HIPAA, FERPA, And CFAA Legislation
Defensive cybersecurity practices are sometimes driven by legislation such as HIPAA (which protects health information) and FERPA (which protects academic information). Other laws exist to punish misuse of computer systems, such as the Computer Fraud and Abuse Act.
Learning Objectives
You should be able to:
- Describe how legislation shapes cybersecurity practices
- Describe HIPAA, FERPA, and CFAA
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 required healthcare practitioners to protect patient information. As healthcare data was increasingly stored in computer systems, legislators wanted to give citizens assurance that their data would be protected. HIPAA is the reason that every time you visit a new doctor you must sign a form consenting to have the practice store your data and share it with the people involved in your care. You can choose not to sign the form, but you will likely be turned away.

HIPAA is a law with teeth. Fines for HIPAA violations can be very expensive, so every healthcare provider needs to take HIPAA seriously. An employee who willfully violates HIPAA will be fined a minimum of $50,000 per violation. Even accidental violations can be expensive, especially when they involve data breaches. In 2017, Memorial Health Systems was fined $5.5 million because employees had inappropriately accessed patient data.
FERPA
The Family Educational Rights and Privacy Act (FERPA) governs the use of academic information. Occasionally, a concerned parent of a university student will reach out to me to discuss their child's progress in my course. Because their children are legally adults, I cannot disclose any information to the parents without the express consent of the students. I cannot even tell the parent whether their child has attended class. Educational records are treated as private information and must be protected by educators. Academic information may be shared only for legitimate educational purposes. While HIPAA and FERPA both define strict penalties for inappropriate use of information, examples of FERPA fines are rare.

CFAA
The Computer Fraud and Abuse Act (CFAA) was passed in 1986. In short, the law makes hacking illegal, but it has not always been entirely clear how hacking is defined. The law states that a person cannot access a computer without authorization, or exceed their authorized access. Before the CFAA, people who used computers maliciously were often prosecuted under wire fraud or mail fraud laws.

In one civil case, Craigslist sued a company called 3Taps that was scraping its data. Craigslist sent 3Taps a cease-and-desist letter telling it to stop scraping the data, and blocked the IP addresses 3Taps was using. 3Taps then used anonymous proxies to continue accessing Craigslist's data. The judge ruled that 3Taps should have known that its authorization to access Craigslist's data had been revoked. Eventually, Craigslist settled with 3Taps, with 3Taps paying $1 million to Craigslist and promising not to scrape its data anymore.
Reflection
- Are new laws needed to protect your information?
- Do you have a meaningful choice when deciding to accept a doctor's privacy policy?
- When is it appropriate for a user to probe a system to determine whether they can gain access to non-public information?
Key Terms
- HIPAA (Health Insurance Portability and Accountability Act): A U.S. law enacted in 1996 that sets national standards for the protection of individuals' medical records and other personal health information. HIPAA requires healthcare providers, insurers, and their business associates to implement safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
- FERPA (Family Educational Rights and Privacy Act): A U.S. federal law enacted in 1974 that protects the privacy of student education records. FERPA grants parents certain rights regarding their children's education records, which transfer to the student when they turn 18 or attend a school beyond the high school level. It also restricts the disclosure of personally identifiable information from education records without the consent of the student or parent.
- CFAA (Computer Fraud and Abuse Act): A U.S. federal law enacted in 1986 that criminalizes unauthorized access to computer systems and networks. The CFAA is designed to combat hacking and other forms of cybercrime by imposing penalties for accessing computers without authorization, exceeding authorized access, and causing damage or theft of data.