This chapter addresses the growing field of cybersecurity law. Cybersecurity law, for the purposes of this book, is made up of the laws and regulations concerning the proper management of a local government’s information assets in order to support the confidentiality, integrity, and availability of those assets. Some local governments, mainly larger ones, maintain robust legal departments. However, even they may contract out for certain types of specialized legal services, cybersecurity among them. Some, perhaps many, smaller local governments do not have the resources to support legal departments and must contract out for most or all of their legal services.
Lawyers working in government practice have expertise in many different areas from administrative, criminal, and environmental law to tax, banking, transactional law, and consumer protection. Practice types also vary from bill drafting and regulatory work to litigation and negotiation. These lawyers represent the interests of the local government itself, as well as its citizens. The legal responsibilities facing local governments are plentiful, and they continue to grow. Like almost any organization, local governments must now consider hiring legal counsel with cybersecurity expertise, or “Privacy Officers” who have knowledge and expertise in the areas of information privacy laws and compliance.
This chapter presents an overview of the laws and regulations relevant to local government cybersecurity so that local officials and others are at least aware of potential compliance requirements. These laws directly impact local government cybersecurity postures by mandating specific security standards, technologies, and policies that staff must implement. First, it covers federal policies applicable to local governments, including the Health Insurance Portability and Accountability Act (HIPAA); IRS Publication 1075; the Federal Information Security Modernization Act (FISMA); and the Family Educational Rights and Privacy Act of 1974 (FERPA), among others. Second, the chapter covers sector-specific security standards such as the Payment Card Industry (PCI) and North American Electric Reliability Corporation (NERC) standards. Third, the chapter reviews a variety of typical state laws, including state and local cybersecurity legislation; security breach notification laws; data security and data disposal laws; and data protection and privacy laws. Fourth is an introduction to the European Union General Data Protection Regulation (GDPR) and its potential relevance to local government. Fifth is a brief discussion of proposed federal cybersecurity legislation that would impact local government, such as the America COMPETES Act. Conclusions and recommendations close the chapter.
For local governments, many of the laws and regulations discussed in this chapter are not merely suggestions. They contain rules that local governments are mandated to adopt and implement. It is important to be aware of them, not only to ensure no laws are being broken, but also to implement best practices that can help local governments comply with federal and state mandates. Failing to comply with these mandates, in some situations, can be punishable by fines and even jail time (e.g., when protected health, cardholder, tax, or other information described below is willfully exposed).
The following federal policies largely deal with protecting the confidentiality, integrity, and availability of various types of sensitive personal data, from health information to tax and cardholder information. The aim of these laws is to balance the interests of privacy against the flow of information necessary for efficient and effective service provision. Local governments, depending on the services they provide and the federal programs they administer, can find themselves subject to one or more, if not all, of these regulations.
HIPAA governs how organizations protect the healthcare information of their employees and the electronic storage of protected health information. In 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA’s enforcement and breach notification rules. Some local government agencies are considered “covered entities” and are thus subject to HIPAA and HITECH regulations, for example, because they administer Medicaid or operate healthcare clinics. The Affordable Care Act and expansions to Medicare and Medicaid increased local government responsibility for information security. Public health agencies must implement measures to meet two major cybersecurity objectives in order to comply with these regulations: protecting individually identifiable health information from unauthorized access, and allowing authorized access to protected health information consistent with the Privacy Rule. HIPAA’s Privacy Rule sets forth the specific standards by which this information must be protected, with the intent of balancing the interests of patient privacy and the flow of information necessary to ensure the provision of quality care (US Department of Health & Human Services, 2013). Local governments must adopt and implement the proper identity and access management measures to prevent unauthorized access to protected patient information. These access control measures require proper documentation and periodic review in order to be successful. If a breach does occur, HIPAA requires organizations to notify the individuals who are affected (e.g., because of compromised PII), as well as the media.
