When it comes to cybersecurity and data privacy regulation, most U.S. businesses look at Europeans with a certain degree of smugness. After all, Europeans must deal with the onerous GDPR (General Data Protection Regulation). Organizations subject to the GDPR may process an individual's personal data only on one of a small set of lawful bases, and they must allow individuals to exercise several rights over that data. A business that fails to comply can be subject to very large fines: up to €20 million (about $16.3 million) or 4% of its global annual turnover, whichever is higher.
In contrast, most American businesses feel that they do not have to worry about such regulations. That belief is mistaken. Compliance for Americans can be far more complex than for Europeans, and it will undoubtedly get much more complicated.
That is because, unlike Europe, the U.S. has a patchwork of data protection laws and regulations that come in many different flavors and can catch the unwary or the uninformed out. Europe, by contrast, has a single overarching law, the GDPR.
There are four types of cybersecurity and privacy laws. Some deal only with cybersecurity, for example the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500. Others deal only with privacy, for example COPPA (Children's Online Privacy Protection Act). Then there are breach notification laws and hybrid laws. The GDPR is an example of a hybrid law, as it covers privacy, cybersecurity, and breach notification.
The Alphabet Soup of U.S. Privacy Law
Let's start with federal laws. Not the laws passed by the U.S. Congress that apply to private parties, but the laws and regulations that apply to the U.S. government itself. These include the FPA (Federal Privacy Act of 1974), FISMA (Federal Information Security Modernization Act), FedRAMP (a cloud-security authorization program rather than a statute), and now the CMMC (the Department of Defense's Cybersecurity Maturity Model Certification, imposed on defense contractors through the DFARS clauses at 48 CFR § 252.204-7012 et seq.). These requirements apply to executive agencies of the federal government, which would substantially limit their reach, except that they flow down to any business that holds contracts with those agencies. So, if you have or intend to have contracts with an executive agency, you will be subject to some rather complex requirements.
Then of course there is the alphabet soup of federal laws and regulations that apply to organizations in particular sectors. The best known is HIPAA, which applies to health care providers, health plans, and clearinghouses, and to the business associates that handle protected health information on their behalf. The financial industry has its own requirements in the form of FINRA rules (for broker-dealers) and the GLBA (Gramm-Leach-Bliley Act). And public companies and other SEC-regulated entities must comply with SEC rules; Regulation S-P, for example, governs how broker-dealers, investment companies, and investment advisers protect the privacy of customer financial information.
These are only the modern laws that specifically address cybersecurity and/or privacy issues associated with processing data. They have not narrowed the reach of older laws such as the Federal Trade Commission Act, signed into law by Woodrow Wilson in 1914. Section 5 of the Act outlaws unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce, and it has been the basis of several major penalties for improper data handling, most notably the FTC's $5 billion settlement with Facebook in 2019.
But wait, there's more! A quick search of bills pending in Congress for 'cybersecurity' yields an astonishing 250 hits with a relevance score above 90%. A search for 'privacy' returns 350. Many of these bills will never become law, but the sheer number suggests that some will.
Filling the Data Privacy Uniformity Gap
Not to be outdone, and in the absence of a comprehensive federal privacy law, individual states have attempted to fill the gap. Laws like the CCPA (California Consumer Privacy Act), since amended and expanded by the CPRA (California Privacy Rights Act), are generally known. What might come as a surprise is that six other states are considering similar legislation: Connecticut, Rhode Island, Maryland, Minnesota, Illinois, and New York.
While comprehensive privacy law is rather new, other types of laws are not. More than 25 states have passed cybersecurity laws. Generally, these laws require organizations that process personal information to adopt reasonable cybersecurity protections appropriate to the type and sensitivity of the data they process. This is the standard risk-appropriate model for cybersecurity legislation and regulation; the same model appears in Article 32 of the GDPR and in similar legislation around the world.
The third type of cybersecurity law, breach notification, has been adopted by all 50 states. Like the state privacy and cybersecurity laws, these statutes vary significantly from jurisdiction to jurisdiction: in what counts as personal information, in what triggers a notification, and in how quickly notice must be given.
Cybersecurity and privacy regulations are not limited to Europe and the U.S. Roughly 20 countries around the world have laws similar to the GDPR. For U.S. organizations, the law that will probably have the biggest impact is Canada's proposed Consumer Privacy Protection Act. It is most notable for its fines: a maximum of CAD 25 million (roughly $19,650,000) or 5% of global revenue, whichever is greater.
Privacy at your Service
With the constant threat of cyber attacks, many of these laws are likely to change. That will cause increasing headaches for organizations, but IT Governance USA can help. Keeping up with the constantly changing kaleidoscope of laws, and keeping our clients and their customers safe, is what we do. So, if you have any privacy concerns, please do not hesitate to contact us.
With the many different laws U.S. organizations have to navigate, the burden of compliance can be huge. Our latest offering, Privacy as a Service, provides a combination of services at different levels to support your privacy compliance program. This service can support compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act (DPA) 2018, the California Privacy Rights Act (CPRA, which amended the California Consumer Privacy Act), New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act, and more.