
Federal Cybersecurity and Data Privacy Laws Directory

Unlike the European Union, the US has no single federal law regulating cybersecurity and privacy.

Several states have their own cybersecurity and data breach notification laws.

This poses a considerable challenge for organizations conducting business across all 50 states and worldwide.

This page summarizes the compliance requirements for US cybersecurity laws and federal cybersecurity laws.



15 U.S. Code Chapter 98

The Sarbanes-Oxley Act (SOX) requires organizations to prove their cybersecurity credentials.


SOX applies only to public companies. Generally, a public company is listed on a public stock exchange.

The purpose of the legislation and regulations is to make sure these companies produce accurate financial statements.

Penalties and enforcement:

SOX has very tough penalties. Unlike many other cybersecurity or privacy statutes, SOX has criminal penalties.

In theory, a CEO or CFO can be liable for maximum fines of $1 million and 10 years imprisonment for false certification and $5 million and 20 years for a willfully false filing.

SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information

17 CFR Part 248, Subpart A

SEC rule 30, part of Regulation S-P (17 CFR 248.30), is an information security regulation requiring appropriate cybersecurity measures.


SEC rule 30 applies to US and foreign brokers, dealers, investment companies, and investment advisers registered with the SEC.

These organizations could also be subject to the New York Department of Financial Services (NYDFS) cybersecurity regulations. Under SEC rule 30, organizations must adopt written policies to safeguard customer records and protect against unauthorized access.

Penalties and enforcement:

Civil fines for violating this regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by an SEC action or by the Financial Industry Regulatory Authority (FINRA). FINRA is a private corporation that acts as a self-regulatory organization for the financial industry. It has the contractual power to fine its members.

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats or hazards to the security or integrity of customer records and information
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer
  • Provide initial and annual privacy notices to customers describing information-sharing policies and informing customers of their rights
  • Limit disclosures to third parties and reuse
  • Properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal

GLBA: Gramm-Leach-Bliley Act

15 U.S. Code Subchapter I

The Gramm-Leach-Bliley Act (GLBA) is both an information security and a privacy law.


The law applies to financial institutions, but the definition is very broad and includes banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.

There is a Security Rule and a Privacy Rule. The Security Rule (16 CFR Part 314) requires organizations to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” (15 USC §6801 (a))

Penalties and enforcement:

Penalties for violation could exceed $1 million. There is also the possibility of termination of FDIC insurance, which could mean the end of the business for a financial firm.


FTC: Federal Trade Commission Act §5

15 U.S. Code § 45

FTC Act Section 5 is an information security regulation (which requires appropriate cybersecurity measures) and a privacy law.


The law applies to almost every organization in the US, except for banks and common carriers.

Penalties and enforcement:

The FTC is not shy about imposing civil liabilities, which have even reached $5 billion in the recent case concerning Facebook. It might seem odd that a law passed in 1914 to prohibit unfair or deceptive acts is one of the major sources of cybersecurity and privacy law in the US.

How to comply with the FTC:

The problem is that organizations must engage in all “reasonable and necessary” security practices, but these are generally undefined.

The FTC has established a regulation, the Safeguards Rule (16 CFR 314), for companies within its jurisdiction that have to comply with the GLBA. This rule is the same as the Security Rule (see above). It would be a good starting point for determining a company’s responsibilities under the Act.

HIPAA: Health Insurance Portability and Accountability Act

45 CFR Part 160, 45 CFR Part 164

HIPAA has security, privacy, and breach notification rules.


The law applies to health care providers, health plans, and health care clearinghouses (called covered entities) and, in some instances, to business associates of these businesses.

As a result, the Act can cover organizations as diverse as health insurance companies and pharmaceutical companies. Unlike other laws, HIPAA has particular rules to determine compliance.

Penalties and enforcement:

Fines depend on the nature and extent of the violation and the extent to which the organization has attempted to protect information.

The largest fine to date was more than $16 million. Penalties have been increasing dramatically recently. In 2018 the total value of penalties reached a record $28 million.



DFAR: Defense Federal Acquisition Regulation

48 CFR 252.204-7012

DFAR is a cybersecurity regulation that applies to the US Department of Defense (DoD) contractors.


The regulation requires contractors and subcontractors that possess, store, or transmit “covered defense information” to provide adequate security to safeguard the covered defense information on unclassified information systems.

Penalties and enforcement:

Failure to comply may result in debarment.

How to comply with DFAR:

Unlike many other cybersecurity laws, the Regulation mandates compliance with a specific cybersecurity standard: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.


COPPA: Children’s Online Privacy Protection Act

15 U.S. Code Chapter 91, 16 CFR Part 312

COPPA is a privacy and cybersecurity law.


COPPA applies to websites and online services that are directed at children under the age of 13. It also applies if the site operator has actual knowledge that children under the age of 13 are using a website.

The Act's purpose is to regulate how these websites collect, use, and/or disclose personal information from and about children.

Penalties and enforcement:

The Act is enforced by the FTC. Fines have been increasing, with the largest penalty to date reaching $5.7 million.


