The Top US Cyber Security and Privacy-related Regulations

In contrast to the UK and EU, there is no single, general, nationally-applicable law in the US regulating the collection, processing, storing and safeguarding of personal data.

Instead, depending on their particular business niche, companies need to grapple with an assortment of federal and state laws, as well as various self-regulatory guidelines, several of which have a tendency to overlap.

To help you get to grips with what can be a daunting legal landscape, here’s a selection of some of the most prominent laws spanning privacy, data and cyber protection…

The Federal Trade Commission Act 15 U.S.C.

This is the Act under which the Federal Trade Commission (FTC) is granted its authority - and from which it derives wide-ranging powers to prevent unfair methods of competition and conduct injurious to consumers.

From a personal data perspective, its provisions relating to the prohibition of “unfair and deceptive practices” are especially relevant.

  • Application. The FTC Act applies to the majority of companies and individuals who do business in the US; exceptions include telecoms and finance, to which specific regulatory frameworks apply.
  • Privacy. This is an area where certain practices deemed “unfair or deceptive” have been outlawed. These include failing to protect personal data, disclosure without permission and failure to comply with a published privacy notice.
  • Behavioural advertising. Covering areas such as use of cookies and ad-retargeting, the FTC is also the primary overseer of the Self-Regulatory Principles for Behavioural Advertising. At present, these are voluntary in nature, but awareness of them is highly recommended for those organisations looking to build a reputation as adherents to best practice.
  • Sanctions. The FTC can issue cease and desist orders, obtain restitution for consumers and can seek fines of up to $40,000 for violation of injunctions. Criminal penalties include unlimited fines and imprisonment of up to ten years.

Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB))

Recognising that the financial services sector warranted a tighter framework than that provided by the ‘general’ FTC Act, GLB regulates the collection, processing, use and safeguarding of financial information. As well as institutions such as banks and insurance companies, the Act can be relevant to a wide range of organisations “significantly engaged” in financial activities.

Under its “Safeguards Rule”, the Act obliges financial institutions to have a security programme in place to protect private personal information from unauthorised disclosure. Common controls that are relevant to this rule include data encryption, authentication, frequent monitoring and systems testing.

It also sets out detailed obligations regarding privacy procedures, with different rules applying to “consumers” as opposed to “customers”, i.e. depending on whether the individual has a longstanding relationship with the institution.

The Act carries a very wide range of financial and criminal penalties. At the upper end (e.g. cases involving fraud), these can include fines of up to $1 million (for a company) and imprisonment of up to ten years.

The Health Insurance Portability and Accountability Act (HIPAA)

A wide-ranging Act setting out the standards for regulating medical information. As well as healthcare providers, it covers essentially all entities that come into contact with (i.e. process, collect or store) medical information.

The Homeland Security Act (incorporating the Federal Information Security Management Act (FISMA))

This law applies to every US government agency, and required each agency to undertake “the development and implementation of mandatory principles, standards and guidelines on information security”. This includes “those provided or managed by another agency, contractor or other source”.

On a practical level, it means that by law, any private company hoping to provide products or services to a US government agency can expect extremely rigorous scrutiny of its security framework.

The Computer Fraud And Abuse Act (CFAA)

This is America’s primary federal anti-hacking law. It first came into force in 1986 but has since undergone a number of revisions, not least because it was so vaguely worded. Primarily, it makes it illegal to access a computer “without authorization”.

Under the USA Patriot Act, the maximum penalty for a first offence under the Act was raised from five to ten years (and double that for a second offence). Since 1994 it has also been possible to bring a civil claim for violation, meaning that breach of the Act effectively raises the possibility of uncapped damages if another party suffers loss or damage as a result of the hack.

It’s worth pointing out that California alone has more than 25 statewide privacy and data security laws on its books. Multiply this across the US and it becomes clear that staying on the right side of data compliance can be a complicated matter. A detailed sector-specific and geography-specific examination of the law is a must before doing business with US customers.


Author: Nathan House

Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the Year 2022.
