While studying for the CompTIA Cybersecurity Analyst+ (CySA+) and Certified Ethical Hacker (CEH) exams, I came across many legal terms that all sounded pretty similar. I took some notes on what they were and decided to publish them here for ease of reference. These are USA-based unless otherwise stated.
Children's Online Privacy Protection Act (COPPA): This protects the privacy of children. COPPA imposes privacy requirements on websites that knowingly collect information from children. In this case, children are defined as persons below the age of 13. Parental consent is required for data collection.
Computer Fraud and Abuse Act (CFAA): Prohibits unauthorized access to computer systems involved in interstate commerce. Essentially, this makes hacking a crime in the USA.
Electronic Communications Privacy Act (ECPA): Restricts government interception of communications.
Family Education Rights and Privacy Act (FERPA): Regulates how student educational records are handled. It gives students and guardians the right to inspect records, and it covers the obligations of the entity storing the data when releasing information. If a student is an adult, the student's parents may not request a copy of their data.
Federal Information Security Management Act (FISMA): Guides the running of information security programs in the US federal government. It defines three levels: FISMA-High, FISMA-Medium, and FISMA-Low. FISMA systems require a risk assessment, an incident response capability, and a business continuity-of-operations plan.
Identity Theft and Assumption Deterrence Act (ITADA): This makes identity theft illegal. Identity theft is any type of impersonation of another individual.
General Data Protection Regulation (GDPR): Privacy law specific to European countries. This requires a transparent and lawful data processing method. Data must be collected and retained only for a particular purpose with the minimum amount of data retention possible.
Gramm-Leach-Bliley Act (GLBA): This covers the financial and banking industry. It requires that financial institutions have a formal security program and a designated security officer (CISO or similar). It includes the Safeguards Rule, a set of privacy requirements specific to protecting customer information.
Health Insurance Portability and Accountability Act (HIPAA): This legal requirement applies to healthcare providers, insurance agencies, and other entities that store health information. HIPAA entities handle Protected Health Information (PHI). Disclosure of PHI requires immediate notification to law enforcement. HIPAA also covers the Confidentiality, Availability, and Integrity requirements associated with PHI.
Payment Card Industry Data Security Standard (PCI DSS): This applies to organizations that handle payment data. This requires enhanced security controls and specifically a yearly vulnerability scan through a licensed agency.
Privacy Act of 1974: This applies to federal agencies. The law states that "no agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except under a written request by, or with the prior written consent of, the individual to whom the record pertains." Essentially, it governs the federal government's use of Personally Identifiable Information (PII).
Sarbanes-Oxley Act (SOX): This law protects both the public and investors against fraud in publicly traded companies. It was created after the Enron and WorldCom financial meltdowns. It involves cybersecurity because, as cybersecurity experts, we must validate data integrity in general, *but especially* for SOX-regulated systems. Essentially, this act prevents financial data from being altered to commit financial crimes and ensures that the data is auditable.