In light of the rulings in FTC v Wyndham and In Re TerraCom and YourTel, it is evident that government agencies are taking the position that they can pursue “common law” cyber security negligence claims rather than relying on standards set by regulation or statute. At least some of these standards seem to be created by the government agencies in the form of statements, rulings, and various publications/guidelines.
In prior posts, we’ve been trying to identify the relevant agency publications on cyber security standards.
Here’s a cumulative collection:
Department of Defense (DOD)
Interim Rule amending the Defense Federal Acquisition Regulation Supplement (contractors and subcontractors of the government). Here's the prior post.
Department of Homeland Security (DHS)
CyberSecurity: Getting Started for Small and Midsize Businesses (US Computer Emergency Readiness Team).
Department of Justice (DOJ)
Prosecuting Computer Crimes (2015).
Federal Communications Commission (FCC)
Federal Trade Commission (FTC)
Office of National Coordinator for Health Information Technology
National Institute for Standards and Technology (NIST)
National Security Agency (NSA)
Securities Exchange Commission (SEC)
Cybersecurity Guidance Update (April 2015) – proposes a three-step process (assessment, strategy, policies) for financial advisers.
Small Business Administration (SBA)