IRS Pub. 1075 is the Tax Information Security Guidelines for Federal, State and Local Agencies (Internal Revenue Service [IRS], 2016). It aims to protect federal tax information and tax returns, both digitally and physically, from unauthorized access and disclosure. Specifically, federal tax information should be restricted on a need-to-know basis, meaning that employees should have access only if the information is necessary to perform their duties. Protecting the privacy of tax and taxpayer information is essential to maintaining citizen confidence in government.
These guidelines are based on the security standards set forth in NIST Special Publication 800-53 on security and privacy controls for information systems (2020a). Yet again, access control and identity management requirements are major components of IRS Pub. 1075 compliance. In order to receive tax information from the IRS, local governments must create an account with the agency’s Secure Data Transfer program, which encrypts the data during transmission. Local government agencies must be prepared to show that they have the ability to protect the confidentiality of federal tax information by securely storing the data on their IT systems. They must also maintain updated safeguard reports and certain related communications. The IRS Safeguards Program provides further technical assistance and resources for protecting federal tax information (Internal Revenue Service, 2021).
FISMA was enacted in 2002 to protect information used by federal agencies and stored on federal networks. It has since been expanded to cover state and local governments administering and participating in federal programs like Medicaid, Medicare, veterans’ health, and federal student loans (Taylor, 2013). There is some overlap with HIPAA standards and IRS Pub. 1075, but FISMA compliance accomplishes more than HIPAA and IRS Pub. 1075 alone. While NIST SP 800-53 (2020a) is relevant here, so are other standards set forth in the NIST SP 800 series focused on computer security, particularly SP 800-171 (2020b) on protecting unclassified information, and SP 800-63 (2017) on digital identity guidelines. Additionally, Federal Information Processing Standards (FIPS) Publications 199 (standards for security categorization) and 200 (minimum security requirements for federal information systems) also discuss how agencies can meet FISMA requirements (Federal Information Processing Standards Publication, 2004, 2006). In lay terms, due diligence under FISMA means that local governments covered by the act must take the following steps: 1) categorize and inventory information systems; 2) select and implement privacy and security controls to meet the local government’s mission; 3) assess the effectiveness of the controls in place; 4) authorize the information systems for operation; and 5) continuously monitor the information systems (NIST, 2020a).
FERPA governs the rights of parents and children to access and amend children’s education records, as well as how personally identifiable information (PII) in those records can be disclosed (Family Educational Rights and Privacy Act (FERPA), 2011). FERPA provides students and parents rights to review and correct education records kept by their school and allows schools to disclose records in certain situations. Student education records include report card information, transcripts, class schedules, disciplinary records, and contact and family information. Schools can disclose such records without parental consent to other school officials within the same institution or agency, to contractors the agency has hired, to another institution in which the student seeks to enroll, or in connection with financial aid, among other situations. Otherwise, written consent is required in order to disclose these records.
Under FERPA, educational and other institutions must protect student education records. This applies to all local government organizations receiving federal funds from Department of Education programs, like public schools, school districts, vocational and technical schools, and postsecondary institutions. While FERPA does not impose specific security controls for individual institutions, cybersecurity breaches that result in student records being illegally disclosed can ultimately lead to FERPA violations. Specifically, the law states “an educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement” of record disclosure (34 CFR §99.31, p. 265). Institutions subject to FERPA should follow NIST’s SP 800 series, particularly 800-171 on protecting unclassified information (2020b), which can help to prevent any such violations. The Department of Education’s Privacy Technical Assistance Center also provides helpful resources such as its data security checklist (2015).
CJIS is a division of the FBI that serves the law enforcement community by providing tools, services, and sharing criminal justice information. The CJIS Security Policy regulates how local governments utilizing CJIS services protect sensitive criminal background and fingerprint information (Criminal Justice Information Services [CJIS], 2020). These services include the National Instant Criminal Background Check System (NICS); the National Crime Information Center (NCIC), which is an electronic clearinghouse of crime data such as mug shots and crime records used by almost every criminal justice agency in the country; the National Data Exchange (N-DEx), which is an online tool for sharing information across jurisdictions; the Law Enforcement Enterprise Portal (LEEP) that allows for real-time multi-agency collaboration during high-profile events; Identity History Summary Checks, fingerprints, other biometrics, and more (Federal Bureau of Investigation, n.d.).
