This blog covers US-centric cyber-security and data privacy laws that have an impact on US-based industries, together with the regulatory requirements those laws impose. The laws governing information security and privacy were initially focused on specific types of information and industries. For example, HIPAA covers health information only. Similarly, FERPA (the Family Educational Rights and Privacy Act of 1974) covers student information held by public schools.
This directory provides a summary of various cybersecurity laws, their applicability, and their penalties.
Applicability: Rule 30 applies to SEC-registered investment companies, investment advisers, foreign brokers, dealers, and entities that trade futures.
Requirements of the privacy rules:
Applicability: It applies to publicly traded companies inside the United States, as well as to wholly owned subsidiaries and international companies outside the US that are publicly traded and do business there. Generally, private companies, non-profits, and charities are not required to comply with all of SOX. Private companies that are planning an Initial Public Offering (IPO) should start preparing to comply with the requirements of SOX before they go public.
Most important requirements of SOX:
Applicability: The Act is both an information security and a privacy law that applies to financial institutions regardless of size, including banks, insurance companies, non-bank mortgage lenders, securities firms, auto dealers, and tax preparers.
Information protection requirements of GLBA:
Applicability: As mentioned above, HIPAA has very specific rules for determining compliance with respect to individually identifiable health information. It applies to health care providers, health care clearinghouses, and health plans (together called covered entities) and, in certain cases, to the businesses associated with them.
Requirements for HIPAA compliance:
Applicability: The FTC Act applies to almost every organization in the US. The FTC is the main federal consumer protection agency and is responsible for enforcing the FTC Act's prohibitions on unfair and deceptive acts or practices. With this authority, the FTC frequently enforces minimum security requirements against entities that collect, store, and maintain consumers' personal information.
Requirements to comply with the FTC Act: the difficulty is that organizations must take every measure that is reasonable and necessary, but what counts as reasonable and necessary is usually undefined. For companies within its jurisdiction that must comply with the GLBA, the FTC has issued the Safeguards Rule (16 CFR 314). This rule is the same as the Protection Rule and is a good starting point for establishing a corporation's duties under the Act.
Similarly, other laws such as the Children's Online Privacy Protection Act (COPPA), the Commodity Futures Trading Commission (CFTC) rules, the Electronic Communications Privacy Act (ECPA), and the Stored Communications Act (SCA) were introduced to protect consumers' data in the United States.