10.1 Introduction

This chapter addresses the growing field of cybersecurity law. Cybersecurity law, for the purposes of this book, is made up of the laws and regulations concerning the proper management of a local government’s information assets in order to support the confidentiality, integrity, and availability of those assets. Some, mainly larger local governments, maintain robust legal departments. However, they may contract out for certain types of specialized legal services, cybersecurity among them. Some, perhaps many smaller local governments, however, do not have the resources to support legal departments and must contract out for most or all of their legal services.

Lawyers working in government practice have expertise in many different areas from administrative, criminal, and environmental law to tax, banking, transactional law, and consumer protection. Practice types also vary from bill drafting and regulatory work to litigation and negotiation. These lawyers represent the interests of the local government itself, as well as its citizens. The legal responsibilities facing local governments are plentiful, and they continue to grow. Like almost any organization, local governments must now consider hiring legal counsel with cybersecurity expertise, or “Privacy Officers” who have knowledge and expertise in the areas of information privacy laws and compliance.

This chapter presents an overview of the laws and regulations relevant to local government cybersecurity so that local officials and others are at least aware of potential compliance requirements. These laws directly impact local government cybersecurity postures by mandating specific security standards, technologies, and policies that staff must implement. First, it covers federal policies applicable to local governments including: the Health Insurance Portability and Accountability (HIPAA) Act; IRS Publication 1075; the Federal Information Security Modernization Act (FISMA); the Family Education Rights and Privacy Act of 1974 (FERPA); among others. Second, the chapter covers sector specific security standaards such as the Payment Card Industry (PCI) and North American Electric Reliability Corporation (NERC) standards. Third, the chapter reviews a variety of typical state laws including: state and local cybersecurity legislation; security breach notification laws; data security and data disposal laws; and data protection and privacy laws. Fourth is an introduction of the European Union General Data Protection Regulation (GDPR) and its potential relevance to local government. Fifth, is a brief discussion of proposed federal cybersecurity legislation that would impact local government, like the America COMPETES Act. Conclusions and recommendations close the chapter.

For local governments, many of the laws and regulations discussed in this chapter are not merely suggestions. They contain rules that local governments are mandated to adopt and implement. It is important to be aware of them, not only to ensure no laws are being broken, but also to implement best practices that can help local governments comply with federal and state mandates. Failing to comply with these mandates, in some situations, can be punishable by fines and even jail time (e.g., when protected health, cardholder, tax, or other information described below is willfully exposed).

10.2 Federal Policies

The following federal policies largely deal with protecting the confidentiality, integrity, and availability of various types of sensitive personal data, from health information to tax and cardholder information. The aim of these laws is to balance the interests of privacy, and the flow of information necessary for efficient and effective service provision. Local governments, depending on the services they provide and federal programs they administer, can find themselves subject to one or more, if not all of these regulations.

10.2.1 Health Insurance Portability and Accountability (HIPAA) Act

HIPAA governs how organizations protect the healthcare information of their employees and the electronic storage of protected health information. In 2009 the Healthcare Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA’s enforcement and breach notification rules. Some local governments agencies are considered “covered entities” and are thus subject to HIPAA and HITECH regulations, for example, by administering Medicaid or operating healthcare clinics. The Affordable Care Act and expansions to Medicare and Medicaid increased local government responsibility for information security. Public health agencies must implement measures to meet two major cybersecurity objectives in order to comply with these regulations: protect individually identifiable health information from unauthorized access and allowing for authorized access to protected health information consistent with the Privacy Rule. HIPAA’s Privacy Rule sets forth the specific standards by which this information must be protected, with the intent of balancing the interests of patient privacy and the flow of information necessary to ensure the provision of quality care (US Department of Health & Human Services, 2013). Local governments must adopt and implement the proper identity and access management measures to prevent unauthorized access to protected patient information. These access control measures require proper documentation and periodic review in order to be successful. If a breach does occur, HIPAA requires organizations to notify individuals who are affected (e.g., because of compromised PII), as well as the media.

10.2.2 (IRS) Publication 1075 Tax Information Security Guidelines

IRS Pub. 1075 is the Tax Information Security Guidelines for Federal, State and Local Agencies (Internal Revenue Service [IRS], 2016). It aims to protect federal tax information and tax returns, both digitally and physically, from unauthorized access and disclosure. Specifically, federal tax information should be restricted on a need-to-know basis, in that employees should only have access if the information is necessary to perform their duties. Protecting the privacy of tax and taxholder information is essential to maintaining citizen confidence in government.

