Spurring the Private Sector: Indirect Federal Regulation of Cybersecurity in the US

Chapter in: Cybercrimes: A Multidisciplinary Analysis

Abstract

The US federal government has long understood the importance of securing cyberspace and the private sector’s essential role in that effort. Over the past decade, the government consistently has eschewed direct federal mandates regarding private sector cybersecurity practices and instead has favored indirect regulation to achieve cybersecurity goals. Indirect regulation is a regulatory approach that seeks to encourage behaviors that lead to increased cybersecurity and prohibit/discourage behaviors that lead to decreased cybersecurity.


Notes

  1. In 1984, Congress chose for the first time to address federal computer-related crimes in a single new statute, 18 U.S.C. §1030, rather than to add new provisions to existing criminal laws.

  2. The CFAA of 1986 amended 18 U.S.C. §1030.

  3. 18 U.S.C. §1030.

  4. CFAA was amended in 1988, 1989, 1990, 1994, 1996, 2001 and 2002.

  5. In its current form, CFAA outlaws a variety of activities, including hacking into a government computer (18 U.S.C. §1030(a)(3)); hacking that results in exposure of certain governmental, credit, financial, or commercial information (18 U.S.C. §1030(a)(2)); and damaging a computer through cyberattacks, cybercrime, or cyberterrorism (18 U.S.C. §1030(a)(5)).

  6. Congress increased the penalties available under CFAA when it passed the Cyber Security Enhancement Act of 2002 as part of that year’s Homeland Security Act.

  7. For example, (1) the Electronic Communications Privacy Act (18 U.S.C. §§2510-2521, 2701-2710), which criminalizes interception of electronic communication, has been used to prosecute hackers; (2) the Economic Espionage Act of 1996 (18 U.S.C. §1831 et seq.) has been interpreted as sufficiently broad to criminalize theft of trade secrets through computer intrusion; (3) the Wire Fraud Act has been interpreted to criminalize computer-aided theft involving the use of interstate wires or mails; and (4) there have been a limited number of prosecutions pursuant to state computer crime statutes such as those in force in Arizona, Florida, Illinois (criminalizing computer tampering and computer fraud), and Vermont.

  8. The federal government has long recognized the inadequacy of criminal laws standing on their own. See, e.g., President’s Critical Infrastructure Protection Board, Draft National Strategy to Secure Cyberspace (Draft National Strategy), September 2002 at 4 (“[T]hose who rely on networked computer systems need to identify and remedy their vulnerabilities now, rather than wait for an attacker to be stopped or until alerted of an impending attack.”).

  9. Executive Order 13231, “Critical Infrastructure Protection in the Information Age,” October 16, 2001.

  10. Draft National Strategy at 1.

  11. The National Strategy to Secure Cyberspace (2003) (National Strategy) at 15, available online at https://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf.

  12. Remarks by the President on Securing Our Nation’s Cyber Infrastructure, May 29, 2009 (Obama Cybersecurity Remarks), available online at http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure.

  13. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, May 29, 2009 (CPR), at 5.

  14. CPR at 17.

  15. 15 U.S.C. §6801(a)-(b).

  16. The federal bank regulatory agencies are the Office of the Comptroller of the Currency, Office of Thrift Supervision, Federal Deposit Insurance Corporation, Federal Reserve Board, and the National Credit Union Administration.

  17. See, e.g., Federal Trade Commission, Privacy of Consumer Information, May 12, 2000 (GLB Privacy Rule).

  18. See, e.g., Federal Trade Commission, Standards for Safeguarding Customer Information; Final Rule, 67 Fed. Reg. 36484, May 23, 2002 (GLB Safeguards Rule).

  19. Various state medical privacy laws are beyond the scope of this article; however, two California laws, Assembly Bill 211 (AB 211) and Senate Bill 541 (SB 541), adopted in September of 2008, are worthy of mention. These laws took effect January 1, 2009 and give Californians rights that are much more expansive than those granted under HIPAA. The laws impose privacy and security standards not only on HIPAA “covered entities” but on other “health facilities” as well. See Civil Code §§56.05 and 56.06. In addition, the laws make it a misdemeanor to unlawfully access, use, or disclose protected information (Civil Code §56.36(a)); and impose fines of up to $250,000 for disclosures of protected information made for financial gain (Civil Code §56.36(c)(3)). The full text of AB 211 may be found online at: http://info.sen.ca.gov/pub/07-08/bill/asm/ab_0201-0250/ab_211_bill_20080930_chaptered.pdf. The full text of SB 541 may be found online at: http://info.sen.ca.gov/pub/07-08/bill/sen/sb_0501-0550/sb_541_bill_20080930_chaptered.pdf.

