Cyber Law
This course gives a broad knowledge of constitutional, civil, criminal, and related legal considerations that arise in the context of work or citizenship in an increasingly cyber/digital world. This broadened awareness will help everyone who takes this course to successfully navigate and strengthen personal and professional choices as they move ahead.
Assignment 1
MEMORANDUM
To: Governor Karras
From: Mahmood Al Hasani
Class: CYSE 406
Date: September 28th, 2024
Title/Subject: Addressing Data Protection and Privacy Concerns in the State of Mongo
Greetings,
Governor Karras. In light of the concerns expressed by our constituents regarding the collection and utilization of personal data, I have composed this memorandum to explain the main issues with data protection and privacy. The absence of privacy legislation in the State of Mongo is leading to dissatisfaction among residents, especially concerning biometric data and other sensitive personal information. This memorandum outlines the necessity of tackling these concerns, clarifies essential terminology, and offers recommendations for potential legislative actions that Mongo might consider implementing.
- Understanding Data Protection and Privacy Concerns
Data protection and privacy concerns pertain to the gathering, retention, and utilization of personal information by organizations, frequently occurring without the awareness or consent of the individual. Constituents are concerned that their data is being accessed in ways that violate their privacy rights.
These concerns are critical for multiple reasons:
- Protection of Personal Information: In the absence of adequate protections, sensitive data, such as financial or medical records, may be misused or stolen, leading to fraud or identity theft.
- Right to Privacy: Many constituents feel that they should have control over who can access their personal data and how it is used. They seek reassurance that their information is not being misused for purposes to which they have not agreed.
Given the right of citizens to understand how their personal information is managed and to safeguard themselves against potential risks like fraud and identity theft, it is crucial to address these concerns.
- Establishing Fundamental Terminology and Concepts
A few terms that were mentioned by our constituents need explanation to better understand the issues:
- Biometric Data: This refers to personal data derived from a person's physical characteristics and used to verify their identity, such as fingerprints, voice recognition, facial recognition and retina scans. The most common use of biometric data is to unlock smartphones; however, the unauthorized collection of this data can pose considerable risks to that specific individual.
- Personally Identifiable Information (PII): PII is any information that can identify a person, such as names, addresses, Social Security numbers and even Internet Protocol addresses. When this data is handled improperly, it can lead to identity theft and other privacy violations.
- General Data Protection Regulation (GDPR): The GDPR is a law implemented in the European Union that gives people significant control over their personal data. Key points include:
- The right to be informed about data collection.
- The right to access, correct, or delete personal data.
- Organizations are required to secure clear consent before collecting and processing personal data.
The United States has federal laws in place protecting specific types of data, such as HIPAA for health information and GLBA for financial data. However, there is no overarching federal legislation like the GDPR to protect all forms of personal data.
- Legislative Suggestions for the State of Mongo
Since Mongo currently has no law covering data privacy, here are a few suggestions on areas where the state could take action.
- Biometric Data Protection: A new law could require organizations to get clear permission before collecting or storing biometric data. This would ensure the sensitive information isn’t used without the individual’s consent. Illinois’ Biometric Information Privacy Act (BIPA) is a great example for drafting this kind of legislation.
- Data Breach Notification Law: A law could be put in place to require companies to notify people if their data gets compromised. This would give everyone a chance to take steps to protect themselves if a security breach happens.
- Data Minimization: Mongo could also put in place laws that limit the amount of personal data companies and organizations can collect. This would reduce the amount of personal data held by outside organizations, which would significantly lower the chances of misuse.
- Feasibility of Enacting GDPR-like Laws in Mongo
Adopting a law like the GDPR could offer solid protections, but there are both advantages and challenges to think about.
Pros:
- Better Privacy Protections: GDPR-style rules would ensure personal data is treated carefully and transparently, giving people more control over their information.
- Boost in Consumer Trust: Businesses that follow strict data protection laws could build more trust with customers, making them feel safer about sharing their info.
Cons:
- Impact on Small Businesses: Small and medium-sized companies might find it hard to meet the requirements, as following GDPR-style rules can be expensive and time-consuming.
- Administrative Costs: Setting up and managing these laws would need a whole new regulatory system, which could be costly for the state.
While the GDPR is a strong model, it might make more sense for Mongo to take some of its ideas and adjust them to fit the state’s unique needs and economic situation.
Conclusion
Governor Karras, it’s clear that the people of Mongo are concerned about protecting their personal and biometric data. We need to pass laws that focus on getting clear consent, limiting how much data is collected, and making sure residents are informed quickly if a breach happens. By introducing these kinds of measures, we can create a safer and more transparent digital environment. While laws similar to GDPR can come with some challenges, they also offer a great opportunity to strengthen data protection and privacy for everyone in our state.
References
Electronic Privacy Information Center (EPIC). "Biometric Privacy." https://epic.org/issues/surveillance-oversight/face-surveillance/
European Union. "General Data Protection Regulation (GDPR)."
National Conference of State Legislatures (NCSL). "Data Breach Notification Laws."
