Understanding data privacy in the United States

Data privacy laws in the United States are notoriously tricky. There is a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary. To complicate matters further, each state has its own requirements for disclosing security incidents.

In this blog, we help clarify the matter, providing an overview of the key data privacy laws in the US. We explain what they are, who they apply to and how you can achieve compliance.

The CPRA (California Privacy Rights Act)

The CPRA (California Privacy Rights Act) is a data privacy law that takes effect on January 1, 2023. It enhances existing privacy laws in the State of California – the CCPA (California Consumer Privacy Act).

The CPRA applies to businesses that collect California residents’ personal information, and its privacy requirements are similar to those of the EU GDPR (General Data Protection Regulation). (More on that later.)

The CPRA applies to any legal entity that does business in California, collects consumers’ personal information, and:

  • Buys, sells, or shares the personal information of 100,000 or more consumers or households in a year; or
  • Derives 50% or more of its annual revenue from selling or sharing consumers’ data.

DFARS (Defense Federal Acquisition Regulation Supplement)

The DFARS is a Department of Defense-specific supplement to the FAR (Federal Acquisition Regulation).

It provides acquisition regulations that are specific to the DoD. DoD acquisition officials, as well as contractors and subcontractors doing business with the DoD, must adhere to the regulations in the DFARS.

The DFARS contains:

  • Requirements of law
  • DoD-wide policies
  • Delegations of FAR authorities
  • Deviations from FAR requirements
  • Policies and procedures that have a significant effect on the public

The cybersecurity requirements under the DFARS mandate that DoD contractors and subcontractors must implement controls that are specified in the NIST SP (Special Publication) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

CUI (Controlled Unclassified Information) requires safeguarding in accordance with applicable laws, regulations, and policies.

All contractors and subcontractors processing, storing, or transmitting CUI must meet the minimum security standards specified in the DFARS. Failing to meet these standards can result in the loss of contracts with the DoD.

GDPR (General Data Protection Regulation)

The GDPR applies to any organization processing and storing EU residents’ personal data, irrespective of the organization’s location or where the data is processed.

North American organizations with any connection to the EU – whether through subsidiaries, customers, or suppliers – are likely to be affected.

Organizations should therefore take steps to determine whether the GDPR is applicable, and consider revising their information handling processes to ensure compliance.

FISMA (Federal Information Security Management Act)

FISMA is a United States federal law that was enacted as Title III of the E-Government Act of 2002.

It requires federal agencies to implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors.

FISMA recognizes “the importance of information security to the economic and national security interests of the United States” and is aimed at all federal agencies.

It mandates that directors of federal agencies should oversee information security policies and practices that:

  • Provide information security protections that adequately reflect the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.
  • Comply with the requirements of FISMA and related policies, procedures, standards, and guidelines, as developed by NIST.
  • Ensure that information security management processes are integrated with agency strategic and operations planning processes.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA, also known as the Kennedy–Kassebaum Act, is a federal law that was enacted in 1996. It aims to make it easier for people to keep their health insurance when they change jobs, to protect the confidentiality and security of health care information, and to help the health care industry control its administrative costs.

Of the Act’s five titles, Title II concerns health care information security. It contains provisions that require the Department of Health and Human Services (HHS) to address the security of health care information.

It mandates the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers, and addresses the security of health care data.

The New York SHIELD (Stop Hacks and Improve Electronic Data Security) Act

The New York SHIELD Act requires any person or business that owns or licenses computerized data that includes New York residents’ private information to “develop, implement and maintain reasonable safeguards” to protect its security, confidentiality, and integrity.

However, not all organizations are subject to New York state’s breach notification statute.

The SHIELD Act exempts organizations that are subject to U.S. federal laws and NY state laws that already require data breach notification, such as HIPAA (the Health Insurance Portability and Accountability Act) and the GLBA (Gramm-Leach-Bliley Act).

GLBA (Gramm-Leach-Bliley Act)

GLBA is both an information security and a privacy law. The law applies to financial institutions, but its definition of “financial institution” is very broad and includes banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.

It requires organizations to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”

Privacy as a service

With the many different laws U.S. organizations have to navigate, the burden of compliance can be huge.

But with IT Governance USA’s Privacy as a Service solution, we do the hard work for you. This subscription service gives you access to our data protection experts, who’ll help you review your policies and processes and ensure you comply with the relevant laws.