  20. HIPAA’s statutory provisions themselves require reasonable security. Specifically, covered entities that use, store, maintain, or transmit certain patient health care information known as protected health information (PHI) must maintain “reasonable and appropriate administrative, technical, and physical safeguards” to (1) ensure integrity and confidentiality of PHI; (2) protect against any reasonably anticipated threats or hazards to the security, integrity, or unauthorized uses or disclosures of PHI; and (3) ensure HIPAA compliance by officers and employees of the covered entity. HIPAA, Section 1173(d)(2). Additional security provisions are set forth in the HIPAA Privacy Rule and the HIPAA Security Rule, the federal regulations implementing HIPAA.

  21. Standards for Privacy of Individually Identifiable Health Information, 45 CFR part 160 and part 164, subparts A and E (HIPAA Privacy Rule). The security provisions of the HIPAA Privacy Rule (45 CFR 164.530(c)), also known as the “mini-security rule,” require covered entities to implement general security measures to protect PHI. Under the Privacy Rule, covered entities must “adopt appropriate administrative, technical, and physical safeguards to protect privacy of [PHI]” and “safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.” HIPAA Privacy Rule, Sec. 164.530(c).

  22. The Security Rule took effect April 20, 2005 for large entities and one year later for small businesses.

  23. The term “covered entities,” as defined under HIPAA (45 CFR Part 160.103), is not limited to health care companies; it also includes “health plans,” a term which itself includes many employer-sponsored group health plans.

  24. PHI refers to certain individually identifiable health care information. 45 CFR 164.501.

  25. HIPAA, Section 1177(b)(3).

  26. HIPAA, Section 1176(a)(1).

  27. American Recovery and Reinvestment Act of 2009 (Public Law 111-5). The Stimulus Law included a section on health information technology (Title XIII) and allocated up to $19 billion to establish a system of electronic health records by 2014.

  28. As noted above, the term “covered entities” is defined under HIPAA (45 CFR Part 160.103) and is not limited to health care companies; it also includes “health plans,” a term which itself includes many employer-sponsored group health plans.

  29. HHS Breach Notification for Unsecured Protected Health Information; Interim Final Rule (HHS Rule), 74 Fed. Reg. 42740 (August 24, 2009). The HHS Rule technically applies to any breach discovered on or after September 23, 2009; however, HHS has said that enforcement will be delayed until February 22, 2010, to allow time for covered entities to come into compliance with the rule. HHS Rule, 74 Fed. Reg. at 42757.

  30. FTC Health Breach Notification Rule, 74 Fed. Reg. 42962 (August 25, 2009).

  31. As noted below, the U.S. District Court for the District of Columbia has ruled that the FTC’s rule implementing FACTA does not apply to attorneys.

  32. Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule, 72 Fed. Reg. 63718 (Nov. 9, 2007).

  33. Memorandum Opinion, American Bar Ass’n v. Fed. Trade Comm’n, Civil Action No. 09-1636 (RBW) (U.S.D.C. Oct. 30, 2009) at 40.

  34. In this regard, it is noteworthy that plaintiffs’ lawyers are a major Democratic party constituency and fund-raising engine.

  35. CPR at 28.

  36. CPR at 28.

  37. S. 2201, the Online Personal Privacy Act, 107th Congress, 2d Session (available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:s2201is.txt.pdf).

  38. National Strategy at 33.

  39. CPR at 17.

  40. As with best practices, private sector companies also are concerned that federal standards inevitably will be cited as the “standard of care” in tort cases and, accordingly, private sector companies likely will be compelled to comply with federal security standards even in the absence of legislation requiring compliance.

  41. As discussed in more detail in Sect. 15.3.1 below, the federal government similarly could require its contractors to insure against cyberrisks to accelerate private sector adoption of cyberinsurance.

  42. National Strategy at 4.

  43. CPR at v.

  44. CPR at 34.

  45. Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency (Presidential Commission Report), December 2008 at 50, 55–59.

  46. Presidential Commission Report at 2.

  47. Presidential Commission Report at 59.

  48. Cybersecurity Act of 2009, S. 773 (111th Cong., 1st Sess.), introduced April 1, 2009 (hereinafter, Cybersecurity Act of 2009), Section 6(a).

  49. Center for Democracy & Technology, Analysis of S. 773 Cybersecurity Act of 2009, May 2009 at 9, available online at http://www.cdt.org/security/20090511_rocksnowe_analysis.pdf. See also Presidential Commission Report at 51.

  50. Internet Security Alliance Comments to Hathaway on Cyber Insurance, available online at http://www.isalliance.org/index.php?option=com_content&task=view&id=192&Itemid=365.

  51. Internet Security Alliance Comments to Hathaway on Cyber Insurance, available online at http://www.isalliance.org/index.php?option=com_content&task=view&id=192&Itemid=365.

