Regimes
This site groups cases by legal and regulatory regime—the authority and legal theory that drives the outcome. Below are federal regulators, federal laws and regulations, state-level regimes, and executive orders that affect computer and cybersecurity.
Federal regulators
These entries follow the same order as the Federal laws and regulations section below: consumer and privacy, health, markets and intermediaries, banking and credit unions, then prosecution and intellectual property. The NAIC Insurance Data Security Model Law appears in the laws table; it is enforced by state insurance regulators rather than by a single federal agency.
| Regulator | Official link | Summary |
|---|---|---|
| Federal Trade Commission (FTC) | ftc.gov | Enforces Section 5 of the FTC Act, the FCRA (with other agencies), and GLBA Safeguards/Privacy for non-bank financial institutions; “reasonable security” and breach-related cases. |
| Consumer Financial Protection Bureau (CFPB) | consumerfinance.gov | Enforces Title X / Consumer Financial Protection Act authorities and many consumer financial laws in its jurisdiction (including data practices for covered products and markets). |
| Department of Health and Human Services, Office for Civil Rights (HHS OCR) | hhs.gov/hipaa | Enforces HIPAA Privacy and Security Rules and HITECH breach-notification and enforcement provisions for covered entities and business associates. |
| Securities and Exchange Commission (SEC) | sec.gov | Administers the Securities Exchange Act of 1934 and disclosure rules; cybersecurity and incident disclosure for public companies and registrants. |
| Commodity Futures Trading Commission (CFTC) | cftc.gov | Oversees derivatives markets under the Commodity Exchange Act; system safeguards, reporting, and operational resilience for registrants and designated market entities. |
| Financial Industry Regulatory Authority (FINRA) | finra.org | Self-regulatory organization for broker-dealers; rules and examinations on cybersecurity, vendor risk, and operational resilience (SEC oversees FINRA). |
| Board of Governors of the Federal Reserve System (Federal Reserve) | federalreserve.gov | Supervises bank holding companies and state member banks; applies interagency information-security guidelines and operational-risk expectations (with FFIEC handbooks). |
| Office of the Comptroller of the Currency (OCC) | occ.gov | Supervises national banks; implements interagency guidelines (e.g., 12 C.F.R. Part 30, Appendix B) and OCC cybersecurity and IT examination programs. |
| Federal Deposit Insurance Corporation (FDIC) | fdic.gov | Supervises insured state non-member banks; parallel interagency information-security standards and IT examination expectations. |
| National Credit Union Administration (NCUA) | ncua.gov | Charters and supervises federally insured credit unions; Part 748 security program and reporting; aligned interagency IT expectations. |
| Federal Financial Institutions Examination Council (FFIEC) | ffiec.gov | Interagency council (banking agencies plus NCUA); issues IT Examination Handbook and authentication guidance used in bank and credit union exams. |
| Department of Justice (DOJ) | justice.gov | Federal criminal prosecution of CFAA and Economic Espionage Act offenses; computer crime and national-security–related cyber cases (with FBI and U.S. Attorneys’ Offices). |
| U.S. Copyright Office | copyright.gov | Part of the Library of Congress; DMCA rulemaking (e.g., § 1201 anti-circumvention) and copyright registration that interacts with security research and technical controls. |
| U.S. Patent and Trademark Office (USPTO) | uspto.gov | Administers federal trademark registration; context for ACPA / Lanham Act disputes and domain-name conflicts involving marks. |
Federal laws and regulations
Entries are grouped as consumer and privacy, health, markets and intermediaries, banking and credit unions, insurance model standards, then criminal, trade secrets, copyright, and trademark (cybersquatting). All are relevant to cybersecurity, data protection, and supervision of technology risk.