All local government agencies with access to, or that operate in support of, the CJIS division’s services and information, such as local police departments, are subject to the security policy. The policy applies to how criminal justice information (CJI) and other PII are created, viewed, modified, transmitted, disseminated, stored, and destroyed. It is the minimum standard that local governments must meet, but additional measures can also be incorporated. Specifically, the security policy sets forth standards covering 13 policy areas (Table 10.1). The requirements set forth in these policy areas include user agreements, information exchange agreements, security training for employees, the reporting of security incidents, access control and account management, password strength and multi-factor authentication, data encryption, wireless networking, physical and remote access, Virtual Private Networks (VPNs), mobile devices, and more. Additionally, these policy areas correspond with NIST SP 800-53 on security and privacy controls (2020a).
Table 10.1 CJIS security policy: policy areas.

Policy Area | Covers
--- | ---
1) Information exchange agreements |
2) Security awareness training |
3) Incident response |
4) Auditing and accountability |
5) Access control |
6) Identification and authentication |
7) Configuration management |
8) Media protection |
9) Physical protection |
10) System and communications protection and information integrity |
11) Formal audits |
12) Personnel security |
13) Mobile devices |

Source: Criminal Justice Information Services (2020).
As is the case for each of the federal policies discussed in this section, the intent of the CJIS security policy is to balance public safety and civil liberties as much as possible. Without the sharing of CJI across jurisdictions, local law enforcement agencies would struggle to succeed in finding those engaging in violent and criminal behavior and holding them accountable. We do not need to return to the days of fugitives moving on to a different state, whose law enforcement is unaware of an individual’s criminal history. However, there are profound privacy and civil liberties concerns if unfettered access to this information were provided. Vigilante justice and mob thinking make misidentifications all the more likely, and remove all constitutional protections afforded to those suspected of criminal activity. National security concerns also arise if this information is not protected.
CFAA, perhaps the premier federal computer crime law, was first enacted in 1986 and has since been amended several times. The act prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” and thereby obtaining information from a protected computer, which includes information from any federal department or agency or financial institution; damaging said devices or information; or otherwise hacking into these systems and causing at least $5,000 in damages (Computer Fraud and Abuse Act, 1986). “Without authorization” has been interpreted so broadly as to include violating a website’s terms of service or an employer’s acceptable use policy. For example, the Supreme Court recently determined that a law enforcement officer’s use of the government’s license plate database to look up information requested and paid for by a civilian did not “exceed authorized access,” because he was authorized to access the system even though he accessed it for an unauthorized purpose (Van Buren v. United States, 2021). The CFAA provides an important tool for prosecutors to seek recourse against those who have caused an adverse cybersecurity event in a local government’s information system that “raises concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having a broad or significant impact on national or economic interests” (US Department of Justice, 2020). Violations of this act are punishable with up to 20 years in prison if a prior offense has been committed.
ECPA, also enacted in 1986, covers restrictions on how local governments and law enforcement officers can access the stored communications of businesses and residents in their jurisdiction (Electronic Communications Privacy Act, 1986). The law extended restrictions on telephone wire-taps to electronic communications on computers and was last updated by the USA PATRIOT Act. Local governments and their officers may not attempt to intercept such communications unless they have obtained judicial authorization, or a warrant, to do so. The warrant must be supported by probable cause, and can last up to 30 days (Bureau of Justice Assistance, n.d.). If a warrant is not obtained, any evidence gathered will not be admissible as evidence in court.
The following are security standards set by professional organizations within specific sectors of the economy that also pertain to local governments. These standards are not established by federal policy, but must be followed by all organizations involved in these particular sectors and activities.