  52. Chubb Encourages Adoption of New Information Security Best Practices, Offers Premium Credit for Organizations That Implement Testing, December 3, 2007, available online at http://www.chubb.com/corporate/chubb7880.html.

  53. This is an issue the federal government is attempting to address by promoting public–private information sharing, as discussed in Sect. 15.3.2.

  54. Since insurance markets are driven by fear of liability, industry may be wary of any federal government interest in insurance that may signal the dawn of new liability regimes.

  55. See, generally, Internet Security Alliance Comments to Hathaway on Cyber Insurance, available online at http://www.isalliance.org/index.php?option=com_content&task=view&id=192&Itemid=365.

  56. CPR at 19.

  57. http://thenewnewinternet.com/2009/11/17/bruce-mcconnell-of-dhs-looks-to-long-term-solutions/ at 4.

  58. CPR at 17-18.

  59. CPR at 17-18.

  60. Mark F. Grady and Francesco Parisi, eds., The Law and Economics of Cybersecurity (2006), Amitai Aviram, Chapter 5, Network Responses to Network Threats: The Evolution into Private Cybersecurity Associations, at 158.

  61. H.R. 2435, 107th Cong. (2001).

  62. Statement of Senator Patrick Leahy on Introduction of the Restoration of Freedom of Information Act (Leahy Statement), March 15, 2005, available online at http://leahy.senate.gov/press/200503/031505.html.

  63. Leahy Statement at 3.

  64. Leahy Statement at 2-3.

  65. Leahy Statement.

  66. Cyber Security Research and Development Act of 2002 (P.L. 107-305, 107th Congress, 2d Session, November 27, 2002), 15 U.S.C. 7402 et seq.

  67. President’s Information Technology Advisory Committee, Report to the President – Cyber Security: A Crisis of Prioritization, February 2005 (PITAC Report), p. iv, available online at http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

  68. PITAC Report at 21.

  69. PITAC Report at 21-22.

  70. The Cybersecurity Act of 2009, Section 11.

  71. The Cybersecurity Act of 2009, Section 11.

  72. National Research Council, Innovation in Information Technology, 2003, p. 4.

  73. CRS Report for Congress, The Federal Networking and Information Technology Research and Development Program: Funding Issues and Activities, updated October 23, 2008, CRS-12, available online at http://ipmall.info/hosted_resources/crs/RL33586_081023.pdf.

  74. The Cybersecurity Act of 2009, Section 13.

References

  1. Clarke, R., President’s Critical Infrastructure Protection Board. (2002, September). The National Strategy to Secure Cyberspace: Draft.

  2. Krebs, B. (2002, June 10). White House stressing unorthodox in IT security fight. Washington Post. Retrieved from http://www.washingtonpost.com/wp-dyn/articles/A27682-2002Jun10.html

  3. Pub. L. 105-304, 112 Stat. 2877 (1998).

  4. Pub. L. 105-304, 112 Stat. 2860 (1998), codified in various sections of 17 U.S.C.

  5. Lessig, L. (1999). Code and Other Laws of Cyberspace. New York, NY: Basic Books.

  6. Gramm–Leach–Bliley Financial Services Modernization Act of 1999, 12 U.S.C. §1811 (1999).

  7. Tritak, J. S., Director, Critical Infrastructure Assurance Office, Bureau of Industry and Security, United States Department of Commerce. (2002, June 24). Statement before the House Committee on Science. Retrieved from http://www.ciao.gov/publicaffairs/tritak6.24.02.html

  8. Geer, D. E., Jr. Making choices to show ROI. Secure Business Quarterly, 1(2), 7.

  9. Miller, H. N., President, Information Technology Association of America. (2001, July 16). Testimony on Internet security before the Senate Committee on Commerce, Science and Transportation, Subcommittee on Science, Technology and Space (p. 6).

  10. The National Education and Training Program. Retrieved from http://www.ciao.gov/education/index.html

  11. Mark, R. GOVNET aims to protect critical IT functions from attacks. Retrieved from http://dc.internet.com/news/article/0,1934,2101_900961,00.html

  12. Gillham, O. (2002, January 21). Cybercorps students to fight terror. Retrieved from http://www.cis.utulsa.edu/InTheNews/cybercorpsstudentstofightterror.asp

  13. Cybercitizenship. About us. Retrieved from http://www.cybercitizenship.org/aboutus/aboutus.html

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

Cite this chapter

Baker, S., Schneck-Teplinsky, M. (2011). Spurring the Private Sector: Indirect Federal Regulation of Cybersecurity in the US. In: Ghosh, S., Turrini, E. (eds) Cybercrimes: A Multidisciplinary Analysis. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13547-7_15
