U.S. privacy and cybersecurity laws — an overview
Information security professionals can improve themselves and their ability to serve their organizations by learning about the laws applying to privacy and cybersecurity.
In earlier articles, I discussed why infosec pros should learn about the law, the foundations of U.S. law, and the Certified Information Privacy Professional (CIPP)/U.S. learning path. Now it is time to zoom in on privacy law.
Privacy vs. cybersecurity
Privacy intersects significantly with cybersecurity. The quick general takeaway is that every privacy law impacts cybersecurity. For example, all these laws recognize that consumer data should be held with a reasonable degree of security to prevent breaches or leaks and require notification of any data breaches. This Venn diagram shows how they intersect.
Privacy vs. Information Security and Cybersecurity
Copyright John Bandler 2022. All rights reserved.
The intersection of the two circles is not to scale — it is probably a greater overlap, but it is not a science.
As many readers will appreciate, cybersecurity and information security are about protecting an organization's information assets, keeping data and systems secure and ensuring their confidentiality, integrity and availability. Organizations in some regulated sectors may be legally required to take measures to protect and keep systems running. Other laws and regulations may require notification after certain personal data breaches or require consumer data to be secured with reasonable cybersecurity.
Organizations may hold personal data of consumers, customers, clients and employees. This data is regulated by privacy laws that include the above provisions (breach notification and reasonable cybersecurity) plus consumer notice and choice.
There are four main types of privacy:
- Information privacy (data privacy)
- Communications privacy
- Territorial privacy
- Bodily privacy
Our primary focus is on information privacy—consumer data and how it is collected, stored, used and shared. This emerging area of law gives consumers rights and imposes obligations on organizations. One part of privacy is cybersecurity for consumer data plus breach notification. Other aspects of privacy include consumer notice and choice, privacy practices and the collection, use and sharing of data.
Federal vs. state
It is often said that U.S. privacy and cybersecurity law is a patchwork of different rules from many places and with varying applicability. Some come from the federal government and some from the fifty states, plus districts and territories.
Federal laws and regulations may apply generally throughout the country or only to specific sectors, such as finance or health. The Federal Trade Commission (FTC) Act protects consumers against unfair or deceptive trade practices, which provides certain privacy protections for consumers, but it is not a dedicated privacy law.
No generally applicable federal law specifically extends privacy rights to consumers or requires security measures or data breach notifications. Bills have been submitted on these issues, but none have passed yet. Some federal laws and regulations pertain to regulated sectors, such as finance, health, and education.
Each state can pass laws relating to data breach notification, cybersecurity and privacy, and many have chosen to do so. California, Connecticut, Virginia and others have enacted comprehensive privacy laws. Every state has data breach notification laws, and many require specific cybersecurity measures.
Organizations need to evaluate what federal and state laws apply to them.
Law vs. regulation
Here’s the difference between a law and a regulation and how they relate.
A law is passed through the legislative process. After being approved by the legislature, it goes to the executive (president or governor), who signs it into law.
Some laws create a regulator (e.g., the FTC, Federal Deposit Insurance Corporation (FDIC), or Department of Health and Human Services, and empower the regulator to issue more detailed rules or regulations and enforce them. GLBA and HIPPA are federal privacy-related laws allowing a regulator to create more detailed regulations. A regulated organization must comply or face the consequences such as monitoring, fines, or loss of the license needed to operate.
There are many federal and state regulators. States license hospitals, banks and other businesses; with those licenses comes the responsibility to comply with the state rules, including those on privacy.
Should we panic and feel overwhelmed or learn, synthesize and improve?
We have a large and complex patchwork of laws and regulations on privacy and cybersecurity from state and federal governments. Even experienced lawyers might feel overwhelmed, but they should not, and neither should you.
We need to keep our eyes on the spirit of these legal requirements and try in good faith to comply and continually improve with effective management, protection, and transparency. I suggest four main points:
- Inform consumers about their data— what is collected, stored, shared, and used. Give them choices. Keep your promises.
- Protect consumer data from breaches and leaks.
- Protect your organization’s information assets.
- Continually improve.
Once we master these concepts, we can start looking at each applicable law or regulation in more detail and how to synthesize various legal requirements for compliance and protection.
Get your free course catalog
Conclusion
Privacy intersects with cybersecurity, and we look to a mixture of federal and state laws and regulations. By looking at the big picture and the spirit of the laws as guides, we protect our organizations and comply with emerging requirements. The next step is diving into legal requirement details to ensure legal compliance and good business practices.
For more details on privacy, look at my Infosec CIPP/US certification learning path. And, if you are working on a privacy or cybersecurity document project, my learning path on policies and procedures is coming soon.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- U.S. privacy and cybersecurity laws — an overview
- Is AI cybersecurity in your policies?
- The top security architect interview questions you need to know
- Federal privacy and cybersecurity enforcement — an overview
- Common misperceptions about PCI DSS: Let’s dispel a few myths
- How PCI DSS acts as an (informal) insurance policy
- Keeping your team fresh: How to prevent employee burnout
- How foundations of U.S. law apply to information security
- Data protection Pandora's Box: Get privacy right the first time, or else
- Privacy dos and don'ts: Privacy policies and the right to transparency
- Starr McFarland talks privacy: 5 things to know about the new, online IAPP CIPT learning path
- Data protection vs. data privacy: What’s the difference?
- NIST 800-171: 6 things you need to know about this new learning path
- Working as a data privacy consultant: Cleaning up other people’s mess
- 6 ways that U.S. and EU data privacy laws differ
- Navigating local data privacy standards in a global world
- Building your FedRAMP certification and compliance team
- SOC 3 compliance: Everything your organization needs to know
- SOC 2 compliance: Everything your organization needs to know
- SOC 1 compliance: Everything your organization needs to know
- Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3
- How to comply with FCPA regulation – 5 Tips
- ISO 27001 framework: What it is and how to comply
- Why data classification is important for security
- Threat Modeling 101: Getting started with application security threat modeling [2021 update]
- VLAN network segmentation and security- chapter five [updated 2021]
- CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance
- IT auditing and controls – planning the IT audit [updated 2021]
- Finding security defects early in the SDLC with STRIDE threat modeling [updated 2021]
- Cyber threat analysis [updated 2021]
- Rapid threat model prototyping: Introduction and overview
- Commercial off-the-shelf IoT system solutions: A risk assessment
- A school district's guide for Education Law §2-d compliance
- IT auditing and controls: A look at application controls [updated 2021]
- 6 key elements of a threat model
- Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
- Average IT manager salary in 2021
- Security vs. usability: Pros and cons of risk-based authentication
- Threat modeling: Technical walkthrough and tutorial
- Comparing endpoint security: EPP vs. EDR vs. XDR
- Role and purpose of threat modeling in software development
- 5 changes the CPRA makes to the CCPA that you need to know
- 6 benefits of cyber threat modeling
- What is threat modeling?
- First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
- How to make cybersecurity budget cuts without sacrificing security
- How to mitigate security risk in international business environments
- Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
- NY SHIELD Act: Security awareness and training requirements for New York businesses
- Time to update your cybersecurity policy?
- Ultimate guide to international data protection and privacy laws
Management, compliance & auditing
Management, compliance & auditing
The top security architect interview questions you need to know
Management, compliance & auditing
Management, compliance & auditing
Common misperceptions about PCI DSS: Let’s dispel a few myths