
Federal Cyber Security and Data Privacy Laws in the US

By user  Published On February 12, 2021

This post covers US-centric cyber security and data privacy laws that affect US-based industries, along with the regulatory requirements each of them imposes. The laws governing information security and privacy were initially focused on specific types of information and specific industries. For example, HIPAA covers health information only. Similarly, FERPA (the Family Educational Rights and Privacy Act of 1974) covers student education records held by schools that receive federal education funding.

The sections below summarize each law, who it applies to, and its main requirements.

1. Securities and Exchange Commission (SEC) Regulation S-P: Privacy of Consumer Financial Information

Applicability: Regulation S-P applies to brokers, dealers, investment companies, and investment advisers registered with the SEC. (Futures commission merchants and other CFTC registrants are covered by the CFTC's parallel privacy rules instead.)
Requirements of the privacy rules:

  • Under Rule 30 of Regulation S-P (the Safeguards Rule), firms must adopt written policies and procedures to protect customer records and information against unauthorized access or use.
  • Firms must give customers an initial privacy notice when the relationship is established and an annual notice thereafter, informing them of their rights and describing the firm's information-sharing practices.
  • Firms must not disclose a consumer's non-public personal information to non-affiliated third parties unless they have first provided the consumer with notice of their privacy policies and practices and an opportunity to opt out.

2. Sarbanes-Oxley Act (SOX)

Applicability: SOX applies to companies that are publicly traded in the United States, including their wholly owned subsidiaries, and to foreign companies that are publicly traded in the US and do business there. Private companies, non-profits, and charities are generally not required to comply with all of SOX, but a private company planning an Initial Public Offering (IPO) should start preparing for SOX compliance well before it goes public.
Most important requirements of SOX:

  • The CEO and CFO are personally responsible for the accuracy, documentation, and submission of all financial reports and of the internal control structure to the SEC (Sections 302 and 906). Officers who certify inaccurate reports risk monetary penalties and imprisonment.
  • Section 404 requires an internal control report stating that management is responsible for the financial reports and for maintaining an adequate internal control structure. Any shortcomings must be reported up the chain as soon as possible for transparency.
  • SOX requires the development and implementation of data security policies that are communicated to staff and consistently enforced. Companies need comprehensive data security strategies to protect the financial data they store and use.
  • Companies must continuously monitor, update, and maintain the documentation proving their SOX compliance.

3. Gramm-Leach-Bliley Act (GLBA)

Applicability: The GLBA is both an information security and a privacy law. It applies to financial institutions regardless of size, including banks, insurance companies, non-bank mortgage lenders, securities firms, auto dealers that extend credit, and tax preparers.
Information protection requirements of the GLBA:

  • The GLBA's data protection requirements consist of two main rules: the Safeguards Rule and the Privacy Rule.
  • The Safeguards Rule requires institutions to develop and implement a written information security program describing the processes and procedures used to protect customer information. Covered entities must perform a thorough risk assessment of each department that handles non-public personal information, and must develop, monitor, and test the information security program. The safeguards must be updated whenever there is a change in how the information is collected, stored, or used.
  • The Privacy Rule requires financial institutions to provide a privacy notice to consumers when the relationship is established and annually thereafter. The notice must explain how the information collected about the consumer will be used, with whom it will be shared, and how it is protected. The notice must also explain the consumer's right to opt out of having their information shared with non-affiliated third parties (and, under the Fair Credit Reporting Act, certain sharing among affiliates). Non-affiliated third parties that receive non-public personal information are bound by the same limits on reuse and redisclosure that applied to the institution that shared it.

4. Health Insurance Portability and Accountability Act (HIPAA)

Applicability: As mentioned above, HIPAA has very specific rules governing individually identifiable health information. It applies to health care providers, health plans, and health care clearinghouses (together, "covered entities") and, in many cases, to the business associates that create, receive, or maintain protected health information on their behalf.
Requirements for HIPAA compliance:

  • Self-audits: Covered entities and business associates are required to conduct annual audits to identify administrative, technical, and physical gaps in compliance with the HIPAA Privacy and Security Rules. A security risk assessment alone is not enough to be compliant; it is only one of the audits that HIPAA-regulated organizations are expected to conduct every year.
  • Policies, procedures, and employee training: All covered entities and business associates must develop and implement policies and procedures that correspond to the regulatory requirements set out in the HIPAA rules, and must update them whenever the organization changes. HIPAA also requires annual staff training on those policies and procedures, with each staff member attesting that they have understood the training and the organization's policies.
  • Remediation plans: Remediation must begin as soon as a covered entity or business associate identifies compliance gaps through its self-audits. The plans must be documented and must include the calendar dates by which each gap will be closed.
  • Documentation: Organizations bound by HIPAA must document every effort they make to become compliant; this documentation is critical during a HIPAA investigation.
  • Business associate management: Covered entities and business associates must document every vendor with which they share Protected Health Information (PHI) and must execute business associate agreements to ensure that vendors handle PHI securely and to limit liability. These agreements must be reviewed annually and whenever the nature of the relationship with the vendor changes.
  • Incident management: In the event of a data breach, the covered entity or business associate must have a process in place to document the breach and to notify the affected patients that their data has been compromised (and, depending on the size of the breach, the Department of Health and Human Services and the media). This process must follow the HIPAA Breach Notification Rule.

5. Federal Trade Commission (FTC) Act

Applicability: The FTC Act applies to almost every organization in the US. The FTC is the main federal consumer protection agency and is responsible for enforcing the Act's prohibition on unfair or deceptive acts or practices (Section 5). Using this authority, the FTC frequently enforces minimum security requirements against entities that collect, store, and maintain consumers' personal information.
Requirements to comply with the FTC Act: The difficulty is that organizations must take all "reasonable and necessary" security measures, but the Act itself does not define them; in practice, the FTC's enforcement actions and consent orders set the expectations. For companies within its jurisdiction that must also comply with the GLBA, the FTC has issued the Safeguards Rule (16 CFR Part 314). The Safeguards Rule is the FTC's implementation of the GLBA's information protection requirements, and it is a good starting point for establishing a company's duties under the Act.

Similarly, the Children's Online Privacy Protection Act (COPPA), the Commodity Futures Trading Commission's (CFTC) privacy rules, and the Electronic Communications Privacy Act (ECPA), including the Stored Communications Act (SCA), are other laws introduced to protect consumers' data in the United States.


© 2021 WeSecureApp. All rights reserved.
