US Cyber Law

The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030, constitutes the primary federal statute addressing computer-related crime in the United States. Originally enacted in 1986 as an amendment to the Comprehensive Crime Control Act of 1984, the CFAA has been amended multiple times, most significantly by the USA PATRIOT Act of 2001, the Identity Theft Enforcement and Restitution Act of 2008, and the Fraud Enforcement and Recovery Act of 2009. The statute criminalises seven categories of conduct involving computers: unauthorised access to obtain national security information; accessing a computer and obtaining protected financial or credit information; intentional unauthorised access to a non-public government computer; accessing a computer with intent to defraud; intentionally causing damage by knowing transmission of code or commands; trafficking in passwords with intent to defraud; and extortion involving threats to damage computers. The CFAA has been the subject of extensive judicial interpretation, particularly on the question of what constitutes authorisation. In Van Buren v United States (593 U.S. ___ , 2021), the Supreme Court adopted a narrow interpretation, holding that a person exceeds authorised access when they access a computer with authorisation but obtain information located in particular files or databases that are off-limits to them, resolving a longstanding circuit split and limiting the reach of the statute in the employment context.

The Cybersecurity Information Sharing Act

The Cybersecurity Information Sharing Act of 2015, part of the Consolidated Appropriations Act 2016, establishes a voluntary framework for the sharing of cyber threat indicators and defensive measures between private entities and the federal government. CISA provides liability protections for entities that share such information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, the Department of Defense, and the Department of Justice. The statute requires the removal of personal information unrelated to the cyber threat before sharing, though critics have raised concerns about privacy and surveillance overreach. The Act also authorises the government to use shared information for five specific purposes: cybersecurity, investigation of cyber crimes, protection of individuals from death or serious bodily harm, protection of minors, and prosecution of specified felonies. The Cybersecurity and Infrastructure Security Agency, established in 2018 pursuant to the Cybersecurity and Infrastructure Security Agency Act, administers CISA’s information-sharing programmes, including the Automated Indicator Sharing mechanism.

State Data Breach Notification Laws

In the absence of a comprehensive federal data breach notification statute, all fifty states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted data breach notification laws requiring entities that maintain personal information to notify affected individuals and, in most cases, state authorities, following a security breach. While these statutes vary considerably, they commonly define personal information as an individual’s first name or first initial and last name combined with a Social Security number, driver’s licence number, or financial account number. California’s Security Breach Notification Act, enacted in 2003 as the first such law in the nation, served as a model for subsequent state legislation. The California Consumer Privacy Act of 2018 expanded breach notification obligations by creating a private right of action for data breaches involving certain categories of unencrypted personal information and establishing statutory damages of between $100 and $750 per consumer per incident. The patchwork of state laws creates significant compliance burdens for multistate entities, and federal preemption proposals have repeatedly failed to advance through Congress.

The NIST Cybersecurity Framework

The National Institute of Standards and Technology Cybersecurity Framework, first published in 2014 pursuant to Executive Order 13636, provides voluntary guidance for organisations seeking to manage and reduce cybersecurity risk. The Framework is structured around five core functions: Identify, Protect, Detect, Respond, and Recover. Each function is subdivided into categories and subcategories referencing existing standards, guidelines, and practices. The Framework has been updated in 2018 (Version 1.1) and most recently with the CSF 2.0 release in 2024, which expanded the core functions from five to six by adding a Govern function emphasising cybersecurity governance and supply chain risk management. While the Framework remains voluntary for private sector entities, Executive Order 14028 of 2021 mandated its use for federal contractors and software vendors supplying the federal government. Numerous state regulators, particularly state attorneys general and insurance commissioners, have cited the NIST Framework as a benchmark for reasonable cybersecurity practices in enforcement actions and regulatory guidance.

