Question

Review the three main statutes that protect our privacy in the healthcare, banking, and credit card industries. Those being HIPAA, GLBA, and PCI respectively, including a discussion of how the federal and state governments monitor compliance, fines, and other penalties for non-compliance. Find one case for each regulation that illustrates a government case for non-compliance (e.g. U.S. v. CVS) and discuss the merits of the case.

Answer 1

cybersecurity preparedness in the securities sector. In the healthcare sector, under HIPAA, the Department of Health and Human Services (HHS) has adopted security standards to protect individually identifiable health information, and has, in recent years, launched audits to assess compliance with HIPAA. The healthcare sector was also a focus of the Cybersecurity Act of 2015, which mandated the development of a Health Care Industry Cybersecurity Task Force, a public-private group to develop recommendations on improving sector cybersecurity. The Task Force issued its report in June 2017, identifying six ‘imperatives’ for improving sector cybersecurity, with concrete recommendations for action under each imperative.

At the federal level, numerous agencies impose cybersecurity standards through a variety of regulatory and enforcement mechanisms. For example, the Federal Information Security Management Act (and implementing guidance) establishes cybersecurity standards for federal government agencies and their contractors. Similarly, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) (and implementing regulations and agency guidance) require entities in the financial services and health sectors, respectively, to employ technical, administrative and physical safeguards to protect customer information from unauthorised access or use. Several states have also enacted state parallels to the GLBA and HIPAA requirement. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide programme that provides a standardised approach to security assessments, authorisation and continuous monitoring for companies providing cloud services to federal civilian agencies.

Beyond regulatory standards, many organisations are subject to voluntary standards or are required by contract to comply with cybersecurity requirements. Of particular note, the payment card industry in the United States establishes its own cybersecurity standards (the Payment Card Industry Data Security Standards (PCI-DSS)) that apply to merchants or vendors that process payment card data. The federal government has also focused substantially in recent years on the establishment of voluntary cybersecurity requirements, particularly for critical infrastructure entities, which are generally entities that provide vital services to a large part of the population. In 2013, President Obama issued Executive Order 13636, ‘Improving Critical Infrastructure Cybersecurity’ to establish a process for the government to create voluntary cybersecurity standards applicable to critical infrastructure entities. Pursuant to this Executive Order, the National Institute of Standards and Technology (NIST) issued a voluntary ‘Cybersecurity Framework’, which provides a risk-based approach to cybersecurity, and references various national and international standards. President Trump’s cybersecurity Executive Order, Executive Order 13800, ‘Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,’ requires federal agency heads to implement the NIST Cybersecurity Framework, further encouraging broad adoption of the voluntary risk-based standard.