The PCI Data Security Standard regulates how organizations protect cardholder data or “any information contained on a customer’s payment card…printed on either side of the card [or] contained in the digital format on [the card’s] magnetic stripe” (PCI Security Standards Council, 2008, p. 1). The standard was first established in 2004 to help govern the transition to digital transactions and help protect against payment fraud. The PCI standard was one of the first of such cybersecurity regulatory requirements faced by most local governments (Chabrow, 2009).
Table 10.2 PCI data security standard goals and requirements.

Goals | PCI DSS Requirements
--- | ---
Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data | 3. Protect stored cardholder data
| 4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program | 5. Use and regularly update anti-virus software or programs
| 6. Develop and maintain secure systems and applications
Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know
| 8. Assign a unique ID to each person with computer access
| 9. Restrict physical access to cardholder data
Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data
| 11. Regularly test security systems and processes
Maintain an information security policy | 12. Maintain a policy that addresses information security for employees

Source: PCI Security Standards Council LLC (n.d.).
Local governments must follow the PCI standard if they process or handle debit, credit, or EBT (Electronic Benefit Transfer) card transactions. The wide array of services provided by local governments necessitates that they follow the PCI security standard in order to protect cardholder data received from online and in-person transactions such as tax, water bill, permit, and other payments.
The PCI standard sets forth 12 major requirements to help meet six overarching goals that are aligned with good cybersecurity practices: 1) build and maintain a secure network; 2) protect cardholder data; 3) maintain a vulnerability management program; 4) implement strong access control measures; 5) regularly monitor and test networks; and 6) maintain an information security policy (see Table 10.2). In brief, the standards include restricting physical access to cardholder data, restricting access on a need-to-know basis, and not using system default passwords. The PCI standard also requires that robust identity and access management measures be in place. Cardholder information must be received, processed, stored, and transmitted securely. Local governments can defer PCI compliance responsibilities by working with a third-party merchant service provider.
The NERC CIP Standards were developed by the North American Electric Reliability Corporation in 2008 to regulate the cybersecurity of bulk electric system (BES) owners and operators in North America, including state and local government electric utilities (North American Electric Reliability Corporation [NERC], n.d.). A BES includes the systems for electrical generation, transmission lines, and connections with neighboring systems. Some local government BES owners include the Alameda Bureau of Electricity in California, the Columbus Division of Electricity in Ohio, the Long Island Power Authority in New York, and the Los Alamos County Utilities Department in New Mexico (The Utility Connection, n.d.). As of this writing, there are 12 control families in the standards, with four more subject to future enforcement (Table 10.3). These “control families” are similar to the CJIS policy areas described above and govern the types of security controls required for each area. The NIST SP 800 series helps meet the many standards set forth in these control families.
Table 10.3 NERC CIP control families.

Status | Control Family | Requirements
--- | --- | ---
Required | BES cyber system categorization (CIP 2-5.1a) |
Required | Security management controls (CIP 3-8) | CIP senior manager approval every 15 months for documented security policies
Required | Electronic security perimeter(s) (CIP 5-6) |
Required | Physical security of BES cyber systems (CIP 6-6) |
Required | System security management (CIP 7-6) |
Required | Incident reporting and response planning (CIP 8-6) |
Required | Recovery plans for BES cyber systems (CIP 9-6) |
Required | Configuration change management and vulnerability assessments (CIP 10-3) |
Required | Information protection (CIP 11-2) |
Required | Supply chain risk management (CIP 13-1) |
Required | Physical security (CIP 14-2) |
Future | Electronic security perimeter(s) (CIP 5-7) |
Future | Configuration change management and vulnerability assessments (CIP 10-4) |
Future | Communications between control centers |
Future | Supply chain risk management (CIP 13-2) |

Source: NERC (n.d.).
