This website uses cookies. View our cookie policy
Select regional store:

Federal Cybersecurity and Privacy Laws Directory

Unlike the European Union, the US has no single federal law that regulates information security/ cybersecurity and privacy throughout the country. Several states have their own cybersecurity laws in addition to their data breach notification laws. These areas are currently regulated by a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary.

The challenge of compliance for organizations that conduct business across all 50 states and potentially across the world is considerable.

This page provides a summary of applicability, penalties, and compliance requirements that pertain to key federal laws that concern cybersecurity and privacy professionals.


15 U.S. Code Chapter 98

The Sarbanes-Oxley Act (SOX)) requires organizations to prove their cybersecurity credentials.


SOX applies only to public companies.

The purpose of the legislation and regulations are to make sure these companies produce accurate financial statements from public companies.

Penalties and enforcement:

SOX has very tough penalties. Unlike many other cybersecurity or privacy statutes, SOX has criminal penalties. In theory, a CEO and CFO can be liable for maximum penalties of $1 million and ten years’ imprisonment for a false certification, and $5 million and 20 years for a willfully false filing.


The following five components of internal controls are generally thought to be required. Read more >>

SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information

17 CFR Part 248, Subpart A

SEC Rule 30, which is part of Regulation S-P (17 CFR 248.30), is an information security regulation, which requires appropriate cybersecurity measures.


SEC Rule 30 applies to US and foreign brokers, dealers, investment companies, and investment advisers that are registered with the SEC. These organizations could also be subject to the concurrent jurisdiction of the New York Department of Financial Services (NYDFS) cybersecurity regulations (23 NYCRR 500). Under SEC Rule 30, organizations must adopt written policies to safeguard customer records and protect against unauthorized access.

Penalties and enforcement:

Civil fines for violating this regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by an SEC action or by the Financial Industry Regulatory Authority (FINRA). FINRA is a private corporation that acts as a self-regulatory organization for the financial industry. It has the contractual power to fine its members.


Rule 30 of Regulation S-P requires organizations to have written policies and procedures that: Read more >>

SEC Regulation S-ID: Identity Theft Red Flag Rule

17 CFR Part 248, Subpart C

SEC Regulation S-ID (17 CFR 248, Subpart C) is a cybersecurity law.


It applies to financial institutions and creditors (including broker-dealers, investment companies, and investment advisers). The purpose of SEC Regulation S-ID is to require organizations to develop programs designed to detect, prevent, and mitigate identity theft.

Penalties and enforcement:

SEC Regulation S-ID is subject to the same penalty as S-P. Civil fines for violating this regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by a SEC action or by FINRA.


The organization’s written identity theft prevention program must include the following elements: Read more >>

GLBA: Gramm-Leach-Bliley Act

15 U.S. Code Subchapter I

Gramm-Leach-Bliley Act (GLBA) is both an information security and a privacy law.


The law applies to financial institutions, but the definition is very broad. Included within the definition are banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.

There is a Security Rule and a Privacy Rule. The Security Rule (16 CFR Part 314) requires organizations to “implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” (15 USC §6801 (a)) Read more >>

FTC: Federal Trade Commission Act §5

15 U.S. Code § 45

Like the GLBA, the FTC Act Section 5 is both an information security regulation, (which requires appropriate cybersecurity measures) and a privacy law.


The law applies to almost every organization in the US with the exception of banks and common carriers.

Penalties and enforcement:

The FTC is not shy about imposing civil liabilities, which have even reached a hundred million dollars. It might seem odd that a law passed in 1914 to prohibit unfair or deceptive acts is one of the major sources of cybersecurity and privacy law in the US. Read more >>

HIPAA: Health Insurance Portability and Accountability Act

45 CFR Part 160, 45 CFR Part 164

Like many other federal laws, HIPAA also has security, privacy, and breach notification rules.


The law applies to a health care provider, a health plan, a health care clearing house, and, in certain cases, business associates of these types of businesses called covered entities. So, the act can cover organizations as diverse as a health insurance company to a pharmaceutical company. Unlike other laws, HIPAA has very specific rules to determine compliance.

Penalties and enforcement:

Fines depend on the nature and extent of the violation as well as the extent to which the organization has attempted to protect information. The largest fine to date was more than $5 million.


The security rule requires that:

DFAR: Defense Federal Acquisition Regulation

48 CFR 252.204-7012 – Safeguarding covered defense information and cyber incident reporting.


This regulation applies to US Department of Defense (DoD) contractors. It requires contractors and subcontractors that possess, store, or transmit “covered defense information” to provide adequate security to safeguard the covered defense information on its unclassified information systems.

