If you’re doing business in the US in 2022 and have access to people’s personal information, you need to know about data protection law (sometimes called “cyber-security law”).
These are laws that govern what companies must do to protect personal information or systems. There is no single federal legal standard for cyber security. Instead, there are about 30 different state laws and a patchwork of federal laws and regulations that apply depending on the industry and the type of data a company processes.
Okay, here goes:
The main federal law is the FTC Act, which prohibits unfair trade practices. The FTC Act was passed in 1914, so its authors probably weren’t thinking about cyber-security. But since then, the FTC has interpreted unfair trade practices to include “unreasonable security practices.” Many state laws are similarly written to require reasonable or appropriate security.
OK, so what does that mean? Reasonableness is usually judged on:
- Risk analysis: companies should assess their potential risks, the cost of mitigations, and thus the value of the available mitigation options; and
- Industry customs: what other companies in the industry are doing.
One of the ways businesses address these risks is by building out a security program tied to a recognized industry framework, which addresses key security controls like:
- Encryption
- Monitoring
- Authentication, and
- Training.
This doesn’t guarantee legal compliance, but it’s a great start. This is the core of many cyber-security laws, but there are also many other, more specific cyber-security laws, like DFARS for defense.
DFARS? Yeah, it’s real! It stands for the Defense Federal Acquisition Regulation Supplement. Or HIPAA for healthcare, the GLBA for finance, or the NERC CIP standards for energy and utility companies. HIPAA, GLBA, NERC CIP, oh my! All of these sectors have more rigorous cyber-security requirements that address issues like encryption, monitoring, and authentication.
So that’s it: your overview of US data protection laws.