These guidelines are based on the security standards set forth in NIST Special Publication 800-53 on security and privacy controls for information systems (2020a). Yet again, access control and identity management requirements are major components of IRS Pub. 1075 compliance. In order to receive tax information from the IRS, local governments must create an account with the agency’s Secure Data Transfer program, which encrypts the data during transmission. Local government agencies must be prepared to show that they have the ability to protect the confidentiality of federal tax information by securely storing the data on their IT systems. They must also maintain updated safeguard reports and certain related communications. The IRS Safeguards Program provides further technical assistance and resources for protecting federal tax information (Internal Revenue Service, 2021).

10.2.3 Federal Information Security Modernization Act (FISMA)

FISMA was enacted in 2002 to protect information used by federal agencies and stored on federal networks. It has since been expanded to cover state and local governments administering and participating in federal programs like Medicaid, Medicare, veteran’s health, and federal student loans (Taylor, 2013). There is some overlap with HIPAA standards and IRS Pub. 1075, but FISMA compliance accomplishes more than HIPAA and IRS Pub 1075 alone. While NIST SP 800-53 (2020a) is relevant here, so are other standards set forth in the NIST SP 800 series focused on computer security, particularly SP 800-171 (2020b) on protecting unclassified information, and 800-63 (2017) on digital identity guidelines. Additionally, Federal Information Process Standards (FIPS) Publications 199 (standards for security categorization) and 200 (minimum security requirements for federal information systems) also discuss how agencies can meet FISMA requirements (Federal Information Processing Standards Publication, 2004, 2006). In lay terms, due diligence under FISMA means that local governments covered by the act must take the following steps: 1) categorize and inventory information systems; 2) select and implement privacy and security controls to meet the local government’s mission; 3) assess the effectiveness of the controls in place; 4) authorize the information systems for operation; and 5) continuously monitor the information systems (NIST, 2020a).

10.2.4 Family Educational Rights and Privacy Act of 1974 (FERPA)

FERPA governs the rights of parents and children to access and amend children’s education records, as well as how personally identifiable information (PII) in those records can be disclosed (Family Educational Rights and Privacy Act (FERPA), 2011). FERPA provides students and parents rights to review and correct education records kept by their school and allows for schools to disclose records in certain situations. Student education records include report card information, transcripts, class schedules, disciplinary records, and contact and family information. Schools can disclose such records to other school officials within the same institution or agency, contractors the agency has hired, another institution in which the student seeks to enroll, or in connection with financial aid, etc. without parental consent. Otherwise, written consent is required in order to disclose these records.

Under FERPA, educational and other institutions must protect student education records. This applies to all local government organizations receiving federal funds from Department of Education programs, like public schools, school districts, vocational and technical schools, and postsecondary institutions. While FERPA does not impose specific security controls for individual institutions, cybersecurity breaches that result in student records being illegally disclosed can ultimately lead to FERPA violations. Specifically, the law states “an educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement” of record disclosure (34 CFR §99.31, p. 265). Institutions subject to FERPA should follow NIST’s SP 800 series, particularly 800-171 on protecting unclassified information (2020b), which can help to prevent any such violations. The Department of Education’s Privacy Technical Assistance Center also provides helpful resources such as its data security checklist (2015).

10.2.5 Criminal Justice Information Services (CJIS) Security Policy Compliance

CJIS is a division of the FBI that serves the law enforcement community by providing tools, services, and sharing criminal justice information. The CJIS Security Policy regulates how local governments utilizing CJIS services protect sensitive criminal background and fingerprint information (Criminal Justice Information Services [CJIS], 2020). These services include the National Instant Criminal Background Check System (NICS); the National Crime Information Center (NCIC), which is an electronic clearinghouse of crime data such as mug shots and crime records used by almost every criminal justice agency in the country; the National Data Exchange (N-DEx), which is an online tool for sharing information across jurisdictions; the Law Enforcement Enterprise Portal (LEEP) that allows for real-time multi-agency collaboration during high-profile events; Identity History Summary Checks, fingerprints, other biometrics, and more (Federal Bureau of Investigation, n.d.).