Each control family sets forth the purpose of the control, who it applies to, the facilities involved, exemptions to the CIP, effective dates, background information for the control, the requirements and measures of the control, and how to comply with the control. For example, CIP 4-6 on personnel and training entails five requirements, or in this case, programs that BES owners must implement: 1) a security awareness program; 2) a cybersecurity training program; 3) a personnel risk assessment program; 4) an access management program; and 5) a program for access revocation. Each of the requirements is then broken down into parts, with examples of measures that would provide evidence of fulfilling the requirement. Here again, these requirements echo what has been repeatedly discussed in this book as effective cybersecurity best practices.
This section explores state and local cybersecurity legislation, including security breach notification laws, data security and data disposal laws, and data protection and privacy laws. Local governments should examine their state’s laws in order to determine which rules they must follow.
The National Conference of State Legislatures (NCSL), which tracks cybersecurity legislation annually, found that at least 45 states considered over 250 measures focusing on cybersecurity in 2021 (2021a). At the time of writing, 58 of the bills or resolutions have been enacted. This count does not include all cybersecurity appropriations enacted during the year. Clearly, there has been some state-level movement and response to ongoing cybersecurity threats. The NCSL found four common issues that received the most legislative activity: mandating that government agencies implement formal security policies, conduct cybersecurity training, and plan and test for incident response; regulating cybersecurity insurance; creating commissions or task forces to study cybersecurity issues; and supporting cybersecurity training and education programs. The first specifically deals with local government cybersecurity. Ongoing legislative activity around what local governments must implement and establish in terms of their cybersecurity is a welcome sign of needed attention and support. The remaining three issues receiving the most attention all indirectly impact local governments as well. For example, local governments are purchasers of cybersecurity insurance. Task forces will likely study the impact of cyberattacks on the public sector. And assistance for cybersecurity education can only help address the skills gap facing the industry at large, and local governments more acutely.
According to the NCSL, all 50 states, DC, Puerto Rico, Guam, and the Virgin Islands have implemented security breach notification laws (2021b). Breach notification laws require organizations to notify individuals, government entities, and sometimes the media of cybersecurity breaches that expose citizen or customer PII. These laws vary depending on the size and type of organization affected, the number of records impacted, and the type of information exposed. Definitions of “breach,” notice requirements, and exemptions vary as well. The types of organizations subject to these laws typically include governmental entities, educational institutions, businesses, and other organizations that collect and sell information. Not every law covers all types of organizations, so local governments must closely examine the security breach notification laws enacted in their state. Another aspect of breach notification laws that varies is the types of records the laws govern, such as account numbers, identification numbers, driver’s license information, name combined with social security number (SSN), user names and passwords, biometric information, medical information, and more. Additionally, the timing and method of notification can vary, as well as who must be notified and what information must be included in the notice. Exemptions generally provide “safe harbor” for data that is redacted, encrypted, unreadable, or unusable.
California’s data breach notification law was passed in 2002 and was the first of its kind enacted in the country. It has become a model for many other state laws and provides a good example for what local governments are required to do when they experience a breach (Cal. Civil Code § 1798.25 – 1798.29). In California, if a local government experiences a breach and PII stored on its IT system is illegally acquired, the local government must notify the individuals whose PII has been exposed. The notification must be made “in the most expedient time possible and without unreasonable delay” unless law enforcement determines it will impede a criminal investigation. The law also requires written or electronic notice of the breach and provides a model notification form that local governments can follow (Table 10.4).
In addition to providing victims with meaningful information about the breach, the local government also has the discretion to provide information about what it has done to protect individuals whose information has been breached or provide advice on steps those individuals can take to protect themselves. If the breach impacts more than 500 California residents, the local government must notify the Attorney General, as well.
Table 10.4 Model breach notification form.

[Name of Local Government/Logo] | Date: [insert date]
--- | ---
NOTICE OF DATA BREACH |
What happened? |
What information was involved? |
What are we doing? |
What you can do. |
Other important information |
For more information: | Call [telephone number] or go to [internet website]

Source: Cal. Civil Code § 1798.25 – 1798.29.
