Across the 50 states and the federally-regulated industries, a large number of statutes and
regulations govern cybersecurity. Proposals for new cybersecurity laws are constantly
being debated by Congress and state legislatures. Given the breadth of existing laws and the
possibility that new laws will be enacted in the near future, an important skill to develop is
the ability to read and analyze cybersecurity statutes and regulations on your own.
Choose one of the federal or state laws listed below to analyze. Use the internet to learn
about the scope and mechanics of the law. Using your own words, and drawing
appropriately from primary source materials (e.g., the statutory or regulatory text and any
guidance produced by the responsible agency), write a memo that synthesizes what the law is
and how it works with respect to information security or privacy.
Federal:
• [Student Records] Family Educational Rights and Privacy Act (FERPA)
• [Websites Directed at Kids] Children's Online Privacy Protection Act (COPPA)
• [Public Companies] Securities and Exchange Commission (SEC) rules and guidance on
cybersecurity, including:
o SEC's February 2018 guidance on public company cybersecurity risk disclosures and disclosure controls
o SEC Regulation S-P, Rule 30 (the "safeguards rule")
At a minimum, your memo should aim to address the following questions:
General:
• Is the law a statute or a regulation?
• If it's a regulation, what agency enacted it?
Scope:
• To whom does the law apply? What kinds of organizations?
• What kinds of information or activities does it target?
• What kinds of information or activities does it exclude or omit from its coverage?
Requirements or Prohibitions:
• What does the law prohibit or require of regulated organizations?
• Does an agency publish any implementation guidance? If so, what additional insights does
the guidance provide into the requirements or prohibitions?
• What, in your best estimation, is the purpose or spirit of the law? What does it seek to
accomplish through its prohibitions or requirements?
Enforcement:
• Which agencies, if any, are responsible for enforcement?
• How is the law enforced?
• Is there a private right of action that enables individuals to recover damages?
• Have there been any noteworthy or significant cases or enforcement actions related to the
regulation? If so, briefly describe one or two. What was the result?
Overall Reflections:
• As best you can tell, how does this law fit into the landscape of cybersecurity laws?
• Is there anything about the law that surprises you or that stands out as particularly
interesting?