While studying for the CompTIA Cybersecurity Analyst+ (CySA+) and Certified Ethical Hacker (CEH) exams, I came across a large number of legal terms that all sounded pretty similar. I took some notes on what they were and decided to publish them here for ease of reference. These are USA-based unless otherwise stated.
Children’s Online Privacy Protection Act (COPPA): This is for the protection of the privacy of children. COPPA requires a privacy act specific to websites that knowingly collect information from children. In this case, children are defined as persons below age 13. Parental consent is required for data collection.
Computer Fraud and Abuse Act (CFAA): Prohibits unauthorized access to computer systems that are involved in interstate commerce. Essentially this makes hacking a crime in the USA.
Electronic Communications Privacy Act (ECPA): Restricts government interception of communications.
Family Education Rights and Privacy Act (FERPA): Regulates how student educational records are handled. This gives students and guardians the right to inspect records. It also covers the obligations of the data storage entity for release of that information. If a student is an adult, the student’s parents may not request a copy of their data.
Federal Information Security Management Act (FISMA): Provides guidance on running information security programs in the US federal government. It defines three zones: FISMA-High, FISMA-Medium, and FISMA-Low. FISMA systems have a required risk assessment, an incident response requirement, and a business continuity-of-operations plan.
Identity Theft and Assumption Deterrence Act (ITADA): This makes identity theft illegal. Identity theft is any type of impersonation of another individual.
General Data Protection Regulation (GDPR): Privacy law specific to European countries. This requires a transparent and lawful data processing method. Data must be collected and retained only for a specific purpose with the minimum amount of data retention possible.
Gramm-Leach-Bliley Act (GLBA): This covers the financial and banking industry. It requires that financial institutions have a formal security program and a designated security officer (CISO or similar). This includes the Safeguards Rule, which is a set of privacy acts specific to protecting customer information.
Health Insurance Portability and Accountability Act (HIPAA): This is a legal requirement associated with healthcare providers, insurance agencies, and those that otherwise act to store health information. HIPAA entities handle Protected Health Information (PHI). Disclosure of PHI requires immediate notification to law enforcement. HIPAA also covers Confidentiality, Availability, and Integrity requirements associated with PHI.
Payment Card Industry Data Security Standard (PCI DSS): This applies to organizations that handle payment card data. It requires enhanced security controls and specifically a yearly vulnerability scan through a licensed agency.
Privacy Act of 1974: This applies to federal agencies. This law states that “no agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” Essentially it governs the use of Personally Identifiable Information (PII) by the federal government.
Sarbanes-Oxley Act (SOX): This law provides protection to both the public and investors against fraud at publicly traded companies. It was created after the Enron and WorldCom financial meltdowns. This involves cybersecurity because, as cybersecurity experts, we must validate data integrity in general *but especially* for SOX-regulated systems. Essentially this act exists to prevent financial crimes from altering data and to ensure that data is auditable.