According to the NCSL, 32 states have adopted some form of data security law that requires state agencies, and in some situations local governments, to implement certain types of data security measures. Many of these laws were enacted in the two to three years prior to the publication of the NCSL report in 2020 (National Conference of State Legislatures, 2020). Data security laws govern how local governments protect the PII they maintain, and control how that PII is protected, destroyed, disclosed, used, or modified. Data security laws in Alabama, Maryland, Nevada, and Utah explicitly include local governments. More states may include local governments in their definition of “public agency” or “state agency.”
Some state data security laws cover specific types of information, like SSNs, health information, and financial or tax information. Others establish positions like information security and privacy officers, CIOs, and CISOs, and set forth the roles of those officials. Others still require the adoption of strategic policies, mandate annual assessments, establish record keeping and training requirements, and more.
Data destruction and retention rules cover when and how local governments destroy and dispose of personally identifiable information or make it unreadable. Sixteen states have instituted data disposal laws applicable to government (NCSL, 2019). Generally, these laws require that local governments take steps to protect against unauthorized access or use of the PII when it is being destroyed, considering the sensitivity of the information, the local government agency involved, and types of available destruction methods. Some of these laws are enforced through fines. HIPAA also mandates specific rules around the disposal of electronic health information.
Data protection and privacy laws are a recent trend in state-level cybersecurity legislation. These laws specifically deal with how organizations use, store, and destroy information they gather on individuals. They also provide certain rights to individuals in determining how they wish their data to be used, and whether they wish to have their data processed or tracked. Organizational obligations and consumer rights make up the bulk of these laws. These laws often also include rules on disposal of PII, protection of PII, and security breach notifications.
The International Association of Privacy Professionals (IAPP) follows state-level privacy legislation; of the 27 bills considered in 2021, two were enacted, six are still active, and 19 failed (Rippy, 2021a). As of this writing, three states have enacted data protection and privacy laws: California, Virginia, and Colorado. California’s privacy law does not apply to governmental agencies (Office of the California Attorney General, n.d.). Virginia’s law explicitly exempts political subdivisions of the Commonwealth as well (Virginia General Assembly, 2021). However, the most recent addition to the group of states with a comprehensive privacy rights law, Colorado, explicitly includes governmental entities (Colorado Attorney General, n.d.). All of these laws are similar to one another and are modeled in whole or in part on the European Union’s General Data Protection Regulation (GDPR).
The Colorado Privacy Act (CPA) applies to any organization that maintains, owns, or licenses PII or personal information on Colorado residents. The law primarily requires three things: that said organizations establish policies governing disposal of PII; that they take reasonable steps to protect PII; and that they notify residents and the Attorney General of breaches. The act contains many of the same rights and obligations set forth in the GDPR. These include: the right of access (to the personal data being stored); the right of rectification (or to correct inaccuracies in the personal data); the right of deletion (of personal data); the right of portability (or to obtain personal data in a usable format); the right to opt-out of certain automated decision-making (e.g., targeted advertisements, sale of personal data, or profiling in furtherance of significant decisions); and the right to appeal business denials (Rippy, 2021b). Local governments have seven duties they must meet in terms of data collection and processing (Table 10.5). These include notice and transparency requirements, stated purpose and processing limitations for the personal data, protecting the data from unauthorized access, and consent for the processing of sensitive information. Enforcement of this law lies with the Colorado Attorney General’s Office, as well as district attorneys, giving 60 days for organizations to cure violations.
Table 10.5 Rights and duties under the CPA.

| Rights | Description |
| --- | --- |
| Right to opt out | Of processing of personal data for: |
| Right of access | To confirm whether their personal data is being processed, and gain access to the data |
| Right to correction | To correct inaccuracies in the personal data |
| Right to deletion | To delete personal data concerning the consumer |
| Right to data portability | To obtain personal data in a portable and readily usable format to transmit to another entity without hindrance |

| Duty | Description |
| --- | --- |
| Duty of transparency | Provide consumers with reasonably accessible, clear and meaningful privacy notice including: |
| Duty of purpose specification | Specify the express purposes for which personal data are collected/processed |
| Duty of data minimization | “Collection of personal data must be adequate, relevant and limited to what is reasonably necessary to the specified purposes for which the data are processed” |
| Duty to avoid secondary use | Prohibits the processing of personal data for purposes not reasonably necessary or compatible with the specified purposes |
| Duty of care | Take reasonable measures to secure personal data in storage and use from unauthorized acquisition |
| Duty to avoid unlawful discrimination | Prohibits the processing of personal data in violation of laws prohibiting unlawful discrimination against consumers |
| Duty regarding sensitive data | Consent/parental consent required to process sensitive data |

Source: Colorado General Assembly (2021).