All local government agencies with access to, or that operate in support of, the CJIS division’s services and information, such as local police departments, are subject to the security policy. The policy applies to how the criminal justice information (CJI) and other PII is created, viewed, modified, transmitted, disseminated, stored, and destroyed. It is the minimum standard that local governments must meet, but additional measures can also be incorporated. Specifically, the security policy sets forth standards covering 13 policy areas (Table 10.1). The requirements set forth in each of these policy areas include user agreements, information exchange agreements, security training for employees, the reporting of security incidents, access control and account management, password strength and multi-factor authentication, data encryption, wireless networking, physical and remote access, Virtual Private Networks (VPNs) and mobile devices and more. Additionally, these policy areas correspond with NIST SP 800-53 on security and privacy controls (2020a).

Source: Criminal Justice Information Services (2020).

As is the case for each of the federal policies discussed in this section, the intent of the CJIS security policy is to balance public safety and civil liberties as much as possible. Without the sharing of CJI across jurisdictions, local law enforcement agencies would struggle to succeed in finding those engaging in violent and criminal behavior and holding them accountable. We do not need to return to the days of fugitives moving on to a different state, whose law enforcement is unaware of an individual’s criminal history. However, there are profound privacy and civil liberties concerns if unfettered access to this information were provided. Vigilante justice and mob thinking make misidentifications all the more likely, and remove all constitutional protections afforded to those suspected of criminal activity. National security concerns also arise if this information is not protected.

10.4 State Laws

This section explores state and local cybersecurity legislation including security breach notification laws, data security and data disposal laws, and data protection and privacy laws. Local governments should examine their state’s laws in order to determine what rules they are subject to follow.

10.5 European Union General Data Protection Regulation (GDPR)

Adopted in 2016 and implemented in 2018, the GDPR has set the global standard for comprehensive data protection and privacy laws (European Data Protection Supervisor, n.d.). The law establishes privacy and security regulations for organizations processing data on people residing in the EU, not necessarily EU citizens, but traffic from any person in the EU. It applies to organizations offering goods or services targeted to people in the EU or those that process and monitor data generated by those in the EU, including local governments in the US. Any organization processing or monitoring internet traffic from the EU technically falls under the purview of the GDPR. The GDPR’s own explanation of the applicability of these rules state that it is unclear whether one-off visits to certain narrowly targeted websites by EU citizens would place an organization “in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data” (Wolford, 2021a). Applicability of the GDPR to local governments outside of the EU has generally been interpreted around whether the government is “targeting” EU residents when providing services (Kawamoto, 2018). For example, EU residents paying a water bill on a local government website might not fall under the GDPR, but local government tourism websites and advertisements targeted to those in the EU would (Kawamoto, 2018).

The GDPR sets forth seven principles of data protection including: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability (Wolford, 2021b). Some of these mirror provisions of the Colorado Privacy Act discussed above. Lawfulness, fairness, and transparency around data processing means that it should be clear to the consumer that their data is processed in such a fashion. Purpose limitations specify that the data is processed for legitimate purposes that are explicitly stated to the consumer. Data minimization means only the data required should be collected and processed for the specified purposes. Accuracy involves keeping the information up-to-date, storage limitation means the data is stored for only as long as it is needed, integrity and confidentiality means that processing should be done with encryption so that it is secure, and accountability means organizations are able to demonstrate compliance with the GDPR.

GDPR also establishes eight innovative, if not at times controversial, privacy rights for EU citizens, including: the right to be informed; the right of access; the right of rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and rights in relation to automated decision-making and profiling. Again, the rights of information, access, rectification, erasure, to restrict processing (or opt out), to data portability, and to object are all parallel to the rights afforded by the CPA. Rights related to automated decision-making and profiling is reflected in the CPA’s duty to avoid unlawful discrimination.

Last, American local governments should be aware that although the GDPR has yet to be enforced against them, GDPR regulations technically would apply to local governments tracking data from the EU. Therefore local governments should keep the GDPR regulations in mind as similar data security and privacy rules continue to be introduced in legislatures in the US.

10.6 Federal Legislation

Since FISMA was enacted in 2002, there has been no major cybersecurity legislation passed by the US Congress and signed into law. Despite many attempts at passing such comprehensive legislation, only Presidential Executive Orders have been issued in the interim. See, for example: President Obama’s EO 13636 on Improving Critical Infrastructure Cybersecurity (2013), which established the NIST Cybersecurity Framework (covered in Chapter 9); President Trump’s EO 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017), which encouraged modernization of federal IT and partnerships with industry; and President Biden’s EO 14028 on Improving the Nation’s Cybersecurity (2021) focused on bolstering the software supply chain (discussed in Chapter 12).

