Cybersecurity 2025

USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields

1. General Overview of Laws and Regulators

1.1 Cybersecurity Regulation Strategy

The USA does not regulate cybersecurity under a single, general, nationwide regime. Instead, multiple overlapping regulatory regimes at both the federal and state level address cybersecurity in a sector- or jurisdiction-specific manner. The scope and substantive obligations imposed by each of these regulations address specific aspects of cybersecurity. These aspects can include:

• technical measures that can be implemented to mitigate the risk of unauthorised access to data;
• incident response procedures for when data breaches occur; and
• transparency and reporting requirements.

These regulations serve purposes such as protecting national security, safeguarding personal information (including specific regulations addressing sensitive financial data or health information), and promoting collaboration and innovation. For more information on sector-specific and national security-specific regulations, see 2. Critical Infrastructure Cybersecurity, 3. Financial Sector Operational Resilience Regulation, and 6.3 Cybersecurity in the Healthcare Sector.

1.2 Cybersecurity Laws

At the federal level, the main laws and regulations governing cybersecurity include:

• the Gramm-Leach-Bliley Act (GLBA) of 1999, which imposes security and transparency requirements on financial institutions’ handling of non-public personal information of customers (see 3.1 Scope of Financial Sector Operational Resilience Regulation for more detail);
• the Health Insurance Portability and Accountability Act (HIPAA), which regulates the protection of sensitive healthcare-related information (see 6.3 Cybersecurity in the Healthcare Sector for more detail);
• the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which regulates disclosure of cyber-incidents by critical infrastructure companies (see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation for more detail);
• laws and regulations imposing cybersecurity obligations on federal government agencies and contractors, such as the Defense Federal Acquisition Regulation Supplement (DFARS) and the Federal Information Security Management Act; and
• the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules requiring some publicly traded companies to report certain cybersecurity incidents and make disclosures about their cybersecurity strategy, cybersecurity governance, and cybersecurity risk management in public filings.

A number of federal laws and regulations criminalise hacking and otherwise regulate the use of information technology by individuals and law enforcement entities alike. By way of example, the Computer Fraud and Abuse Act criminalises unauthorised access to computer systems, and the Stored Communications Act regulates ISPs’ ability to voluntarily provide stored electronic communications and data to the government and also regulates the manner in which the government may seek compelled access to stored electronic communications and data through legal process. In addition, the Wiretap Act and the Pen Register Act criminalise the unlawful
