Laws and Regulations

Updated Jan 30, 2024

Categories of Laws in the US

Criminal Law

Criminal law consists of statutes and rules that define offenses against society, with penalties such as fines, imprisonment, or other punishments.

  • Enforced by police and law enforcement agencies
  • Prohibits acts like murder, assault, robbery, and arson
  • Covers cybercrimes such as hacking, data breaches, and unauthorized system access
  • Unique feature is punishment, often involving loss of liberty
  • Must be established by legislative bodies at national, state, or local levels

All federal and state laws must comply with the ultimate authority that dictates how the US system of government works: the US Constitution.

Civil Law

Also called Tort Law, civil law handles disputes between individuals or organizations where the goal is compensation or specific action, not criminal punishment.

  • Covers almost any matter that is not addressed by criminal law.
  • This includes liability claims, estate probate, contractual disputes, etc.
  • Passed by legislative bodies but does not impose jail time.

Like criminal law, civil laws go through the legislative process and must comply with constitutional limits. At the federal level, both are contained in the United States Code (USC).

The main difference between civil law and criminal law lies in who brings the case and the type of penalty.

In a criminal prosecution:

  • Goal is to prove guilt and impose punishment
  • The government prosecutes the accused
  • Penalties include fines, probation, or imprisonment

In civil matters:

  • Goal is compensation or action
  • The injured party (plaintiff) files the case
  • Outcomes are usually monetary damages or court orders

Administrative Law

Administrative law governs the activities of administrative agencies of government.

  • Often provides details missing from the law.
  • Defines regulatory requirements set by government agencies.
  • Specifies standards and procedures for compliance audits.
  • Enforces penalties or fines for non-compliance with regulatory standards.

At the federal level, administrative law is found in the Code of Federal Regulations (CFR).

Private Regulations

Private regulations refer to rules and standards established by non-governmental entities, such as industry associations or professional bodies.

  • Industry-specific standards for data protection and cybersecurity.
  • Requires adherence to codes of conduct and ethical guidelines.
  • Provides frameworks for self-regulation and certification programs.
  • An example is PCI-DSS, the compliance standard for credit card processing.

CFAA

Originally introduced in 1984 as the Counterfeit Access Device and Computer Fraud and Abuse Act, it was amended in 1986 and became the Computer Fraud and Abuse Act (CFAA). This U.S. federal law protects computer systems and data from unauthorized access and cyber threats.

  • Prohibits unauthorized access to computers and networks
  • Covers crimes such as hacking and fraud
  • Imposes penalties for computer-related offenses

Congress first attempted to address computer crime under the Comprehensive Crime Control Act (CCCA) of 1984, but the CFAA was written specifically for crimes that crossed state lines, avoiding conflicts with state laws.

The CFAA applies to:

  • Computers used by the U.S. government
  • Computers used by financial institutions
  • Cases where offenses disrupt government or financial systems
  • Computers involved in crimes spanning multiple states

ECPA of 1986

The Electronic Communications Privacy Act of 1986 strengthens privacy protections for electronic communications and complements other information security laws.

While both address computers and electronic data, CFAA and ECPA serve different purposes:

  • CFAA (Computer Fraud and Abuse Act)

    • Targets computer crimes
    • Prohibits unauthorized access, hacking, and cyber fraud
    • Violations lead to criminal penalties
  • ECPA (Electronic Communications Privacy Act)

    • Protects privacy of electronic communications
    • Secures emails, calls, and other electronic data from interception
    • Violations can result in civil or criminal penalties
    • Focus is on privacy, not system damage

Summary:

  • CFAA = crime prevention and punishment
  • ECPA = privacy protection

CSA of 1987

The Computer Security Act of 1987 is a US federal law aimed at improving the security of federal computer systems and protecting sensitive information.

  • Sets requirements for securing federal computer systems
  • Requires protection of sensitive but unclassified information
  • Requires federal agencies to develop security plans and training programs for staff

While the CFAA addresses computer crimes, this act emphasizes preventive security measures to reduce risks.

NIIPA of 1996

An amendment to the CFAA, the National Information Infrastructure Protection Act (NIIPA) of 1996 expanded its scope and protections.

  • Extended coverage to computer systems used in international commerce, not just interstate
  • Included critical infrastructure beyond computers, such as railroads, pipelines, and power grids
  • Made intentional or reckless damage to national infrastructure a felony

FISMA of 2002

The Federal Information Security Management Act (FISMA), passed in 2002 under the Electronic Government Act, sets standards for securing federal information and systems. It provides a framework for managing cybersecurity risks across government agencies.

  • Strengthens federal agency cybersecurity
  • Requires use of a Risk Management Framework (RMF)
  • Mandates security controls defined by NIST
  • Requires annual security program reports

FISMA places a significant burden on federal agencies and government contractors, who must develop and maintain substantial documentation of their FISMA-compliant activities.

FISMA of 2014

The Federal Information Security Modernization Act of 2014 updated FISMA to tackle evolving cybersecurity threats and strengthen federal security practices. It also enhanced the Department of Homeland Security's (DHS) role in overseeing federal cybersecurity.

Exceptions to DHS oversight:

  1. Defense-related cybersecurity remains under the Secretary of Defense
  2. Intelligence-related cybersecurity remains under the Director of National Intelligence

CEA of 2014

The Cybersecurity Enhancement Act focused on improving cybersecurity research, standards, and education. Amended in 2022, it strengthens federal cybersecurity efforts and promotes development of best practices.

NIST produces the 800 series of Special Publications for guidance on information security and privacy.

  • NIST SP 800-53

    • Security and privacy controls for federal information systems and organizations
    • Provides a framework for risk management
    • Guides implementation of technical and administrative safeguards
  • NIST SP 800-171

    • Protects Controlled Unclassified Information (CUI) in nonfederal systems and organizations
    • Specifies security requirements for contractors handling federal data
    • Helps ensure consistent safeguarding of sensitive information

NCPA of 2014

The National Cybersecurity Protection Act of 2014 established the National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security (DHS). The NCCIC serves as a central hub for sharing cybersecurity information and coordinating responses to cyber threats.

Federal Information and Resources Management Regulation

The Federal Information and Resources Management Regulation is a U.S. regulation that sets rules for the use and management of federal information resources.

  • Governs how federal agencies manage information resources
  • Ensures security and efficiency in resource use
  • Requires agencies to implement policies for proper data handling

This regulation helps maintain secure, efficient, and accountable use of federal information.

Office of Management and Budget Circular A-130

Guidance for federal agencies on managing information resources effectively.

  • Provides policies for managing federal information systems
  • Emphasizes the need to secure federal information
  • Encourages risk management and accountability in IT operations

1991 U.S. Federal Sentencing Guidelines

Establishes penalties for corporate crimes, including cybersecurity violations.

  • Introduces fines and sanctions for corporate misconduct
  • Encourages companies to adopt robust compliance programs
  • Rewards proactive security and ethics programs
  • Supports enforcement consistency across industries

These guidelines aim to reduce corporate misconduct and promote strong internal controls.