Anyone tasked with responsibility for enterprise cybersecurity has to consider a legal and compliance landscape that is evolving and growing in complexity. Cybersecurity planning and implementation potentially implicates a broad range of federal and state laws, regulatory rules and guidelines, standards, and other forms of published guidance that could impact legal risk. In this piece, we sketch out the topography of the legal landscape for enterprise cybersecurity from a high altitude.
Businesses in certain industries, such as financial services or healthcare, are governed by specific regulations pertaining to cybersecurity. These regulations, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), target categories of data and prescribe required protections, at least in broad terms. However, even outside of these industries and their specialized laws, regulators like the Federal Trade Commission (FTC) have asserted broad authority to deal with “unfair” or “deceptive” trade practices.