Due to routine maintenance, this site may be unavailable on Wednesday, June 19 from 9am to 6pm. We apologize for any inconvenience.

State and Federal Cybersecurity Related Laws

Cuyahoga County – Administrative Code and Ordinances


State of Ohio – Laws and Directives


Federal – Laws and Directives

  • The National Cyber Incident Response Plan (NCIRP): The NCIRP describes a national approach to dealing with cyber incidents; addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents and how the actions of all fit together for an integrated response.
  • Cyber Incident Reporting Act of 2022: The Cyber Incident Reporting Act imposes four primary reporting and related requirements on “covered entities” in the event of a “covered cyber incident” or a ransomware payment.
  • Presidential Policy Directive - Critical Infrastructure and Resilience (PPD-21): An infrastructure protection and resilience directive in the United States that aims to strengthen and secure the country's critical infrastructure into 16 specific sectors.
  • Executive Order 13636 (Improving Critical Infrastructure Cybersecurity): Directed the Executive Branch to (1) Develop a technology-neutral voluntary cybersecurity framework, (2) Promote and incentivize the adoption of cybersecurity practices, (3) Increase the volume, timeliness and quality of cyber threat information sharing, (4) Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure, and (5) Explore the use of existing regulation to promote cyber security.
  • Cybersecurity Enhancement Act of 2014: Mends the National Institute of Standards and Technology Act to permit the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), to facilitate and support the development of a voluntary, consensus-based, industry-led set of standards and procedures to cost-effectively reduce cyber risks to critical infrastructure.
  • NIST Cybersecurity Framework (CSF): Recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST’s EO 13636 role.
  • CISA Emergency and Binding Directives: Develops and oversees the implementation of “binding operational directives” and “emergency directives,” which require action on the part of certain federal agencies in the civilian Executive Branch.
  • Fair Credit Reporting Act: Protects information collected by consumer reporting agencies such as credit bureaus, medical information companies and tenant screening services.
  • Children’s Online Privacy Protection Rule (COPPA): Imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
  • Traffic Light Protocol (TLP) Sharing Threat Information: Facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
  • Rules for Commercial Email – CAN SPAM ACT: Sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
  • Computer Fraud and abuse Act (CFAA): A United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.
  • Freedom of Information Act: The basic function of the Freedom of Information Act is to ensure informed citizens, vital to the functioning of a democratic society.
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA): Federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule - more information on HIPAA
  • Sarbanes-Oxley Act of 2002: The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption – more information on the Sarbanes-Oxley Act
  • Gramm-Leach-Bililey Act (GLBA): Requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.




How could we make it better?
   Please leave a comment before submitting.
Thank you for your feedback
Your feedback means a lot to us. We use it to improve the experience of all of our users.