| Area of Law | Act | Date | Description |
|---|---|---|---|
| Online commerce and information protection | Federal Trade Commission Act (FTCA) | 1914 | Recently used to challenge organizations with deceptive claims regarding the privacy and security of customers’ personal information |
| Telecommunications | Communications Act (47 USC 151 et seq.) | 1934 | Includes amendments found in the Telecommunications Deregulation and Competition Act of 1996; this law regulates interstate and foreign telecommunications (amended 1996 and 2001) |
| Freedom of information | Freedom of Information Act (FOIA) | 1966 | Allows for the disclosure of previously unreleased information and documents controlled by the U.S. government |
| Protection of credit information | Fair Credit Reporting Act (FCRA) | 1970 | Regulates the collection and use of consumer credit information |
| Privacy | Federal Privacy Act | 1974 | Governs federal agency use of personal information |
| Privacy of student information | Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99) | 1974 | Also known as the Buckley Amendment; protects the privacy of student education records |
| Copyright | Copyright Act (update to U.S. Copyright Law (17 USC)) | 1976 | Protects intellectual property, including publications and software |
| Cryptography | Electronic Communications Privacy Act (update to 18 USC) | 1986 | Regulates interception and disclosure of electronic information; also referred to as the Federal Wiretapping Act |
| Access to stored communications | Unlawful Access to Stored Communications (18 USC 2701) | 1986 | Provides penalties for illegally accessing communications (such as e-mail and voicemail) stored by a service provider |
| Threats to computers | Computer Fraud and Abuse (CFA) Act (also known as Fraud and Related Activity in Connection with Computers) (18 USC 1030) | 1986 | Defines and formalizes laws to counter threats from computer-related acts and offenses (amended 1996, 2001, and 2006) |
| Federal agency information security | Computer Security Act (CSA) | 1987 | Requires all federal computer systems that contain classified information to have security plans in place, and requires periodic security training for all individuals who operate, design, or manage such systems |
| Trap and trace restrictions | General prohibition on pen register and trap-and-trace device use; exception (18 USC 3121 et seq.) | 1993 | Prohibits the use of electronic “pen registers” and trap-and-trace devices without a court order |
| Criminal intent | National Information Infrastructure Protection Act (update to 18 USC 1030) | 1996 | Categorizes crimes based on defendant’s authority to access a protected computer system and criminal intent |
| Trade secrets | Economic Espionage Act | 1996 | Prevents abuse of information gained while employed elsewhere |
| Personal health information protection | Health Insurance Portability and Accountability Act (HIPAA) | 1996 | Requires medical practices to ensure the privacy of personal medical information |
| Encryption and digital signatures | Security and Freedom Through Encryption Act | 1997 | Affirms the rights of persons in the United States to use and sell products that include encryption and to relax export controls on such products |
| IP | No Electronic Theft Act amends 17 USC 506(a)—copyright infringement, and 18 USC 2319—criminal infringement of copyright (Public Law 105-147) | 1997 | These parts of the U.S. Code amend copyright and criminal statutes to provide greater copyright protection and penalties for electronic copyright infringement |
| Copy protection | Digital Millennium Copyright Act (DMCA) (update to 17 USC 101) | 1998 | Provides specific penalties for removing copyright protection from media |
| Identity theft | Identity Theft and Assumption Deterrence Act (18 USC 1028) | 1998 | Attempts to instigate specific penalties for identity theft by identifying the individual who loses their identity as the true victim, not just those commercial and financial credit entities who suffered losses |
| Child privacy protection | Children’s Online Privacy Protection Act (COPPA) | 1998 | Provides requirements for online service and Web site providers to ensure the privacy of children under 13 is protected |
| Banking | Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act) | 1999 | Repeals the restrictions on banks affiliating with insurance and securities firms; has significant impact on the privacy of personal information used by these industries |
| Accountability | Sarbanes-Oxley (SOX) Act (also known as the Public Company Accounting Reform and Investor Protection Act) | 2002 | Enforces accountability for executives at publicly traded companies; is having ripple effects throughout the accounting, IT, and related units of many organizations |
| General InfoSec | Federal Information Security Management Act, or FISMA (44 USC 3541, et seq.) | 2002 | Requires each federal agency to develop, document, and implement an agency-wide program to provide InfoSec for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source |
| Spam | Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act (15 USC 7701 et seq.) | 2003 | Sets the first national standards for regulating the distribution of commercial e-mail, including mobile phone spam |
| Fraud with access devices | Fraud and Related Activity in Connection with Access Devices (18 USC 1029) | 2004 | Defines and formalizes law to counter threats from counterfeit access devices like ID cards, credit cards, telecom equipment, mobile or electronic serial numbers, and the equipment that creates them |
| Terrorism and extreme drug trafficking | USA PATRIOT Improvement and Reauthorization Act (update to 18 USC 1030) | 2006 | Renews critical sections of the USA PATRIOT Act |
| Privacy of PHI | American Recovery and Reinvestment Act | 2009 | In the privacy and security area, requires new reporting requirements and penalties for breach of Protected Health Information (PHI) |
| Privacy of PHI | Health Information Technology for Economic and Clinical Health (HITECH) Act (part of ARRA-2009) | 2009 | Addresses privacy and security concerns associated with the electronic transmission of PHI, in part, through several provisions that strengthen HIPAA rules for civil and criminal enforcement |
| Defense information protection | International Traffic in Arms Regulations (ITAR) Act | 2012 | Restricts the exportation of technology and information related to defense and military-related services and materiel, including research and development information |
| National cyber infrastructure protection | National Cybersecurity Protection Act | 2014 | Updates the Homeland Security Act of 2002, which established the Department of Homeland Security, to include a national cybersecurity and communications integration center to share information and facilitate coordination between agencies, and perform analysis of cybersecurity incidents and risks |
| Federal information security updates | Federal Information Security Modernization Act | 2014 | Updates many outdated federal information security practices, updating FISMA, providing a framework for ensuring effectiveness in information security controls over federal information systems, and centralizing cybersecurity management within DHS |
| National information security employee assessment | Cybersecurity Workforce Assessment Act | 2014 | Tasks DHS to perform an evaluation of the national cybersecurity employee workforce at least every three years, and to develop a plan to improve recruiting and training of cybersecurity employees |
| Terrorist tracking | USA FREEDOM Act | 2015 | Updates the Foreign Intelligence Surveillance Act (FISA); transfers the requirement to collect and report communications to/from known terrorist phone numbers to communications carriers, to be provided to select federal agencies upon request, among other updates to surveillance activities |