11

What about the US?

In this final chapter, we will enter the world of US privacy, including the Federal Trade Commission (FTC) and Section 5 of the FTC Act, and check the status of local privacy laws, while looking at other laws that are relevant to data protection and trying to understand whether they can, sooner or later, lead to a national law. Finally, we will look at two different but similar phenomena: bring your own device and remote working.

In this chapter, we will cover the following topics:

  • The US status of privacy
  • The Federal Trade Commission (FTC)
  • An overview of Section 5 of the FTC Act
  • How NIST and FTC interact
  • Bring Your Own Device (BYOD)
  • Remote working
  • What privacy rights are available to employees?

The US status of privacy

Customers are largely unaware of the data economy that supports everyday products and services. Their data is shared with a greater number of third parties, which not only increases the number of businesses that may make money from it but also increases the likelihood that their data can be breached or leaked in a way that results in actual harm. Just this past year, a news organization exposed a priest using pseudonymous app data that was purportedly leaked from an advertiser connected to the dating app Grindr. According to another report, the US government purchased location information from a prayer app. Researchers have found that apps for treating opioid addiction share sensitive information. Additionally, a recent data breach at T-Mobile affected at least 40 million customers, some of whom had no prior connection to the company.

Consumer data privacy regulations can give people power over their data, but if they’re executed poorly, they can also serve to protect the status quo.

What the current national privacy laws (don’t) do

At the moment, privacy laws are a confusing jumble of many sectoral regulations. Historically, the US has a variety of inconsistent federal (and state) regulations that look at certain data categories, such as credit data or health information, or look at specific populations, such as children, and regulate within those areas.

The vast majority of goods that individuals use every day are unregulated in how they collect data. Unless a state has its own data privacy law, many corporations are essentially free to do anything they want with the data because there are no federal privacy rules governing them. Most states allow businesses to use, distribute, or sell any information they acquire about you without informing you first. No national legislation specifies when (or whether) a business must inform you whether your data is compromised or made available to unauthorized individuals.

Your data may be further sold or shared without your knowledge if a corporation distributes it with third parties (such as data brokers), including sensitive information such as your location or health.

Most US consumers think they are protected until they aren’t. Sadly, customers are unable to observe and comprehend the flow of information because this ecosystem is largely opaque and concealed from view. Unlike the EU, with its General Data Protection Regulation (GDPR), the United States lacks a single legislation that protects the privacy of all kinds of data. Instead, it consists of a variety of regulations with acronyms such as HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA that are intended to exclusively target particular categories of data in unique (and frequently outmoded) situations:

  • Only communication between you and covered entities, such as physicians, hospitals, pharmacies, insurers, and other such organizations, is covered by the Health Insurance Portability and Accountability Act (HIPAA), which has little to do with privacy. People tend to think HIPAA covers all health data, but it doesn’t. For instance, the law does not protect your Fitbit data, nor does it restrict who can inquire about your COVID-19 vaccination status.
  • Information in your credit report is protected by the Fair Credit Reporting Act (FCRA). It places restrictions on who can access credit reports, what data the credit agencies can gather, and how information is acquired.
  • Who can seek student educational records is specified in the Family Educational Rights and Privacy Act (FERPA). This involves granting the right to view education records kept by a school to parents, qualified students, and other schools.
  • Consumer financial products, such as loan services or investment advising services, are required to disclose how they share data as well as a customer’s right to opt out under the Gramm-Leach-Bliley Act (GLBA). As long as they declare such use in advance, the law does not impose restrictions on how businesses utilize the data they acquire. It at least makes an effort to put safeguards around the security of some personal information.
  • Government wiretapping of phone calls and other electronic signals is prohibited by the Electronic Communications Privacy Act (ECPA) (although the USA Patriot Act redefined much of this). Additionally, it establishes a wide range of guidelines for communication monitoring by employers. The ECPA was passed in 1986, and critics frequently point out how out of date it is. The ECPA does not defend against contemporary surveillance techniques, including law enforcement access to older material saved on servers, in cloud storage documents, and in search queries because it was written before the era of the modern internet.
  • The Children’s Online Privacy Protection Rule (COPPA) places restrictions on how much information businesses can gather about children under the age of 13 in their databases.
  • The sharing of VHS rental records is prohibited by the Video Privacy Protection Act (VPPA). Although it may seem absurd now, this regulation was created as a result of a journalist retrieving Robert Bork’s video rental history when he was a candidate for the Supreme Court. However, the VPPA hasn’t prevented streaming firms from operating.
  • A website or app that violates its own privacy statement may be targeted by the Federal Trade Commission (FTC) under the Federal Trade Commission Act (FTC Act). The FTC has the authority to look into instances of misleading users by claiming that video chats are end-to-end encrypted. This is what it did when it filed a complaint against Zoom. Recently, some organizations have urged the FTC to extend that authority to unlawful data practices.

It’s understandable how people could become perplexed about the rights they have and do not have, given the variety of laws in existence. Additionally, there are a few state statutes in addition to these federal laws.

The California Consumer Privacy Act (CCPA) from 2018 and the California Privacy Rights Act (CPRA), which California voters approved in November 2020, are having a significant impact on the landscape of privacy and data security, alongside the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (ColoPA or CPA).

These three US states have three distinct, comprehensive consumer privacy laws. These laws give an extra layer of data protection only to residents of those states, regardless of where a firm is situated.

These laws contain similar provisions that usually offer you some kind of notice and let you decide how your data is handled. In essence, a business operating under these standards is required to inform you if it is selling your data. You also have the option of agreeing or disagreeing with this, and you have the right to access, delete, correct, or move your data as you see fit. Some other minor differences between these laws are the permitted cure periods (the amount of time a business has to correct an error), the size or income level of businesses the law applies to, and whether you can use tools or authorized agents for opt-out requests (such as a setting in your web browser that automatically opts you out of data sales on a web page, or a service where another person makes opt-out requests for you).

The privacy laws in California contain a limited private right of action – the capacity to bring a lawsuit against a company – against specific categories of data breaches, according to the experts, making them the strongest in the US. California also mandates a global opt-out to stop data sharing across all devices or browsers, as opposed to being required to opt out on each website separately. At the same time, it’s very difficult to establish the same purpose for the VCDPA; most professionals consider the VCDPA a really weak law. Its foundation is opt-out consent. There are no safeguards for civil rights. No private right of action exists. Many of the provisions support various company models. The act essentially permits big data collection businesses to carry on as before. None of that should come as a surprise, given that Amazon had a significant influence on the creation of Virginia’s statute.

At least four other states, including Massachusetts, New York, North Carolina, and Pennsylvania, are currently debating important, comprehensive legislation pertaining to the protection of consumer data. Laws in other states differ and are at earlier stages. The International Association of Privacy Professionals offers a tracker that displays which states have privacy legislation in development and how far along those laws are in the legislative process. It can be challenging to keep track of the status of all these proposals. At least 14 of the proposals are identical (or almost identical) to Virginia’s laxer statute.

There are state-level laws that specifically protect certain facets of data privacy, similar to how there are regulations at the federal level. Missouri has laws governing e-book privacy. People have privacy rights over their biometric information, such as fingerprint or face scans, thanks to the Illinois Biometric Information Privacy Act (BIPA). Knowing your rights when it comes to data-breach notifications is particularly difficult because there are at least 54 distinct regulations that differ by location.

Such state regulations are nevertheless helpful, despite the fact that they can be difficult to understand. While the idea is to raise the privacy bar, it’s worth noting that when regulatory requirements are raised, businesses frequently decide to apply the tougher, more protective norm across the board for everyone.

Additionally, there is a chance that having too many state rules may make things confusing for both businesses and customers. A nationwide law would simplify things for everyone. In fact, to ensure that customers are aware of and have reasonable expectations regarding their rights over their data, there has to be federal legislation that takes a much more consistent approach to problem-solving.

The FTC

The FTC is an independent body of the US government whose main duties include promoting consumer protection and upholding civil (non-criminal) US antitrust law. Together with the Department of Justice Antitrust Division, the FTC is responsible for overseeing federal civil antitrust enforcement. The Federal Trade Commission Building in Washington, DC, serves as the organization’s headquarters.

In reaction to the monopolistic trust crises of the 19th century, the Federal Trade Commission Act, which became law in 1914, formed the FTC. Since its founding, the FTC has enforced both the provisions of the FTC Act, 15 U.S.C. 41 et seq., as well as the provisions of the Clayton Act, a significant antitrust act. The FTC has issued a number of regulations and has been given authority to enforce more company regulation laws over time.

The FTC currently has the broadest federal authority over safeguarding customer privacy. Through the FTC Act of 1914, Congress initially established the agency to enforce antitrust laws. However, in 1938, Congress expanded the agency’s authority under Section 5 of the FTC Act to include the prohibition of unfair or deceptive acts or practices, adding consumer protection issues to its purview. Since then, through laws like the Fair Credit Reporting Act and the COPPA, Congress has also granted the FTC greater statutory authority to protect privacy.

Despite these extra regulations, the FTC’s scope of authority is constrained, which makes it difficult to trust the organization to protect privacy. The agency is not only underequipped to enforce privacy laws, but it also lacks a track record of doing so. It is uncertain whether tougher enforcement would result from Congress giving the agency more power and funding to protect privacy.

An overview of Section 5 of the FTC Act

Consumer privacy has been compromised by unfair data-gathering methods and spying, and this constant and unwanted observation causes consumers significant harm. This paper makes the case that the FTC ought to use its Section 5 unfairness authority to create a data minimization rule that would forbid all secondary data uses with a few exceptions, ensuring that people can use apps and online services without fear of being tracked without taking additional precautions. A right to opt out of secondary data use, including worldwide opt-out controls and databases, is also mandated. The FTC is allowed to decide whether to restrict certain secondary data uses, such as behavioral advertising or the use of sensitive data.

The FTC should also adopt data security requirements, access, portability, correction, and deletion rights, as well as obligations for data transparency for initial data use and civil rights protections over discriminatory data processing. These additional provisions would supplement the data minimization rule. Additionally, the FTC ought to forbid the use of dark patterns in data processing.

The FTC has a broad ability to enact prescriptive regulations in an effort to prevent commercial practices that could harm consumers. These privacy laws are likely to withstand First Amendment examination because the courts typically accord expert agencies wide deference when interpreting their substantive statutes.

NIST and FTC

The five core functions of the NIST Cybersecurity Framework can be used by businesses to establish or enhance a data security program, examine current data security procedures, or communicate data security requirements to stakeholders. The Framework’s five core functions can also be used as a model by businesses of all sizes to conduct risk assessments and mitigation. And as the FTC’s enforcement actions demonstrate, businesses might have better protected the information of their customers if they had adhered to basic security procedures, such as those outlined in the Framework.

Additionally, given that the FTC’s enforcement actions are in line with the core functions of the Framework, businesses should read Start with Security, a publication from the FTC that outlines the lessons learned from the agency’s data security cases and offers helpful advice for lowering cybersecurity risks. The nation’s cybersecurity standard will be raised, and more comprehensive consumer data protection will result from executing the risk management strategy outlined in the Framework with a reasonable amount of rigor, as businesses should do.

Positively, the FTC acknowledges that the NIST Cybersecurity Framework is consistent with the organization’s long-standing approach to data security and that it might be a helpful tool for businesses creating and assessing a data security program. There is no silver bullet to create acceptable data protection, as an old FTC blog post reiterates (https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/nist-framework). In the end, solid policies and practices must be carefully designed, put into practice, and enforced in order to lessen the effects of cybersecurity events and intense regulatory scrutiny.

BYOD

You have probably wondered what BYOD is. The technology trend known as BYOD enables employees to execute work-related tasks on their personal mobile devices while also connecting to a corporate network and resources.

Employers are increasingly allowing employees to use their personal mobile devices to do work-related tasks and connect to the corporate network and resources (BYOD).

As a result, many businesses allow their employees to access the corporate network from home or to concentrate all company information on their personal smartphones, eliminating the need for them to carry two mobile devices.

There are several disadvantages associated with BYOD as well, including the risk that inadequate security measures pose to sensitive data.

BYOD is a notion that has many consequences for how a workplace is run and is not just about bringing your own gadgets to work.

And how did this phenomenon become more widespread? The most frequent situation up until a few years ago was when users were less technologically advanced than businesses. For instance, a lot of people didn’t have a computer at home but did have one at work, and the majority of people who had a mobile phone or a laptop had them because their employer had given them to them. Consumer technology advancements have bucked this trend, and today it is more typical for users to have technology that is more sophisticated, effective, and efficient than that provided by the business itself.

Like every form of working, BYOD has advantages and disadvantages. Let's examine the benefits and drawbacks of this trend.

Benefits of BYOD

If it weren’t for the numerous benefits it offers, the BYOD phenomenon would not have taken off in the business world. Increased employee productivity is the biggest advantage; employees perform better and collaborate with coworkers more effectively because they feel more at ease using the apps and devices they choose for themselves, based on their personal preferences.

The second benefit mentioned by IT managers is that BYOD increases job satisfaction because employees can use the same terminals they typically use at work, which makes them happier and more content with their jobs. Another advantage, especially for those in control of European IT departments, is that BYOD reduces the cost of purchasing technology. Employees may pay the entire or partial cost of their mobile devices, and cloud-based software is available for them as well.

BYOD offers a lot more benefits. On one hand, it gives workers the freedom to choose when and where to do their work, giving them more flexibility. Additionally, since a worker frequently carries their smartphone, they are available to work anytime they need to, which enhances customer service.

Disadvantages of BYOD

BYOD is not entirely beneficial, and improper BYOD deployment can lead to a number of annoyances for both employers and employees.

The risk that BYOD poses to the security of a business network and the protection of sensitive company data is the main issue with its widespread adoption. Without adequate security measures or a remote data deletion system, the finder of, say, a lost employee’s smartphone could have access to confidential company data.

Also, the entire business network may get contaminated if a user connects to it using a device that has malware on it.

Another disadvantage is that it uses up more network resources, necessitating an increase in those resources in order to support the connection of all devices. Additionally, since the most widely used applications incorporate multimedia components, more bandwidth is used.

Finally, the expansion of all kinds of terminals and applications necessitates the strengthening of IT support and maintenance teams, who must deal with the issues of a wide range of hardware and software.

Managing mobile devices

It is crucial to have a Mobile Device Management (MDM) system to control and monitor the devices that connect to a corporate network and ensure the security of the network and the company’s data.

These apps, among many other things, enable remote application installation, file syncing, and device tracking.

These are MDM applications’ most typical features:

  • The extensive installation of applications on network-connected terminals
  • Control over the available apps
  • Device access management
  • A device’s location and tracking
  • Lock file synchronization as a functionality
  • The restriction of telephone and data usage
  • Setting a lock password from a server and remotely deleting data from any terminal

In conclusion, these are the crucial features that ensure corporate network management and business security.

Criteria and recommendations

The risks associated with BYOD are mitigated by a sound security policy. The majority of large businesses now have a policy governing access to the corporate network by devices owned by third parties; the issue is that many businesses are not ready to implement mobile initiatives.

To ensure BYOD’s safety, a number of factors must be taken into consideration. First, corporate network services and access must be secured. All devices that connect to the network also require an extra layer of protection.

Finally, it’s critical to protect data transfer by encrypting the data. Giving employees the information they need to utilize a company network safely is a highly recommended practice.

Remote working

The last few years have seen a rising trend of employees wanting to work remotely. This idea expands the idea of merely working from home or a co-working place (the use of an office or other working environment by people who are self-employed or working for different employers) and allows you to work from anywhere.

Gig workers and digital nomads have become accustomed to this; according to data from 2020, about 5 million Americans identify as such. With the COVID-19 epidemic demonstrating the effectiveness of remote labor and several locations opening their doors to digital nomads, the idea seems certain to gain traction in the next few years.

Security issues

As more people started working remotely during the epidemic, cybersecurity incidents significantly rose, as thieves tried to profit from the pandemic’s stress and disruption as well as the larger attack surface they could now target.

Due to the epidemic, most industries shifted to remote work; however, this offered new attack surfaces for cybercriminals to exploit, such as the use of personal devices for work.

The pre-pandemic environment, when work was mostly carried out in a physical workspace, did not necessitate forcing employees and security teams to think about security in this way.

To set up safe and secure remote-working environments, companies require employees to be much more conscious of things that they wouldn’t need to be aware of when they’re working in the office. Who, for example, is standing behind us? Am I neglecting to watch my device? How well-protected is the network I’m using? Do I allow my family to use my device?

Important ramifications

The so-called insider danger that firms face has significantly increased as a result of a remote workforce. Insider risks have become more frequent and expensive during the COVID-19 era, as you can see by glancing at the statistics.

While we might imagine insider threat concerns as the domain of a disgruntled employee behaving deliberately, the vast majority of leaks and breaches are merely the result of carelessness and incompetence.

The results are consistent with those of a recent study by the University of Central Florida, which discovered that stressed-out personnel are far more prone to violate security rules and procedures. In fact, the researchers discovered that the most frequent type of violation occurs when observing the rules slows down employees and they break the rules to maintain their productivity.

However, the costs of such negligence have been estimated at up to $500,000, while major firms (those with 75,000 or more people) spent an average of $22.68 million to resolve insider-related problems.

Keeping a remote workforce secure

Some steps are easy to implement, and organizations can adopt them right away: requiring more secure passwords, implementing two-factor authentication, making sure all devices are fully patched with the most recent software updates, and training staff members on secure practices, particularly in recognizing the types of phishing attacks that continue to make up the majority of cyberattacks today.

In an effort to provide secure remote access connections between employees and their private corporate network, virtual private networks (VPNs) are also frequently used. While VPNs can be very useful, they can also pose a lot of hazards, particularly if the network is not configured properly. Indeed, a standard VPN was used to carry out the Colonial Pipeline attack.

With stronger security than Wi-Fi or even VPNs, 5G promises to provide distant workers with more robust connectivity. With remote workers having the choice to use unlimited data alternatives as their primary connection to the workplace, 5G is expected to be a viable alternative to Wi-Fi thanks to the reduced latency it promises.

Through the use of anti-tracking and anti-spoofing capabilities, 5G technology has encryption built in. It also makes use of network slicing, which enables the splitting of a network into a number of virtual networks, each with its own set of security safeguards. This would make it possible to assign specific controls to significant individuals inside an organization in an effort to fend off whale phishing, which occurs when such VIPs are targeted by criminals because of their importance.

A multifaceted strategy

The improved capabilities of 5G mean that many more devices are likely to be connected, and IoT devices increase the number of potential vulnerabilities within your network. However, 5G is not without its own concerns. An expanding number of non-business IoT devices are now connected to corporate networks, such as pet feeders, coffee makers, and fitness equipment. These applications, or at least the majority of them, are dependent either on Wi-Fi or 5G. The latter provides greater authentication, so I can’t pretend to be you and you can’t pretend to be me, as you could in the past. However, from the perspective of corporate security, 5G technology might not be distinguished from other forms of connection because no technology should be trusted a priori.

Following COVID-19, it appears that remote work will continue to be popular, thus businesses must master cybersecurity to prevent their remote workforce from becoming easy prey for hackers. Although 5G can play a role in this, the best security is likely to result from a mix of other network features that go beyond the connection method itself.

The majority of security teams don’t care whether you are working from the office or from home. They assume that connections outside your workplace are suspect and the workplace environment will be vulnerable to attack. Because of this, the great majority of assaults can be avoided by making sure passwords are safe, software is patched, and staff have a fundamental understanding of cyber hygiene and phishing awareness so that they don’t put themselves in vulnerable positions.

In order to give remote workers the flexibility they want while keeping the security that is so important to the modern organization, there is an entire program available that consists of policies, tools, training, and other elements.

Assisting the transformation

We now live in a society where workers are progressively demanding more flexibility; organizations shouldn’t rush to resume regular programming (that is, working from the office on a daily basis; at the least, a hybrid model is desirable). What makes sense for hybrid models today might not be as effective in 6 months; therefore, this is an opportunity to reconsider our strategy for hybrid working.

Remote workers value third spaces, such as cafes, bars, and even pubs, where they can work remotely. The pandemic has seen much of the cybersecurity focus on making sure that home environments are as secure as possible.

Working in a third space raises the stakes, since these spaces, while giving workers the flexibility they seek, also significantly raise the risk from a cybersecurity standpoint. At the same time, every organization can see flexibility as a business requirement, so they have to find out how to make it work.

Computer safety

Fortunately, attaining adequate cyber hygiene to thwart the vast majority of intrusions doesn’t necessitate cutting-edge equipment or a highly qualified security group. Organizations must just make sure that the fundamentals of cyber hygiene are followed. This comprises the following:

  • A two-factor authentication (2FA) process. Most credential-based assaults are thwarted by multi-factor authentication (MFA) or 2FA. With the kind of passwordless technology that is becoming more and more common in contemporary software, this is simpler than ever. Wherever it is feasible, MFA should be enabled.
  • Least privilege accessibility. Using MFA to protect login to vital accounts is important, but it’s also crucial to make sure that each account has access to only the systems they actually require. In fact, researchers contend that different accounts should be used for email and internet browsing than for accessing privileged systems.
  • Maintain device updates. Having the most recent patches and updates from a manufacturer is a fundamental necessity for every device connected to a network. Using endpoint management software, you can help make sure this occurs throughout the network.
  • Install malware-detecting software. Ensuring malware protection software is installed and used in addition to more conventional antivirus software is another easy measure to take. This software frequently offers both protection from assaults and alerts that an attack is being attempted.
  • Safeguard data. All of the aforementioned measures can prove to be quite efficient in protecting crucial organizational data, but it’s also crucial that businesses have a clear awareness of the data they possess, as well as its relative sensitivity and significance. In fact, this is frequently required by laws such as the GDPR and supports a risk-based approach to data governance.

The integration of cyber hygiene training into employee onboarding is going to be a vital component to ensure that a diverse workforce is a secure workforce, as we become more accustomed to a hybrid way of working.
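The MDM capabilities and the cyber hygiene rules listed in this chapter can be combined into a single access decision for each personal device. The following is an added example, not code from the book or from any MDM product; the field names, the 30-day patch threshold, the role-to-scope map, and the device inventory are constructed assumptions.

```python
"""BYOD access gate: constructed example, not taken from any MDM product."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy values; set them from your own risk assessment.
MAX_PATCH_AGE = timedelta(days=30)
ROLE_SCOPES = {
    # Least privilege: the account used for email and browsing is kept
    # separate from the account used for privileged systems.
    "standard": {"email", "intranet"},
    "privileged": {"prod-admin"},
}


@dataclass
class Device:
    device_id: str
    account_role: str
    last_patched: date          # date of the last installed security update
    encrypted: bool
    lock_password_set: bool
    mfa_enrolled: bool
    malware_protection: bool
    reported_lost: bool = False
    requested_scopes: set = field(default_factory=set)


@dataclass
class Decision:
    action: str                 # "allow", "quarantine" or "lock_and_wipe"
    granted: set
    reasons: list


def evaluate(device: Device, today: date) -> Decision:
    """Apply the hygiene rules in order of severity and return one decision."""
    # A lost device is handled first: lock it and delete corporate data
    # remotely, whatever its posture was before it went missing.
    if device.reported_lost:
        return Decision("lock_and_wipe", set(), ["reported lost"])

    reasons = []
    if not device.mfa_enrolled:
        reasons.append("MFA not enrolled")
    if today - device.last_patched > MAX_PATCH_AGE:
        reasons.append(f"patches older than {MAX_PATCH_AGE.days} days")
    if not device.malware_protection:
        reasons.append("no malware protection")
    if not device.encrypted:
        reasons.append("storage not encrypted")
    if not device.lock_password_set:
        reasons.append("no lock password")
    if reasons:
        # Non-compliant devices stay off the corporate network until fixed.
        return Decision("quarantine", set(), reasons)

    # Compliant device: grant only the scopes the account role permits.
    allowed = ROLE_SCOPES.get(device.account_role, set())
    granted = device.requested_scopes & allowed
    denied = device.requested_scopes - allowed
    notes = [f"scope denied for role: {s}" for s in sorted(denied)]
    return Decision("allow", granted, notes)


# Constructed inventory; the date is fixed so the result is reproducible.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("phone-01", "standard", date(2024, 5, 20), True, True, True, True,
           requested_scopes={"email", "prod-admin"}),
    Device("laptop-02", "standard", date(2024, 3, 1), True, True, False, True,
           requested_scopes={"email"}),
    Device("phone-03", "standard", date(2024, 5, 25), True, True, True, True,
           reported_lost=True, requested_scopes={"email"}),
    Device("tablet-04", "privileged", date(2024, 5, 28), True, True, True, True,
           requested_scopes={"prod-admin"}),
]


def run(inventory=INVENTORY, today=TODAY):
    """Evaluate every device and return {device_id: Decision}."""
    return {d.device_id: evaluate(d, today) for d in inventory}


if __name__ == "__main__":
    for dev_id, dec in run().items():
        print(dev_id, dec.action, sorted(dec.granted), dec.reasons)
```
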

What privacy rights are available to employees?

Because there are typically few employee privacy rights at work, employees have very few electronic privacy rights when working from home. Employers have the right to observe how you use company-provided technology and computer networks, including how you type, save your data, access websites, and use your work email, in accordance with federal law and legal precedent.

Email privacy rights only apply to personal accounts; they do not apply if you are using company hardware or a network. Additionally, if someone forwards a post you create to a password-protected social media site on your own time on a company laptop, your employer may still take legal action against you.

What exemptions exist to worker monitoring?

There are a few exceptions to worker monitoring. Generally speaking, it is against the law for companies to record employees in break rooms or restrooms; however, it’s unclear how this applies in the age of virtual meetings. Genetic information and union organizing-related messages cannot be legally read by employers, and union contracts may completely forbid monitoring.

While in the EU the situation is different, in the US barely half of the states prohibit companies from requesting employees’ social media passwords, while Connecticut and Delaware state laws compel employers to declare that they are monitoring employee email. Selective employee monitoring based on race, gender, or other demographics might be against the law.

And it’s unclear how closely businesses can watch what employees do on personal devices such as smartphones or PCs that they own but use for work, as there have been no legal precedents.

Do employees know what information employers can access?

The simplest method of preserving your right to digital privacy may be to learn what your employer is watching and refrain from doing any sensitive business through that channel.

The most crucial factor is to prevent your information and habits from being tracked. Choosing sites where your employer doesn’t have access to your information, as well as knowing exactly who has access to it, can be crucial for your peace of mind.

To learn what information a company can access, you might have to ask your employer, or you might find an explanation in the employment agreement or the company’s privacy policy. Unfortunately, most employers are not required to respond honestly, and refusing to give your permission could result in your termination. According to the workers’ rights charity Workplace Fairness, at least one instance saw a judge finding that a company had the right to monitor employees’ email, even when it explicitly stated it wouldn’t.

Should employees bring personal equipment to work?

The best approach to preserve your privacy is to conduct all personal business using technology that you individually own; however, some workplaces might not allow this. Anytime you utilize an employer’s hardware, email system, or software, it risks being exposed to your employer, and using, for instance, a BYOD device isn’t ideal if you’re looking to change jobs. Therefore, it’s even more crucial that you are cautious of the gadget you use, especially while you’re at home.

You shouldn’t be signed in to any workplace networks. If your computer is connected to a company’s network, your employer can see what you’re doing even when you’re not actively using the connection, for example through background services.

There aren’t many straightforward legal issues. However, it’s safe to assume that unless you log on to your boss’s network, you are completely safe from intrusion by your boss when you use your personal computer for anything. The point is, since you are somehow using company infrastructure, company VPN, for instance, the company can check what you are doing.

However, when telecommuting becomes the norm, employees might be increasingly resistant to surveillance.

Employing these kinds of tools makes your staff more stressed. Additionally, it lowers employee morale. Therefore, it may not be an optimal company plan.

Summary

In this chapter, we looked at the status of US privacy, including FTC Section 5 and all the relevant bills (HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, VPPA, CCPA, CPRA, VCDPA, and ColoPA), trying to understand whether the US will eventually have just one national law. Then, we discussed common topics such as BYOD and using a business laptop to mind your own business, mostly from a privacy perspective.

With this chapter, our journey into cybersecurity and privacy has ended. I sincerely hope you enjoyed the reading and learned new things (or old things from a different perspective).

Stay safe, and remember – humans are the weakest link in the cybersecurity chain.