| Law or regulation | Official link | Summary |
|---|---|---|
| Federal Trade Commission Act, Section 5 | FTC Section 5 | Prohibits unfair or deceptive acts or practices; basis for FTC “reasonable security” and breach-related enforcement. |
| Fair Credit Reporting Act (FCRA) | FTC – FCRA | Governs consumer reporting agencies, users of reports, and furnishers; imposes accuracy, permissible purpose, and disposal duties that affect breach response and vendor risk. |
| Gramm–Leach–Bliley Act (GLBA) | FTC – GLBA | Requires financial institutions to protect nonpublic personal information; includes Safeguards Rule and Privacy Rule enforced by FTC and banking agencies. |
| Dodd–Frank Wall Street Reform and Consumer Protection Act, Title X (Consumer Financial Protection Act of 2010) | CFPB – About us / statutory authority | Establishes the Consumer Financial Protection Bureau (CFPB) and assigns it rulemaking and enforcement authority over many consumer financial laws (including privacy and data practices in its markets). |
| Health Insurance Portability and Accountability Act (HIPAA) | HHS HIPAA | Sets privacy and security standards for protected health information; enforced by HHS OCR with civil and criminal referral. |
| Health Information Technology for Economic and Clinical Health Act (HITECH) | HHS HITECH / Breach Notification | Strengthens HIPAA enforcement and breach notification duties for covered entities and business associates. |
| Securities Exchange Act of 1934 and SEC disclosure guidance | SEC Division of Corporation Finance – Topic 2 (Cybersecurity) | Requires public companies to disclose material cybersecurity risks and incidents; SEC guidance clarifies timing and content of cyber disclosure. |
| Commodity Exchange Act and CFTC regulations (system safeguards, cybersecurity) | CFTC – Cybersecurity | Commodity Futures Trading Commission (CFTC) oversees derivatives markets; registrants face operational resilience, reporting, and system-safeguard expectations relevant to cyber risk. |
| Financial Industry Regulatory Authority (FINRA) rules and guidance | FINRA – Cybersecurity | FINRA is an SRO for broker-dealers; publishes rules and examination expectations for cyber programs, vendor risk, and operational resilience. |
| Interagency Guidelines Establishing Information Security Standards | eCFR – 12 C.F.R. Part 30, Appendix B (OCC) | Banking agencies’ baseline expectations for information security programs (also reflected in parallel parts for the Federal Reserve, FDIC, and NCUA). |
| Federal Financial Institutions Examination Council (FFIEC) | FFIEC – Cybersecurity resource page | Interagency body whose IT Examination Handbook and authentication guidance shape how examiners assess technology and cybersecurity at banks and related institutions. |
| Office of the Comptroller of the Currency (OCC) – cybersecurity and IT supervision | OCC – Cybersecurity | OCC bulletins and examination procedures for national banks’ information security, resilience, and third-party technology risk. |
| National Credit Union Administration (NCUA) – security program (e.g., Part 748) | NCUA – Part 748 | Requires federally insured credit unions to maintain a security program and report certain catastrophic acts; aligns with interagency expectations for cyber resilience. |
| National Association of Insurance Commissioners (NAIC) – Insurance Data Security Model Law (#668) | NAIC – Data security | Model law adopted in many states for insurers and producers: security program, breach investigation/notification, and oversight (state-variable implementation). |
| Computer Fraud and Abuse Act (CFAA) | 18 U.S.C. § 1030 | Criminalizes unauthorized access to protected computers and fraud in connection with computers; defines access boundaries and penalties. |
| Economic Espionage Act (EEA) | 18 U.S.C. Chapter 90 – Trade secrets | Criminalizes theft of trade secrets for the benefit of foreign entities or commercial advantage; shapes how organizations protect sensitive technical and business information. |
| Digital Millennium Copyright Act (DMCA) | U.S. Copyright Office – DMCA | Among other things, anti-circumvention rules (17 U.S.C. § 1201) affect security research, tooling, and how technical controls interact with copyright protection. |
| Anti-Cybersquatting Consumer Protection Act (ACPA) | 15 U.S.C. § 1125(d) | Civil remedies for bad-faith registration or use of domain names confusingly similar to distinctive marks or certain personal names; relevant to brand impersonation, phishing-related domains, and DNS abuse disputes. |
State and sector-specific
| Regime | Official link | Summary |
|---|---|---|
| New York Department of Financial Services, Part 500 (NYDFS 500) | NYDFS Cybersecurity | Cybersecurity regulation for covered financial institutions in New York; requires program, policies, CISO, and breach notification. |
| State attorneys general and state privacy laws | (varies by state) | State enforcement of consumer protection, data breach notification, and emerging comprehensive privacy statutes (e.g., CCPA-style laws). |
Executive orders (computer and cybersecurity)
Executive orders below directly affect federal or private-sector computer and cybersecurity policy. Links are to the official order or implementing agency summary.
| Executive order | Official link | Summary |
|---|---|---|
| Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (2013) | CISA – EO 13636 | Directed development of the NIST Cybersecurity Framework and expanded threat-information sharing for critical infrastructure. |
| Executive Order 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017) | Federal Register – EO 13800 | Required federal agencies to use the NIST Framework, report on risk management, and supported modernization of federal IT and critical infrastructure security. |
| Executive Order 14028 – Improving the Nation’s Cybersecurity (2021) | White House – EO 14028 | Established federal zero-trust and supply-chain security expectations, Cyber Safety Review Board, and improved incident detection and information sharing. |
| Executive Order on Combating Cybercrime, Fraud, and Predatory Schemes (2026) | White House – 2026 EO | Focuses on combating cybercrime and cyber-enabled fraud; coordinates enforcement and victim restoration. |
As the case library grows, each regime will link to the relevant case list and to “what’s technically expected” patterns.