Cybersecurity: A Combination of Legal, Business and Technical Measures

Following the development of internet technology and application, both legal and business options for eliminating or ameliorating cybersecurity difficulties have sprung into existence.

By Jonathan D. Bick | October 25, 2019  New Jersey Law Journal

Cybersecurity, the protection of computer hardware, software and data from the theft, damage, disruption and/or misuse, has been in place for decades. Due to the internet’s connection to things like medical devices, personal devices and cars, cybersecurity is now relevant to individuals, whereas in the past only computer system manufacturers and operators needed to be cybersecurity savvy. Fortunately, legal, business and technical cybersecurity means are available to individuals and computer system manufacturers and operators alike.

Since 1988, when a self-replicating worm software allowed a Cornell graduate student to unintentionally disrupt up to 10% of all internet computers within a few hours (see United States v. Morris, 928 F.2d 504 (1991)), an industry specializing in technology solutions to cybersecurity matters has arisen. Following the development of internet technology and application, both legal and business options for eliminating or ameliorating cybersecurity difficulties have sprung into existence.

Both criminal and civil legal options are available for dealing with cybersecurity matters. Several federal laws are applicable to resolving cybersecurity difficulties. These statutes are sector specific, namely, health, financial and governmental. Each of these three sectors has specific minimum cybersecurity rules they must follow.

The first federal law which specifically dealt with cybersecurity matters was the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (see 42 U.S.C. § 1320d-6 (2018)). HIPAA’s Privacy Rule includes “health plans, health care clearinghouses, and … health care provider[s] who transmit health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.” Significant civil and criminal penalties have continuously been assessed for failure to abide by the administrative safeguards, which include policies and procedures directives, and physical technical safeguard prerequisites.

The second federal law which specifically dealt with cybersecurity matters was the Gramm-Leach-Bliley Act of 1999 (GLB). GLB was applicable to banking, insurance and investment entities. Specifically, GLB includes regulations that require said entities to use the internet for collection, storage, protection and disclosure of customers’ financial information. More specifically, 16 CFR Part 314 (Safeguards Rule) requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

The third federal law that specifically dealt with cybersecurity matters was the Federal Information Security Management Act of 2002 (FISMA). FISMA covers federal agencies and requires each federal agency to develop, document and implement specific cybersecurity programs.

States have also enacted cybersecurity minimum requirements for  specific sectors, particularly financial institutions. For example, NY COMP. CODES Title 23, Section 500.01(c) (2019), requires specific minimum cybersecurity measures for New York person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. While federal and state laws in conjunction with technical efforts by individuals and computer system manufactures and operators alike may have prevented or ameliorated the difficulties related to breaches in cybersecurity, both the scope and severity of cybersecurity breaches have increasingly interrupted revenue generating activities and often produce adverse publicity. Additionally, enforcement actions against businesses that have allegedly failed to adequately protect their internet assets, such as customer data, have resulted in legal difficulties and fines.

Consequently, the purchase of an insurance policy against cyberattack-related losses is another measure which is part of  many entities’ cybersecurity. Such a policy will cover damages to the insured and to third parties. Depending upon the policy, it may also cover the cost of attorney fees to defend damage claims. Typically, the insurer will require specific technological precautions to minimize insured losses from failure in an entity’s cybersecurity. Typically, the technology measures that insurers require are already employed by individuals and organizations. These measures usually include a properly configured and monitored firewall and regular review of firewall logs. More advanced precautions include automated intrusion detection systems, file integrity monitoring, and penetration testing. In addition to learning how to recognize phishing attacks and what to do if a cybersecurity difficulty is detected, normally individuals will want to do the following to ensure the viability of their cybersecurity: Keep firewall on because it helps to protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information; and

Install and maintain antivirus software because it is designed to prevent and neutralize malicious software programs as well as stopping third parties from collecting information without consent.

Finally, an individual can take a few steps to promote cybersecurity. Do not open an e-mail attachment from an unknown source. Only use trusted sites when providing your personal information. A good rule of thumb is to check the URL. If the site includes “https://,” then it’s a secure site. If the URL includes “http://,” — note the missing “s” — avoid entering sensitive information like your credit card data or Social Security number. Setup Two Factor Authentication (2FA) which is In addition to a password; 2FA requires you to provide a second piece of information to confirm your identity. Don’t use the same password for your personal and work emails. And last, turn off computers that are not in use. A computer that is off is generally free from being harmed or doing harm to others.