Cybersecurity laws concern the protection of information technology and computer systems and the prevention of cyber-attacks, including viruses, phishing, and denial-of-service (DoS) attacks. Cyber-attacks can also include worms, Trojan horses, unauthorized access (including theft of intellectual property or confidential information), and attacks on control systems. Among the cyber-security measures used to prevent cyber-attacks are firewalls, anti-virus software, encryption, and login passwords.
There are three principal cybersecurity regulations under federal law. They are the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act of 1999, and the Homeland Security Act of 2002, of which the Federal Information Security Management Act was a part. Each of these regulations requires that healthcare organizations, federal agencies, and financial companies safeguard their systems and information.
Title I of HIPAA protects health care coverage for individuals and their families when they change jobs or become unemployed. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires that national standards be established for electronic health care transactions and for identifiers for providers, health insurance plans, and employers.
The Gramm-Leach-Bliley Act of 1999, also called the Financial Services Modernization Act of 1999, removed market barriers that prohibited banking, securities, and insurance companies from operating as any combination of an insurance company, an investment bank, and a commercial bank. Certain provisions of the Act mandate that consumers' nonpublic personal information, or information that could identify them, be protected. They are the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Protection provisions.
The Homeland Security Act of 2002 was enacted in the wake of the September 11 attacks and the subsequent anthrax mailings. The Act is the basis of the Cyber Security Enhancement Act of 2002, which modified the USA PATRIOT Act by lessening restrictions on Internet service providers (ISPs) regarding when, and to whom, they can provide information about subscribers. This aspect of the Act was especially disconcerting to privacy advocates, who contend that it increases the risk to personal privacy and security.
Many organizations have experienced some type of security breach or theft; among law firms, 14% have reported such cyber-attacks. Law firms' security measures, including their protection of confidential information sent to vendors such as printing companies and word processing firms, are being examined by banks, which are conducting on-site technology audits of the firms. The banks, in turn, are being encouraged by regulators to strengthen their own cyber-security measures.
Recently, New York's Department of Financial Services sent letters to banks inquiring about how they protect information sent to third-party vendors, including law firms and accounting firms. Law firms are considered especially vulnerable to cyber-attacks because clients often turn over all of their sensitive information to them.
Furthermore, the Department of Homeland Security is investigating potential flaws in medical devices that could permit hackers to take control of the equipment with the purpose of maiming or killing patients. Hackers who abuse such cybersecurity flaws could, for instance, order an excessive dose from an infusion pump or a fatal shock from a heart pump.
As a result of these flaws, manufacturers have reportedly made improvements to their devices to strengthen their cybersecurity.