
Photo Credit: Oleg Abdurashitov, On Cybersecurity Laws – and Their Interpretations, Kaspersky, https://www.kaspersky.com/about/policy-blog/on-cybersecurity-laws (last visited Feb. 24, 2025).
Authored by: Elizabeth Gracie Smith
For people under the age of 50, it can be hard to imagine a world without the internet and, consequently, without cyber-attacks. The first cybercriminal, 16-year-old Kevin Mitnick, was arrested in 1979 for accessing operating systems at the Digital Equipment Corporation and making copies of the software.[1] The 1980s saw high-profile attacks that drew public attention to cyber threats, and the field of cybersecurity began. The development of cybersecurity regulation in the United States has been shaped by the increasing frequency of those threats.
Since the United States has no single regulatory cybersecurity framework, several laws govern cybersecurity and privacy practices, and these laws are usually tailored to specific industries or sectors. The Sarbanes-Oxley Act (SOX), for example, mandates that publicly traded companies maintain robust cybersecurity measures to protect financial data and ensure the accuracy of public financial statements.[2] The Securities and Exchange Commission’s (SEC) Regulation S-P targets financial institutions and requires them to have adequate safeguards to protect consumer financial information.[3]
Another significant law is the Gramm-Leach-Bliley Act (GLBA), which applies to a wide range of financial institutions, including entities such as banks, securities firms, non-bank mortgage lenders, and insurance companies.[4] The GLBA requires organizations to implement comprehensive security programs that include technical, physical and administrative safeguards to protect customers’ sensitive information.[5]
The Federal Trade Commission Act (FTC Act) enforces privacy protections across the United States and requires most businesses, excluding banks and certain other industries, to take adequate cybersecurity measures.[6] Similarly, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict security and privacy requirements on healthcare organizations, ensuring that sensitive health information is protected.[7] Other regulations like the Defense Federal Acquisition Regulation (DFAR) apply specifically to U.S. Department of Defense contractors,[8] while the Children’s Online Privacy Protection Act (COPPA) protects the privacy of children online.[9]
Initially, cybersecurity laws focused more on protecting financial data, but as technology has advanced, privacy concerns and data protection have drawn more attention. For example, the rise of digital healthcare records required stricter privacy regulations, leading to the creation of HIPAA.[10] As technology continues to advance, the evolving nature of cyber threats may cause lawmakers to rethink this fragmented approach and consider a more unified framework.[11]
The variety of laws that regulate cybersecurity creates compliance challenges for organizations. Businesses operating across multiple states or internationally are especially affected by this patchwork system.[12] Each state may have its own breach notification requirements or cybersecurity mandates, and this inconsistency can make it difficult for businesses to create uniform compliance policies.[13] This complexity increases both the time and cost needed to manage legal requirements, particularly for smaller companies that may lack the resources to stay on top of constantly evolving laws.[14]
State-specific laws, such as California’s Consumer Privacy Act (CCPA), create challenges for businesses that operate across state lines.[15] Companies must not only be aware of varying requirements but also maintain the flexibility to adjust their policies based on where they are doing business.[16] For example, a company headquartered in New York might need to comply with the stricter consumer privacy protections of California, requiring it to develop separate compliance strategies for different regions. This patchwork of state and federal laws can lead to inefficiencies and force businesses to invest in legal and compliance departments to ensure they do not accidentally violate state-specific regulations.
Varying laws can also create confusion in enforcement. Different states, courts, and agencies may interpret the laws differently, leading to inconsistent enforcement and a lack of clarity about how particular regulations apply in specific circumstances.[17] This inconsistency can undermine efforts to protect consumer privacy and create more risk for businesses that accidentally fail to comply with a specific law.
The cybersecurity regulatory landscape is not static, and recent developments show the importance of data protection. The introduction of bills like the American Data Privacy and Protection Act (ADPPA) in Congress represents a move toward a more cohesive national cybersecurity framework.[18] Although the bill has not passed yet, its presence in legislative discussions further emphasizes the increasing demand for a single, comprehensive framework to protect consumer data, especially as data breach concerns continue to rise.[19]
While there are disadvantages to the lack of a single, overarching cybersecurity law in the United States, there are also some positives. Having multiple laws allows for more specific regulations that directly address the unique needs of different industries.[20] For example, the specific needs of financial institutions are addressed by GLBA,[21] while healthcare organizations are regulated under HIPAA.[22] This sector-specific approach allows the laws to more effectively address the distinct challenges each industry faces.
The flexibility offered by state laws is another positive aspect. States can enact their own legislation based on the concerns and priorities of their residents.[23] For example, the CCPA has stringent privacy rules, reflecting California’s proactive stance on privacy protection.[24] This approach leaves room for individual states to innovate and to set higher standards for privacy and security.
As technology continues to evolve, the need for additional laws will emerge, making the current patchwork of cybersecurity laws even more challenging to navigate.
[1] Hope Trampski, Kevin Mitnick, sound familiar?, cyberTAP Purdue University (July 16, 2024), https://cyber.tap.purdue.edu/blog/articles/kevin-mitnick-sound-familiar/.
[2] Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204 (2002).
[3] 17 C.F.R. 248.
[4] Gramm-Leach-Bliley Act, Pub. L. No. 106-102 (1999).
[5] See id.
[6] 15 U.S.C. § 45.
[7] 45 C.F.R. 160-164.
[8] 48 C.F.R. 252.204-7012.
[9] 16 C.F.R. 312.
[10] 45 C.F.R. 160.
[11] Jessica L. Beyer, et al., The Next Step in Federal Cybersecurity? Considering an NTSB-Style Computer Safety Board, The Henry M. Jackson School of International Studies (August 6, 2018), https://jsis.washington.edu/news/the-next-step-in-federal-cybersecurity-considering-an-ntsb-style-computer-safety-board/ (discussing arguments that a single cybersecurity agency should be created at the federal level).
[12] See Amy Chang & Haiman Wong, Navigating the Complexities of U.S. Cybersecurity Regulation Harmonization, RStreet (June 27, 2024), https://www.rstreet.org/commentary/navigating-the-complexities-of-u-s-cybersecurity-regulation-harmonization/ (“In addition to an ever-evolving cyber threat landscape, organizations face a complex web of overlapping and often inconsistent cybersecurity regulations across federal, state, and local levels.”).
[13] Id.
[14] Id.
[15] Cal. Civ. Code § 1798.100.
[16] A Guide to U.S. Cybersecurity Laws and Compliance, NRI Secure (December 5, 2024), https://www.nri-secure.com/blog/us-cybersecurity-laws-compliance (“Businesses operating across multiple states face challenges due to varying cybersecurity and data privacy laws.”).
[17] See, e.g., Cam Sivesind, Chevron Doctrine Reversal: What’s It Mean for Cybersecurity Regulation?, SecureWorld (July 10, 2024), https://www.secureworld.io/industry-news/chevron-doctrine-cybersecurity-regulation (discussing the roles of courts and agencies in interpreting cybersecurity regulations).
[18] H.R. 8152, 117th Cong. (2021-2022).
[19] Id.
[20] See Edward McNicholas & Frances Faircloth, Cybersecurity Laws and Regulations USA 2025, ICLG (July 6, 2024), https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa (noting the additional requirements that must be met by each affected industry).
[21] Gramm-Leach-Bliley Act, Pub. L. No. 106-102 (1999).
[22] 45 C.F.R. 160.
[23] See Cal. Civ. Code § 1798.100.
[24] Id.