Federal Cyber Security and Data Privacy Laws in the US
By user | Published on February 12, 2021
This blog covers US-centric cyber-security and data privacy laws that affect US-based industries, along with the regulatory requirements those laws impose. The laws governing information security and privacy were initially focused on specific types of information and specific industries. For example, HIPAA covers health information only. Similarly, FERPA (the Family Educational Rights and Privacy Act of 1974) covers student information held by public schools.
This directory provides a summary of various cybersecurity laws, their applicability, and penalties.
1. Securities and Exchange Commission (SEC) Regulation S-P: Privacy of Consumer Financial Information
Applicability: Rule 30 applies to SEC-registered investment companies, investment advisers, foreign brokers, dealers, and entities that trade futures.
Requirements of the privacy rules:
Under SEC Rule 30, organizations must develop and implement policies that safeguard customer data and protect it from unauthorized access.
It also requires organizations to provide customers with initial and annual privacy notices that inform customers of their rights and describe the organization's information-sharing policies.
Organizations must not disclose their consumers' non-public personal information to non-affiliated third parties unless the financial institution has first provided the consumers with notice of its privacy policies and procedures.
2. Sarbanes-Oxley Act (SOX)
Applicability: It applies to publicly traded companies inside the United States, as well as to their wholly owned subsidiaries and to publicly traded international companies outside the US that do business there. Generally, private companies, non-profits, and charities are not required to comply with all of SOX. Private companies planning an Initial Public Offering (IPO) should start preparing to meet the requirements of SOX before they go public.
Most important requirements of SOX:
The accuracy, documentation, and submission of all financial reports and of the internal control structure to the SEC are the direct responsibility of the company's CEO and CFO. These officers risk imprisonment and monetary penalties for non-compliance, whether intentional or not.
SOX requires management to state in an Internal Control report that it is accountable for the financial reports and for an appropriate internal control structure. All shortcomings must be reported up the chain as soon as possible, for transparency.
SOX requires the development and implementation of data security policies. These policies must be communicated and consistently enforced. Companies need to implement comprehensive data security strategies to protect the financial data they store and use.
SOX requires companies to continuously monitor, update, and maintain the documentation that proves their SOX compliance.
3. Gramm-Leach-Bliley (GLB) Act
Applicability: The Act is both an information security law and a privacy law. It applies to financial institutions regardless of size, including banks, insurance companies, non-bank mortgage lenders, securities firms, auto dealers, and tax preparers.
Information protection requirements of GLBA:
The GLBA consists of two main rules: the Security Rule and the Privacy Rule.
The Security Rule requires organizations to develop and implement a written information security plan describing their processes and procedures for protecting clients' information. Covered entities must perform a thorough risk analysis of each department that handles non-public information, and must develop, monitor, and test their information security program. The safeguards must be updated whenever there is a change in how the information is collected, stored, or used.
The Privacy Rule requires financial institutions to provide consumers with a privacy notice when the relationship is established and annually thereafter. The notice must explain how the information collected about the consumer will be used, with whom it will be shared, and how it is protected. The notice must also identify the consumer's right, pursuant to the provisions of the Fair Credit Reporting Act, to opt out of having the information shared with unaffiliated parties. Unaffiliated parties that receive non-public information are bound by the terms the consumer accepted under the original relationship agreement.
4. Health Insurance Portability and Accountability Act (HIPAA)
Applicability: As mentioned above, HIPAA has very specific rules for determining compliance related to individually identifiable health information. It applies to health care providers, health care clearinghouses, and health plans, which are called covered entities, and in certain cases to the businesses that work with these covered entities, called business associates.
Requirements for HIPAA compliance:
Self-Audits: Covered entities and business associates are required to conduct annual audits of their organization to assess administrative, technical, and physical gaps in compliance with the HIPAA Privacy and Security standards. A security risk assessment alone is not enough to be HIPAA compliant; it is only one of the important audits that HIPAA-bound organizations are expected to conduct every year to ensure compliance.
Policies, Procedures, and Employee Training: All covered entities and business associates must develop and implement policies and procedures corresponding to the regulatory requirements outlined in the HIPAA rules. These policies and procedures should be updated whenever the organization changes. HIPAA also requires annual staff training on the policies and procedures, together with an attestation from each staff member that they have understood the purpose of the training and the organization's policies and procedures.
Remediation Plans: Remediation plans should be put in place as soon as covered entities and business associates identify gaps in compliance through their self-audits. These plans must be documented and should include the calendar dates by which each gap will be remedied.
Documentation: Organizations bound by HIPAA must document every effort they make to become compliant, as this documentation is critical during a HIPAA investigation.
Business Associate Management: Covered entities and business associates must document all vendors with whom they share Protected Health Information (PHI). They must also execute business associate agreements to ensure that PHI handled by vendors is kept secure and to mitigate liability. These agreements must be reviewed annually and whenever the nature of the organization's relationship with a vendor changes.
Incident Management: In case of a data breach, the covered entity or business associate must have a process in place to document the breach and notify affected patients that their data has been compromised. This process must be in accordance with the HIPAA Breach Notification Rule.
5. Federal Trade Commission (FTC)
Applicability: The FTC Act applies to almost every organization in the US. The FTC is the main federal consumer protection agency, responsible for enforcing the FTC Act's prohibition on unfair or deceptive acts or practices. Under this authority, the FTC frequently enforces minimum security requirements on entities that collect, store, and maintain consumers' personal information.
Requirements to comply with the FTC: The difficulty is that organizations must take all measures that are reasonable and necessary, but what those measures are is usually undefined. For companies within its jurisdiction that must also comply with the GLBA, the FTC has defined the Safeguards Rule (16 CFR 314). This rule is the same as the Protection Rule and is a good starting point for establishing a corporation's duties under the Act.
Similarly, other laws such as the Children's Online Privacy Protection Act (COPPA), the Commodity Futures Trading Commission (CFTC), the Electronic Communications Privacy Act (ECPA), and the Stored Communications Act (SCA) were also introduced to protect consumers' data in the United States.