal criminal statute prohibiting unauthorized access to protected computers, computer fraud, damage to protected computers, and trafficking in passwords. |
| Cybersecurity Information Sharing Act of 2015 (CISA Act) | 6 U.S.C. §§ 1501–1510 | Encourages voluntary sharing of cyber threat indicators and defensive measures between private entities and the federal government, with liability protections for sharing. |
| Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) | 6 U.S.C. §§ 681–681g | Will require covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and ransomware payments within 24 hours of the payment being made. The reporting obligations take effect only once CISA's implementing rule (proposed in 2024) is final. |
| Electronic Communications Privacy Act (ECPA) | 18 U.S.C. §§ 2510–2523 (Wiretap Act), 2701–2713 (Stored Communications Act), 3121–3127 (Pen Register Act) | Prohibits interception of wire, oral, and electronic communications in transit and unauthorized access to stored communications, subject to exceptions for consent, a service provider's protection of its own rights and property, and lawful process. Relevant to network monitoring, incident response, and threat hunting that captures user traffic. |
Key Cases
Van Buren v. United States
593 U.S. 374 (2021)
Narrowed the CFAA's 'exceeds authorized access' provision: a person exceeds authorized access only by obtaining information from areas of a computer (files, folders, databases) that are off-limits to them, not by using information they were entitled to access for an improper purpose. The Court adopted a 'gates-up-or-down' reading and expressly left open whether the gates must be technological or may be set by contract or policy.
hiQ Labs, Inc. v. LinkedIn Corp.
31 F.4th 1180 (9th Cir. 2022)
Affirmed, at the preliminary-injunction stage, that scraping data a website makes available to the public likely does not constitute access 'without authorization' under the CFAA, because there is no authentication gate to bypass. The ruling did not resolve LinkedIn's contract-based claims; on remand the district court later found that hiQ had breached LinkedIn's User Agreement, so terms of service and other state-law theories remain a practical constraint on scraping.
In re Capital One Consumer Data Security Breach Litigation
488 F. Supp. 3d 374 (E.D. Va. 2020)
Multidistrict class action arising from the 2019 breach of Capital One customer data stored in Amazon Web Services. The cited opinion ruled on motions to dismiss and is referenced for its treatment of standing, negligence duty of care, and damages in breach litigation. The same litigation is also known for ordering production of the Mandiant incident-response report, which the court held was not protected work product because it was prepared under a pre-existing business engagement rather than primarily in anticipation of litigation, a point that shapes how counsel structure forensic engagements.
Key Regulations
SEC Cybersecurity Risk Management and Incident Disclosure Rules
Securities and Exchange Commission (17 CFR Parts 229, 249)
Requires public companies to disclose a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material, and to describe cybersecurity risk management, strategy, and governance annually on Form 10-K (Regulation S-K Item 106). Disclosure may be delayed only where the Attorney General determines that it would pose a substantial risk to national security or public safety.
NIST Cybersecurity Framework
National Institute of Standards and Technology
Voluntary framework (currently version 2.0, released in 2024) that organizes cybersecurity outcomes into the Govern, Identify, Protect, Detect, Respond, and Recover functions. Originally aimed at critical infrastructure, it now addresses organizations of any size or sector and is frequently cited in state safe harbor statutes and regulatory guidance as a recognized framework.
NY DFS Cybersecurity Regulation
New York Department of Financial Services (23 NYCRR 500)
Comprehensive cybersecurity requirements for DFS-licensed financial services companies operating in New York, including periodic risk assessments, a written incident response plan, a designated CISO, multi-factor authentication, annual compliance certification, and notice to DFS within 72 hours of a qualifying cybersecurity event. The 2023 amendment added, among other things, a 24-hour notice requirement for extortion payments and heightened obligations for larger 'Class A' companies.
Common Issues
- Data breach response and notification obligations
- CFAA scope and authorized access boundaries
- Ransomware incident response and payment considerations
- Cybersecurity insurance coverage and exclusions
- Vendor and supply chain cybersecurity risk management
- SEC materiality determination for cyber incidents
- Critical infrastructure protection and CISA coordination
- Cross-border data breach notification requirements
State Variations
All 50 states, D.C., and U.S. territories have enacted data breach notification laws, but they differ significantly in the definition of personal information, the notification trigger (some require notice on any unauthorized acquisition, others only where there is a reasonable risk of harm), timing requirements (commonly 30 to 60 days after discovery, with some states shorter), regulator notification thresholds, and enforcement mechanisms. Some states (California CCPA, Virginia VCDPA, Colorado CPA) have enacted comprehensive consumer privacy laws with cybersecurity components. New York's DFS Cybersecurity Regulation applies specifically to financial services. Ohio, Connecticut, Utah, and several other states have enacted safe harbor laws providing an affirmative defense to data breach tort claims for organizations that implement and maintain a recognized cybersecurity framework such as the NIST CSF. State attorneys general serve as primary enforcers of data breach notification compliance in most states, though a few states also permit private suits.
Resources
Cybersecurity and Infrastructure Security Agency (CISA)
Federal agency responsible for protecting critical infrastructure, coordinating cyber threat information sharing, and providing incident response assistance.
FBI Internet Crime Complaint Center (IC3)
FBI's centralized mechanism for reporting suspected internet-facilitated criminal activity, including cyber intrusions and data breaches.