6 Data Protection Laws for US Organizations
The data protection landscape of the United States is a patchwork of federal and state laws and regulations. There is no general federal law regulating the collection and use of personal data; instead, the federal data protection laws address specific industries and sectors, such as financial services and healthcare, or focus on particular types of data.
Lately a growing list of states, including California, New York, Nevada, Oregon, Texas and Washington, have started drafting and enacting privacy bills; however, the differences between these bills could lead to a jumble of state-level privacy laws with slightly different definitions and requirements. Although the US has historically favored self-regulation, the idea of a federal data protection law that would harmonize requirements nationwide is gaining momentum.
Let’s check out 6 of the most important laws and regulations that organizations in the United States need to be aware of.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) leads the pack of state-level privacy laws and has the potential to be a game-changer in the data privacy landscape not just in California, but across the US. The law takes effect on January 1, 2020, with enforcement beginning on July 1, 2020.
Borrowing key concepts from the EU’s General Data Protection Regulation (GDPR), the new law gives California residents rights to access, delete and control their personal information and imposes technical, notice and financial obligations on affected businesses. Like the GDPR, the CCPA requires businesses to disclose what personal information they collect, why, and with whom it is shared or sold, and it gives consumers the right to opt out of the sale of that information, so undisclosed collection and use of personal data becomes a compliance violation rather than a business practice.
Health Insurance Portability and Accountability Act (HIPAA)
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) established data privacy and security provisions for safeguarding sensitive patient data. With the proliferation of health data breaches in recent years, HIPAA has gained greater prominence.
Organizations that handle protected health information (PHI) must have administrative, physical and technical safeguards in place, and follow them, in order to comply with the law. HIPAA applies to covered entities (health plans, health care clearinghouses and health care providers that transmit health information electronically in connection with treatment, payment or health care operations), as well as to their business associates, the vendors and partners that access patient information while assisting with treatment, payment or operations. PHI is individually identifiable health information in any form, and includes information in medical records, conversations regarding medical treatment and billing information related to the patient’s health.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements and guidelines for organizations that handle cardholder data. Established in 2006 by the major payment card brands (American Express, Discover, JCB, Mastercard and Visa), it aims to help prevent breaches, fraud and theft of payment card information. Unlike the other entries on this list, PCI DSS is not a law: it is an industry standard enforced through the contracts merchants and service providers sign with acquiring banks and the card brands. It applies to all organizations worldwide that accept, process, transmit or store cardholder data, regardless of size or number of transactions.
PCI DSS is organized into 12 requirements and involves basic security measures, such as installing and maintaining firewalls and anti-malware software, as well as more complex requirements such as developing and maintaining secure systems and applications, restricting access to cardholder data on a need-to-know basis, and regularly testing security systems and processes.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a US federal law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive customer information.
Enforced by the Federal Trade Commission (FTC) and the federal banking regulators, the law consists of three parts (the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions) and applies to all companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance. To be GLBA compliant, financial institutions are required, among other things, to implement a written information security program that protects the security, confidentiality and integrity of customers’ nonpublic personal information, and to give customers written privacy notices that explain their information-sharing practices and inform them of their right to opt out.
Sarbanes-Oxley Act (SOX)
SOX, sometimes also called Sarbox, stands for the Sarbanes-Oxley Act, a US law signed on July 30, 2002 in response to the highly publicized corporate accounting scandals of the preceding years. The law applies to all publicly traded companies in the US and also regulates the public accounting firms that audit them. SOX addresses codes of ethics, financial reporting, and the procedures and processes behind it, with the intention of protecting investors and the public against corporate financial fraud and mismanagement. The law also added stricter criminal penalties for violating securities laws.
SOX does not spell out specific IT requirements in its text, but it still has a great impact on how publicly traded companies must secure their information systems. Because the financial records covered by the law are processed and stored by IT systems, the internal controls over financial reporting that management must assess and auditors must attest to (Sections 302 and 404) necessarily include controls over access to those systems, change management and the integrity of the data they hold.
NIST SP 800-171
NIST SP 800-171 is a set of security requirements designed to keep sensitive federal information confidential when it is handled by non-federal entities such as contractors, universities and state agencies. It was published by the National Institute of Standards and Technology (NIST) in 2015, and Department of Defense contractors that handle Controlled Unclassified Information (CUI) were required under the DFARS 252.204-7012 clause to implement it by December 31, 2017.
The publication groups its security requirements into 14 families (such as access control, audit and accountability, incident response, and system and communications protection), each containing basic and derived requirements. NIST SP 800-171 gives federal agencies a common baseline to require, usually through contract clauses, so that CUI is protected when processed, stored and transmitted in non-federal information systems. CUI is information the federal government creates or possesses that is not classified but that a law, regulation or government-wide policy requires to be safeguarded; it includes personally identifiable information (PII), financial data, court records, patent applications and other sensitive information in which the government holds an interest.