Federal Trade Commission Enforcement

The Federal Trade Commission has emerged as the principal federal enforcer of cybersecurity standards through its authority under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. The Commission has brought over seventy enforcement actions against companies alleging that inadequate cybersecurity practices constitute deceptive trade practices (when a company’s privacy policy or security promises misrepresent its actual security posture) or unfair practices (when security failures cause substantial consumer injury that is not outweighed by countervailing benefits and cannot reasonably be avoided). In FTC v Wyndham Worldwide Corporation (799 F.3d 236, 3d Cir. 2015), the Third Circuit upheld the FTC’s authority to regulate cybersecurity as an unfair practice, rejecting Wyndham’s argument that the FTC lacked statutory authority and that the Commission had failed to provide fair notice of the applicable standards. The FTC’s 2021 amendments to the Safeguards Rule under the Gramm-Leach-Bliley Act require financial institutions to implement comprehensive information security programmes, including incident response plans, access controls, and encryption.

Bipartisan Infrastructure Law Cybersecurity Provisions

The Infrastructure Investment and Jobs Act of 2021, commonly referred to as the Bipartisan Infrastructure Law, includes approximately $2 billion in cybersecurity-related funding. The legislation establishes the State and Local Cybersecurity Grant Programme, administered by CISA, allocating $1 billion over four years to assist state, local, tribal, and territorial governments in addressing cybersecurity risks. The law also creates the Cybersecurity and Infrastructure Security Agency’s Cyber Response and Recovery Fund, providing $100 million for response to significant cyber incidents affecting critical infrastructure. Additional provisions fund the establishment of a Cybersecurity Emergency Literacy Programme, the expansion of the Cybersecurity Education and Training Assistance Programme, and the development of the Joint Cyber Planning Office at CISA. The statute further directs the Cybersecurity and Infrastructure Security Agency to develop a Cyber Incident Reporting Council and required CISA to issue regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which mandates covered entities to report substantial cyber incidents within seventy-two hours and ransomware payments within twenty-four hours.

State Privacy Laws

Following the enactment of the California Consumer Privacy Act in 2018, a wave of comprehensive state privacy legislation has transformed the American data privacy landscape. The CCPA, effective 1 January 2020 and amended by the California Privacy Rights Act of 2020, grants California residents rights of access, deletion, correction, and portability regarding their personal information, together with the right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. The Virginia Consumer Data Protection Act (effective 2023), the Colorado Privacy Act (effective 2023), the Connecticut Data Privacy Act (effective 2023), and the Utah Consumer Privacy Act (effective 2023) have established similar frameworks, collectively covering over one hundred million Americans. The Florida Digital Bill of Rights, the Texas Data Privacy and Security Act, and the Oregon Consumer Privacy Act became effective in 2024, extending coverage to additional states. These statutes share common structural elements — controller obligations, consumer rights, data protection assessments — but diverge in material respects, including the scope of exemptions, the nature of enforcement mechanisms (with California and Florida authorising private rights of action while other states rely exclusively on state attorney general enforcement), and the treatment of sensitive data. Federal comprehensive privacy legislation, most recently the American Privacy Rights Act introduced in 2024, has not yet been enacted, leaving the state-by-state approach as the prevailing regulatory model.

The Role of Administrative Agencies

Beyond the FTC and CISA, multiple federal agencies exercise cybersecurity regulatory authority within their respective sectors. The Securities and Exchange Commission adopted cybersecurity risk management, strategy, governance, and incident disclosure rules in 2023, requiring public companies to report material cyber incidents on Form 8-K within four business days and to disclose annually their cybersecurity governance and risk management processes. The Department of Health and Human Services, through the Health Insurance Portability and Accountability Act Security Rule, requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic protected health information. The Department of Transportation has promulgated cybersecurity requirements for the aviation and rail sectors, while the Environmental Protection Agency has addressed cybersecurity in the water and wastewater sector. The Federal Energy Regulatory Commission and the North American Electric Reliability Corporation enforce critical infrastructure protection reliability standards for the bulk electric system. This sectoral approach, combined with state-level regulation and common law tort claims, creates a complex and frequently overlapping regulatory environment.