Penalties and enforcement:

Failure to comply may result in debarment.

COPPA: Children's Online Privacy Protection Act

15 U.S. Code Chapter 91, 16 CFR Part 312

The Children's Online Privacy Protection Act (COPPA) is a privacy and a cybersecurity law.


COPPA applies to websites and online services that are directed at children under the age of 13. It also applies if the operator of the site has actual knowledge that children under the age of 13 are using a website. The purpose of the Act is to regulate how these websites collect, use, and/or disclose personal information from and about children.

Penalties and enforcement:

The Act is enforced by the FTC. Fines have been increasing.


Before websites and online services can collect any information about children they must do the following:

  • Provide notice of what information the website collects from children, how it uses such information, and its disclosure practices for such information Read more >>

FDA: Regulations for the Use of Electronic Records in Clinical Investigations

21 CFR Part 11

The Food and Drug Administration (FDA) Regulations for the Use of Electronic Records in Clinical Investigations is a cybersecurity law.


It applies to organizations involved in clinical investigations of medical products, including sponsors, clinical investigators, institutional review boards (IRBs), and contract research organizations (CROs).

Most, if not all, of these people and organizations are also health care providers, so their operations would most likely fall under the HIPAA rules as well. It concerns the IT systems of these organizations, including any electronic systems used to create, modify, maintain, archive, retrieve, or transmit records used in clinical investigations.

Penalties and enforcement:


CFTC: Commodity Futures Trading Commission Derivatives Clearing Organizations Regulation

17 CFR Part 39, Subpart B, 17 CFR 39.18 - System safeguards


The CFTC Regulation applies to derivatives clearing organizations. These entities act as a medium for clearing transactions in commodities for future delivery or commodity option transactions. There are about 27 worldwide. These markets are at the heart of the global financial system.

Penalties and enforcement:

SEC regulation S-ID is subject to the same penalty as S-P. Civil fines for violating this Regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by an SEC action or by FINRA.


To protect themselves, derivative clearing organizations must develop an extensive and robust information security program that includes the following: Read more >>

ECPA and SCA: Electronic Communications Privacy Act and Stored Communications Act

18 U.S. Code Chapter 119 and 18 U.S. Code Chapter 121

The Electronic Communications Privacy Act (ECPA) together with the Stored Communications Act (SCA), also known as the Wiretap Act, are privacy statutes.


Originally designed to limit warrantless surveillance, these acts forbid the intentional use, disclosure, or access to any wire, oral, or electronic communication without authorization.

Penalties and enforcement:

The acts provide criminal penalties that could be used to jail malicious hackers. They also provide a private right of action. Read more >>

EU-US Privacy Shield


The Privacy Shield was developed to protect EU residents’ data held and processed by organizations in the US. The protection of an individual’s data in the US does not come anywhere near what the EU considers adequate.

Since an enormous quantity of data is exchanged between the US and the EU, the US government and EU commissioners came up with a method to circumvent the previous Data Protection Directive with a program called Safe Harbor. The Safe Harbor agreement was overturned on October 6, 2015 by the European Court of Justice (ECJ), so the EU commissioners and US government had to act quickly to come up with an alternative that will meet the requirements of the EU’s General Data Protection Regulation (GDPR). Read more >>

FPA: Privacy Act of 1974

5 U.S.C. ch. 5 § 552a

The Privacy Act is a privacy act.


The FPA applies only to agencies of the US Federal Government. It governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

It prohibits the disclosure of information from a system of records controlled by the federal agency absent of the written consent of the subject individual, unless the disclosure is pursuant to one of 12 statutory exceptions. Until recently, it only applied to lawful residents of the US. Read more >>

Consumer Privacy Protection Act of 2017

H.R. 4081

The proposed Consumer Privacy Protection Act of 2017 has been designed to ensure the privacy and security of sensitive personal information, to prevent and mitigate identity theft, to provide notice of security breaches involving sensitive personal information, and to enhance law enforcement assistance and other protections against security breaches, fraudulent access, and misuse of personal information.


It applies to organizations that collect, use, access, transmit, store, or dispose of sensitive personally identifiable information of 10,000 or more US citizens during any 12-month period. Read more >>

Penalties and enforcement:

Civil penalty fines may not exceed $5,000,000 unless the violation was found willful or intentional in which an additional $5,000,000 can be imposed.