10.7 Conclusions and Recommendations

This chapter presents a representation of the matrix of federal, state, and international cybersecurity regulations facing American local governments. Cybersecurity compliance is complex and requires expertise in the form of cybersecurity counsel, privacy officers, or compliance officers. For many local governments, this function may need to be outsourced to third-party vendors offering services that help local governments comply with the wide variety of federally mandated security measures.

Local government officials should, at the very least, be aware that such compliance requirements exist. It is up to the CIO, CISO, and IT staff to implement the necessary measures to protect the local government’s information systems and assets from unauthorized access or use. They must be given the tools and resources required to do so. Without such awareness and support, the local government and its officials might very well be at risk of violating the law and be subject to fines or other punishments for unauthorized data disclosure. Following these policies and regulations means implementing high-level cybersecurity standards and controls that will best help protect the local government. Specifically, implementing security measures from NIST’s Special Publication 800 series helps meet many of these various requirements.

Proposed cybersecurity legislation from the 117th Congress indicates a new willingness and push at the US federal level to regulate cybersecurity in the face of constant cyberattacks and increased international competition. Local governments should anticipate federal and/or state level requirements for breach notifications and threat-information sharing (with CISA and other federal agencies) in the not too distant future. There may also be opportunities for grant funding to help boost local government cybersecurity. However, until then, local governments must navigate the plethora of federal, state, and international cybersecurity regulations to which they are subject without much guidance and assistance from higher levels of government.