Assignment 2
MEMORANDUM
To: Representative Tito Canduit, 26th District of Virginia
From: Mahmood Al Hasani, Legislative Research Aide
Class: CYSE 406
Date: November 4th, 2024
Title/Subject: Cybersecurity Information Sharing Act (CISA) of 2015 – Background and Analysis
Greetings,
After researching recent cybersecurity legislation, I have found that the Cybersecurity Information Sharing Act (CISA) of 2015 stands out as a foundational law for strengthening our national cybersecurity defenses. Although this law has been in place for almost a decade, it's especially relevant as cyber threats continue to evolve, impacting American citizens and businesses alike. Below, I have outlined the key points of the act, its intentions and effectiveness, along with recommendations that could help emphasize your commitment to securing our constituents against cyber threats.
Law Summary and Current Status
The Cybersecurity Information Sharing Act (CISA) was enacted in December 2015 as part of the broader Consolidated Appropriations Act. The purpose of CISA is to improve information sharing mechanisms between the federal government and the private sector to detect, prevent, and respond to cyber threats more effectively and within a short time frame. Under CISA, companies can voluntarily share cyber threat indicators (CTIs) and defensive measures (DMs) with federal agencies without fearing legal repercussions, while the government shares cyber threat intelligence to help organizations protect their networks.
Problem Addressed by CISA
Before CISA, businesses often hesitated to disclose cyber threats or breaches due to concerns over liability, regulatory scrutiny, or reputational damage. This lack of communication created blind spots, as both government agencies and private companies had limited visibility into emerging threats and potential vulnerabilities across sectors. CISA aimed to address these issues by promoting a two-way flow of threat information, which helps both the government and businesses respond more quickly to attacks.
The timing of CISA's passage was critical, as high-profile breaches, such as those impacting major retailers and government agencies, had increased public awareness of cybersecurity vulnerabilities. These incidents highlighted the need for a coordinated response to cyber threats that transcends individual organizations. By fostering collaboration, CISA is designed to help entities better understand attack methods and trends, ideally reducing the overall impact of cyber incidents on U.S. infrastructure and the economy.
Does the Law Address the Problem?
CISA has made significant progress in fostering information-sharing, but there are areas for improvement. The law has allowed companies to share threat data with the Department of Homeland Security (DHS) and, through DHS, with other federal agencies. This has improved situational awareness and response times to cyber threats. However, CISA’s effectiveness has faced several challenges:
- Limited Private Sector Participation: Despite legal protections, some companies remain reluctant to share information, often due to privacy concerns, fears of regulatory backlash, or doubts about the effectiveness of shared data.
- Privacy and Data Security Concerns: There have been concerns that CISA could infringe on individual privacy rights if personal data gets swept up in threat information shared with the government. While the law includes guidelines to protect privacy, additional safeguards could strengthen public trust.
- Timeliness and Relevance of Shared Data: In a fast-moving threat environment, real-time information sharing is critical. Although CISA promotes sharing, the timeliness and usability of the information can sometimes be lacking, reducing its value in preventing or mitigating attacks.
Opportunities for Improvement
To address these issues, several adjustments to CISA could be considered to enhance its impact:
- Incentives for Participation: Additional incentives or tax benefits could encourage more businesses to participate in the information-sharing process. As it stands, voluntary participation relies heavily on companies prioritizing cybersecurity over potential risks of data disclosure.
- Enhanced Privacy Protections: Clearer protocols for anonymizing data before sharing could address privacy concerns, making participation more appealing to businesses and reassuring constituents who may worry about government surveillance.
- Improved Feedback Loops: The government could work to provide more actionable, specific feedback to businesses, helping them respond more effectively to threats. Establishing a feedback mechanism for companies to learn the outcomes or benefits of their shared information could make participation feel more valuable.
Constituent-Focused Observations
For constituents, CISA’s voluntary approach is reassuring, as it avoids excessive government intervention. This balance between national security and privacy protection can appeal to both individual voters and small to mid-sized business owners who seek cybersecurity support without additional burdens. Emphasizing this balance highlights the law’s collaborative spirit, appealing to voters who value privacy alongside robust cybersecurity measures.
Overall, the Cybersecurity Information Sharing Act has laid essential groundwork for a coordinated national response to cyber threats. While it’s been effective in certain areas, reinforcing privacy protections, improving data-sharing feedback, and encouraging broader participation could further enhance its impact. Highlighting these provisions in your communication with constituents can demonstrate your commitment to a balanced, effective cybersecurity policy that protects both their safety and their privacy.
References
“Cybersecurity Information Sharing Act of 2015,” U.S. Congress, https://www.congress.gov/bill/114th-congress/house-bill/1731
Grady, M. “How CISA 2015 Shapes Cybersecurity Policy,” CSO Online, https://www.csoonline.com/article/568801/2020-outlook-for-cybersecurity-legislation.html
National Institute of Standards and Technology, “Cybersecurity Framework and Information Sharing,” https://www.nist.gov/cyberframework