In contrast to the UK and EU, there is no single, general, nationally-applicable law in the US regulating the collection, processing, storing and safeguarding of personal data.
Instead, depending on their particular business niche, companies need to grapple with an assortment of federal and state laws, as well as various self-regulatory guidelines; several of which have a tendency to overlap.
To help you get to grips with what can be a daunting legal landscape, here’s a selection of some of the most prominent laws spanning privacy, data and cyber protection…
The Federal Trade Commission Act 15 U.S.C.
This is the Act under which the Federal Trade Commission (FTC) is granted its authority - and from which it derives wide-ranging powers to prevent unfair methods of competition and conduct injurious to consumers.
From a personal data perspective, its provisions relating to the prohibition of “unfair and deceptive practices” are especially relevant.
- Application. The FTC relates to the majority of companies and individuals who do business in the US; exceptions include telecoms and finance, to which specific regulatory frameworks apply.
- Privacy. This is an area where certain practices deemed “unfair or deceptive” have been outlawed. This includes failing to protect personal data, disclosure without permission and failure to comply with a published privacy notice.
- Sanctions. The FTC can issue cease and desist orders, obtain restitution for consumers and can seek fines of up to $40,000 for violation of injunctions. Criminal penalties include unlimited fines and imprisonment of up to ten years.
Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB))
Recognising that the financial services sector warranted a tighter framework than that provided ‘general’ FTC Act, GLB regulates the collection, processing, use and safeguarding of financial information. As well as institutions such as banks and insurance companies, the Act can be relevant to a wide range of organisations “significantly engaged” in financial activities.
Under its “Safeguards Rule”, The Act obliges financial institutions to have a security programme in place to protect private personal information from unauthorised disclosure. Common standards that are relevant to this rule include data encryption, authentication, frequent monitoring and systems testing.
It also sets out detailed obligations regarding privacy procedures - with different rules applying to “consumers” as opposed to “customers” - i.e. depending on whether the individual has a longstanding relationship with the institution.
The Act carries a very wide range of financial and criminal penalties. At the upper end (e.g. involving fraud), these can include fines of up to $1million (for a company) and imprisonment of up to ten years.
The Health Insurance Portability and Accountability Act (HIPAA)
A wide-ranging Act setting out the standards for regulating medical information. As well as healthcare providers, it covers essentially all entities that come into contact (i.e. process, collect or store) medical information.
The Homeland Security Act (incorporating the Federal Information Security Management Act (FISMA))
This law relates to every US government agency; - and required each agency to undertake “the development and implementation of mandatory principles, standards and guidelines on information security”. This includes “those provided or managed by another agency, contractor or other source”.
On a practical level, it means that by law, any private company hoping to provide products or services to a US government agency can expect extremely rigorous scrutiny of its security framework.
The Computer Fraud And Abuse Act (CFAA)
This is America’s primary federal anti-hacking law. It first came into force in 1986 but since then has undergone a number of revisions - not least because it was so vaguely worded. Primarily, it makes it illegal to access a computer “without authorization”.
Under the USA Patriot Act, the maximum penalty for a first offence under the Act was raised from five to ten years for a first offence (and double that for a second offence). Since 1994 it has also been possible to bring civil claim for violation, meaning that breach of the Act effectively raises the possibility of uncapped damages if another party suffers loss or damage as a result of the hack.
It’s worth pointing out that California alone has more than 25 statewide privacy and data security laws on its books. Multiply this across the US and it becomes clear that covering your back in terms of data compliance can be a complicated matter. Detailed sector-specific and geography-specific examination of the law is a must before doing business with US customers.