References

1. Bureau of Justice Assistance, US Department of Justice. (n.d.). Electronic Communications Privacy Act of 1986 (ECPA). https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285
2. California Civil Code § 1798.25 – 1798.29 et sec.
3. California Office of the Attorney General (n.d.). California consumer privacy act (CCPA). https://oag.ca.gov/privacy/ccpa#:~:text=No.,nonprofit%20organizations%20or%20government%20agencies
4. Chabrow, E. (2009, September 24). PCI: A vital standard for government. GovInfoSecurity. https://www.govinfosecurity.com/blogs/pci-vital-standard-for-government-p-311
5. Colorado Attorney General (n.d.). Colorado’s consumer data protection laws: FAQ’s for businesses and government agencies. https://coag.gov/resources/data-protection-laws
6. Colorado General Assembly (2021). Colorado Privacy Act, S.B. 21-190, http://leg.colorado.gov/sites/default/files/documents/2021A/bills/2021a_190_rer.pdf
7. Computer Fraud and Abuse Act of 1986, 18 USC § 1030 (1986).
8. Criminal Justice Information Services, US Federal Bureau of Investigation (2020, June 01). Criminal justice information service (CJIS) security policy version 5.9. https://www.fbi.gov/file-repository/cjis_security_policy_v5-9_20200601.pdf/view
9. Electronic Communications Privacy Act of 1986, 18 USC Chapter 119 (1986).
10. European Data Protection Supervisor (n.d.). The history of the general data protection regulation. https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
11. Exec. Order No. 13636, 78 Fed. Reg. 11737 (February 12, 2013).
12. Exec. Order No. 13800, 82 Fed. Reg. 22391 (May 11, 2017).
13. Exec. Order No. 14028, 86 Fed. Reg. 26633 (May 12, 2021).
14. Family Educational Rights and Privacy Act (FERPA) of 1974, 34 CFR § 99 et seq. (2011).
15. Federal Information Processing Standards Publication (2004, February). FIPS Pub. 199: Standards for security categorization of federal information and information systems. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
16. Federal Information Processing Standards Publication (2006, March). FIPS Pub. 200: Minimum security requirements for federal information and information systems. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf
17. Hecht, A., and Fjeld, C.T. (2021, May 05). Cyber policy legislative tracker. Mintz. https://www.mintz.com/insights-center/viewpoints/2236/2021-05-04-cyber-policy-legislative-tracker
18. Information Transparency and Personal Data Control Act, H.R. 1816, 117th Congress (2021). https://www.congress.gov/bill/117th-congress/house-bill/1816
19. Infrastructure Investment and Jobs Act, H.R. 3684, 117th Congress (2021). https://www.congress.gov/bill/117th-congress/house-bill/3684
20. Internal Revenue Service, US Department of the Treasury (2016, September 30). Publication 1075 Tax information security guidelines for federal, state and local agencies. https://www.irs.gov/pub/irs-pdf/p1075.pdf
21. Internal Revenue Service, US Department of the Treasury (2021, March 4). Safeguards program. https://www.irs.gov/privacy-disclosure/safeguards-program
22. Kawamoto, D. (2018, May 2). Will GDPR rules impact states and localities? Government Technology. https://www.govtech.com/data/will-gdpr-rules-impact-states-and-localities.html#:~:text=%E2%80%9CFederal%2C%20state%20and%20local%20governments,are%20not%20exempt%20under%20GDPR.%E2%80%9D
23. National Conference of State Legislatures (2019, January 4). Data disposal laws. https://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx
24. National Conference of State Legislatures (2020, February 14). Data security laws state government. https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws-state-government.aspx
25. National Conference of State Legislatures (2021a, June 22). Cybersecurity Legislation 2021. https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2021.aspx#:~:text=2021%20Introductions&text=Requiring%20government%20agencies%20to%20implement,industry%20or%20addressing%20cybersecurity%20insurance
26. National Conference of State Legislatures (2021b, April 15). Security breach notification laws. https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
27. North American Electric Reliability Corporation (n.d.). Critical infrastructure protection. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
28. Office of Senator Warner, M.R. (2021, July 21). Following solarwinds and colonial hacks, leading national security senators introduce bipartisan cyber reporting bill [press release]. https://www.warner.senate.gov/public/index.cfm/2021/7/following-solarwinds-colonial-hacks-leading-national-security-senators-introduce-bipartisan-cyber-reporting-bill
29. PCI Security Standards Council LLC (n.d.). Maintaining payment security. https://www.pcisecuritystandards.org/merchants/process
30. PCI Security Standards Council LLC (2008). PCI data storage do’s and don’ts. https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
31. Rippy, S. (2021a, July 08). US state privacy legislation tracker. International Association of Privacy Professionals. https://iapp.org/resources/article/us-state-privacy-legislation-tracker
32. Rippy, S. (2021b, July 08). Colorado privacy act becomes law. International Association of Privacy Professionals. https://iapp.org/news/a/colorado-privacy-act-becomes-law
33. Shepardson, D. and Bartz, D. (2021, September 10). US lawmakers seek $1 bln to fund FTC privacy probes. Reuters. https://www.reuters.com/business/retail-consumer/us-lawmakers-seek-1-bln-fund-ftc-privacy-probes-2021-09-10
34. Taylor, L.P. (2013). FISMA trickles into the private sector. In Patricia Moulder, Technical Editor, FISMA Compliance handbook. Syngress.
35. The America COMPETES Act of 2022, H.R. 4521, 117th Congress (2022). https://docs.house.gov/billsthisweek/20220131/BILLS-117HR4521RH-RCP117-31.pdf
36. The Utility Connection (n.d.). 251 Publicly owned electric and gas utilities (US). http://www.utilityconnection.com/page2e.asp
37. United States Innovation and Competition Act of 2021, Pub. L. No. 117-58, 135 Stat. 429 (2021). https://www.congress.gov/bill/117th-congress/senate-bill/1260
38. U.S. Department of Education Privacy Technical Assistance Center (2015, July). Data security checklist. https://studentprivacy.ed.gov/sites/default/files/resource_document/file/Data%20Security%20Checklist_0.pdf
39. U.S. Department of Health and Human Services (2013, July 26). Summary of the HIPAA privacy rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
40. US Federal Bureau of Investigation (n.d.). Criminal justice information service (CJIS). https://www.fbi.gov/services/cjis
41. US National Institute of Standards and Technology (NIST) (2017, June). NIST Special Publication 800-63-3: Digital identity guidelines. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
42. US National Institute of Standards and Technology (NIST) (2020a, September). NIST special publication 800-53 Revision 5: Security and privacy controls for information systems and organizations. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
43. US National Institute of Standards and Technology (NIST) (2020b, February). NIST Special publication 800-171 Revision 2: Protecting controlled unclassified information in nonfederal systems and organizations. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
44. Van Buren v. United States, No. 19-783, 2021.
45. Virginia General Assembly (2021). Virginia consumer data protection act, S.B. 1392, https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392
46. Wolford, B. (2021a). Does the GDPR apply to companies outside of the EU? GDPR.eu. https://gdpr.eu/companies-outside-of-europe
47. Wolford, B. (2021b). What is GDPR, the EU’s new data protection law? GDPR.eu. https://gdpr.eu/what-is-gdpr