Cybersecurity 2025

USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields

interception of content and non-content data, respectively.

In addition to these cybersecurity-specific laws and regulations, some more general regulations have been enforced with regard to cybersecurity. For example, Section 5 of the Federal Trade Commission Act empowers the Federal Trade Commission (FTC) to regulate and enforce against unfair or deceptive trade practices in general. The FTC and federal courts have interpreted this regulation to permit the regulation and enforcement of cybersecurity where companies’ security practices (and public representations concerning those practices) may qualify as unfair or deceptive.

Finally, in addition to federal regulation, many states impose cybersecurity obligations through statute or regulation. Some states require by statute that companies take reasonable measures to protect sensitive personal information of state residents, with varying levels of specificity as to what measures are required or will be deemed reasonable if employed. Other states have more developed regulatory regimes, including the California Consumer Privacy Act. For more details on cybersecurity regulations promulgated by New York State’s Department of Financial Services (NYDFS), see 6.2 Cybersecurity and AI.

1.3 Cybersecurity Regulators

At the federal level, the main cybersecurity regulators include:

• the FTC, which – as noted in 1.2 Cybersecurity Laws – regulates cybersecurity as part of its broad authority to regulate and enforce against unfair or deceptive trade practices;
• the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS), which investigate and prosecute federal criminal activity, including cyber-intrusions and cyber-enabled crime;
• the DHS, which regulates critical infrastructure and other aspects of national security;
• the Department of Health and Human Services (HHS), which enforces HIPAA regulations – including those related to data protection – over covered providers; and
• the SEC, which regulates publicly traded companies and imposes disclosure obligations following cybersecurity breaches.

Federal regulators have the authority to promulgate regulations with the force of law following a public notice-and-comment process, as well as to enforce those regulations through civil investigations (including compulsory disclosure of documents and testimony) and litigation.

At the state level, cybersecurity may be regulated by state Attorneys General or subdivisions within their offices. Some states have established cybersecurity-specific agencies, such as the Utah Cyber Center, and others have conferred authority to sector-specific regulators, such as the NYDFS. For more detail on the NYDFS, see 6.2 Cybersecurity and AI.

2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation

In the USA, CIRCIA requires critical infrastructure entities to report covered cyber-incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. The applicable rules for covered entities under CIRCIA are still under