Adopted in 2016 and implemented in 2018, the GDPR has set the global standard for comprehensive data protection and privacy laws (European Data Protection Supervisor, n.d.). The law establishes privacy and security regulations for organizations processing data on people residing in the EU; it covers not only EU citizens but traffic from any person in the EU. It applies to organizations offering goods or services targeted to people in the EU or those that process and monitor data generated by those in the EU, including local governments in the US. Any organization processing or monitoring internet traffic from the EU technically falls under the purview of the GDPR. The GDPR’s own explanation of the applicability of these rules acknowledges that it is unclear whether one-off visits to certain narrowly targeted websites by EU citizens would place an organization “in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data” (Wolford, 2021a). Applicability of the GDPR to local governments outside of the EU has generally been interpreted around whether the government is “targeting” EU residents when providing services (Kawamoto, 2018). For example, EU residents paying a water bill on a local government website might not fall under the GDPR, but local government tourism websites and advertisements targeted to those in the EU would (Kawamoto, 2018).
The GDPR sets forth seven principles of data protection including: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability (Wolford, 2021b). Some of these mirror provisions of the Colorado Privacy Act discussed above. Lawfulness, fairness, and transparency around data processing means that it should be clear to the consumer that their data is processed in such a fashion. Purpose limitations specify that the data is processed for legitimate purposes that are explicitly stated to the consumer. Data minimization means only the data required should be collected and processed for the specified purposes. Accuracy involves keeping the information up-to-date, storage limitation means the data is stored for only as long as it is needed, integrity and confidentiality means that processing should be done with encryption so that it is secure, and accountability means organizations are able to demonstrate compliance with the GDPR.
The GDPR also establishes eight innovative, if at times controversial, privacy rights for EU citizens, including: the right to be informed; the right of access; the right of rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and rights in relation to automated decision-making and profiling. Again, the rights of information, access, rectification, erasure, to restrict processing (or opt out), to data portability, and to object all parallel the rights afforded by the CPA. Rights related to automated decision-making and profiling are reflected in the CPA’s duty to avoid unlawful discrimination.
Last, American local governments should be aware that although the GDPR has yet to be enforced against them, GDPR regulations technically would apply to local governments tracking data from the EU. Therefore, local governments should keep the GDPR regulations in mind as similar data security and privacy rules continue to be introduced in legislatures in the US.
Since FISMA was enacted in 2002, there has been no major cybersecurity legislation passed by the US Congress and signed into law. Despite many attempts at passing such comprehensive legislation, only Presidential Executive Orders have been issued in the interim. See, for example: President Obama’s EO 13636 on Improving Critical Infrastructure Cybersecurity (2013), which established the NIST Cybersecurity Framework (covered in Chapter 9); President Trump’s EO 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017), which encouraged modernization of federal IT and partnerships with industry; and President Biden’s EO 14028 on Improving the Nation’s Cybersecurity (2021) focused on bolstering the software supply chain (discussed in Chapter 12).
The recently enacted Infrastructure Investment and Jobs Act, also known as the Bipartisan Infrastructure Framework, created a $1 billion state, local, tribal and territorial (SLTT) cybersecurity grant program to be administered by the Federal Emergency Management Agency in consultation with CISA (Infrastructure Investment and Jobs Act, 2021). The Act’s other cybersecurity measures include authorizing the Department of Homeland Security to declare that a significant cybersecurity incident has occurred or is likely to occur and to provide voluntary assistance to non-federal entities in responding to and recovering from the incident, and creating a Cyber Response and Recovery Fund to assist in recovery from such incidents. Additionally, the Act regulates other aspects of infrastructure cybersecurity including: promoting the creation of public-private partnerships to enhance the security of the electric grid; creating the Energy Cyber Sense program to test the cybersecurity of products and technologies used in the energy sector; creating incentives for advanced cybersecurity technology investment in the electric grid; establishing the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program; and more. Cybersecurity measures are also included for highways, water systems, and research and innovation.
As of this writing, at least 13 bills concerning cybersecurity have been introduced in the 117th Congress (2021–2023). Many of these bills attempt to address issues around cyber workforce training, supply chain security, and international competitiveness with China (Hecht and Fjeld, 2021). They also attempt to reinvigorate federal abilities to address cybersecurity by forming new departments, such as the proposed Bureau of International Cyberspace Policy or International Technology Partnership Office at the Department of State, or granting additional authority to other agencies, such as the Federal Trade Commission (FTC). Some have proposed directing the FTC to open a bureau to investigate security and privacy issues in the organizations that the agency oversees (Shepardson and Bartz, 2021).
The Cyber Incident Notification Act would require that federal agencies, government contractors, and critical infrastructure operators notify CISA of a detected breach within 24 hours and would grant reporting organizations limited immunity (Office of Senator Mark Warner, 2021). While some local government agencies are undoubtedly considered critical infrastructure, such as water treatment or electricity distribution, not all local governments would be subject to this reporting requirement. A federal privacy bill, similar to the CPA and the GDPR, has also been introduced although it is unclear whether sufficient political will to pass such a bill currently exists (Information Transparency and Personal Data Control Act, 2021).
Two particularly comprehensive bills, the Senate’s United States Innovation and Competition Act and the House of Representatives’ more expansive response bill, the America COMPETES Act, would establish regional cybersecurity hubs partnering government, private, and academic stakeholders (United States Innovation and Competition Act, 2021; The America COMPETES Act, 2022). Additionally, they would award strategy development and strategy implementation grants to eligible regional technology and innovation hubs. The bill would also establish a Directorate for Science and Engineering Solutions in the National Science Foundation. The main purpose of both bills is to address supply chain gaps and vulnerabilities in critical infrastructure, and to boost the standing of the US as a global leader in AI and high performance computing and manufacturing. While it is unclear what, if any, standards either version would create for local governments, if reconciled and passed, the legislation, and others like it, would undoubtedly impact local government cybersecurity down the line.
This chapter presents an overview of the matrix of federal, state, and international cybersecurity regulations facing American local governments. Cybersecurity compliance is complex and requires expertise in the form of cybersecurity counsel, privacy officers, or compliance officers. For many local governments, this function may need to be outsourced to third-party vendors offering services that help local governments comply with the wide variety of federally mandated security measures.
Local government officials should, at the very least, be aware that such compliance requirements exist. It is up to the CIO, CISO, and IT staff to implement the necessary measures to protect the local government’s information systems and assets from unauthorized access or use. They must be given the tools and resources required to do so. Without such awareness and support, the local government and its officials might very well be at risk of violating the law and be subject to fines or other punishments for unauthorized data disclosure. Following these policies and regulations means implementing high-level cybersecurity standards and controls that will best help protect the local government. Specifically, implementing security measures from NIST’s Special Publication 800 series helps meet many of these various requirements.
Proposed cybersecurity legislation from the 117th Congress indicates a new willingness and push at the US federal level to regulate cybersecurity in the face of constant cyberattacks and increased international competition. Local governments should anticipate federal and/or state level requirements for breach notifications and threat-information sharing (with CISA and other federal agencies) in the not-too-distant future. There may also be opportunities for grant funding to help boost local government cybersecurity. Until then, however, local governments must navigate the plethora of federal, state, and international cybersecurity regulations to which they are subject without much guidance or assistance from higher levels of government.