FDA: Regulations for the Use of Electronic Records in Clinical Investigations

21 CFR Part 11

The Food and Drug Administration (FDA) Regulations for the Use of Electronic Records in Clinical Investigations is a cybersecurity law.


It applies to organizations involved in clinical investigations of medical products, including sponsors, clinical investigators, institutional review boards (IRBs), and contract research organizations (CROs).

Most, if not all, of these people and organizations are also health care providers, so their operations would most likely fall under the HIPAA rules as well. The Regulations concern the IT systems of these organizations, including any electronic systems used to create, modify, maintain, archive, retrieve, or transmit records used in clinical investigations.

Penalties and enforcement:

The Regulations are enforced by the FDA, which will conduct investigations and audits. Since these records are to be used for validating the research by the FDA, the Regulations are geared more toward the integrity part of the confidentiality, integrity, availability triad.

How to comply with FDA:

The Regulations require the following:

  • Systems ensure accuracy, reliability, and consistent performance
  • Limiting system access to authorized individuals
  • Audit trails
  • Establishing and adhering to written policies that hold individuals accountable
  • Training

CFTC: Commodity Futures Trading Commission Derivatives Clearing Organizations Regulation

17 CFR Part 39, Subpart B, 17 CFR 39.18 - System safeguards


The CFTC Regulation applies to derivatives clearing organizations. These entities act as a medium for clearing transactions in commodities for future delivery or commodity option transactions. There are about 27 worldwide. These markets are at the heart of the global financial system.

Penalties and enforcement:

SEC regulation S-ID is subject to the same penalty as S-P. Civil fines for violating this Regulation can be up to $1,098,190 or triple the monetary gain. This rule can be enforced by an SEC action or by FINRA.


How to comply with CFTC:

To protect themselves, derivatives clearing organizations must develop an extensive and robust information security program that includes the following: 

  • An annual compliance report that must be sent to the board and CFTC
  • Vulnerability testing of independent contractors twice every quarter
  • Internal and external penetration testing at least annually
  • Control testing once every three years
  • Annual security incident response plan testing
  • Annual enterprise technology risk assessment (ETRA)

ECPA and SCA: Electronic Communications Privacy Act and Stored Communications Act

18 U.S. Code Chapter 119 and 18 U.S. Code Chapter 121

The Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA), also known as the Wiretap Act, are privacy statutes.


Originally designed to limit warrantless surveillance, these acts forbid the intentional use or disclosure of, or access to, any wire, oral, or electronic communication without authorization.

Penalties and enforcement:

The acts provide criminal penalties that could be used to jail malicious hackers. They also provide a private right of action.

How to comply with the ECPA and SCA:

  • Policies should prohibit recording or disclosing any oral or electronic communications without obtaining consent from both parties
  • Policies should prohibit surveillance of non-employees unless there is consent
  • Policies allow surveillance, including video and email interception of employees, if there is a valid business reason for doing so

EU-US Privacy Shield


The Privacy Shield was developed to protect EU residents’ data held and processed by organizations in the US.

The protection of an individual’s data in the US does not come anywhere near what the EU considers adequate. The EU-US Privacy Shield was declared invalid by the European Court of Justice (ECJ) on July 16, 2020, following the decision in Schrems II.

Since an enormous quantity of data is exchanged between the US and the EU, the US government and EU commissioners came up with a method to circumvent the previous Data Protection Directive with a program called Safe Harbor.

The Safe Harbor agreement was overturned on October 6, 2015, by the European Court of Justice (ECJ), so the EU commissioners and US government had to act quickly to come up with an alternative that would meet the requirements of the EU’s General Data Protection Regulation (GDPR).

FPA: Privacy Act of 1974


The FPA applies only to agencies of the US Federal Government. It governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals maintained in systems of records by federal agencies.

It prohibits the disclosure of information from a system of records controlled by the federal agency without the subject's written consent, unless the disclosure is permitted under one of 12 statutory exceptions. Until recently, it only applied to lawful residents of the US.


Penalties and enforcement:

Covered persons, including lawful residents of the US and citizens of certain foreign countries designated by the US Secretary of State, may sue in a US federal district court for actual damages or $1,000 (whichever is greater), attorney fees, and court costs. The court may also require the federal agency to amend or correct any information on file concerning the covered person.

How to comply with the FPA:

All US federal agencies must:

  • Not disclose any record that is contained in a system of records by any means of communication to any person, or to another agency, without a written request from, or the prior written consent of, the individual to whom the record pertains
  • Allow any individual to gain access to their record or to any information related to them that is contained in the system, and permit them and, if they request, a person of their choosing to accompany them, to review the record and have a copy made
  • Maintain any record concerning any individual, making reasonable efforts to ensure such records are accurate, relevant, timely, and complete
  • Assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to, the individual

Consumer Privacy Protection Act of 2017

The proposed Consumer Privacy Protection Act of 2017 has been designed to ensure the privacy and security of sensitive personal information, to prevent and mitigate identity theft, to provide notice of security breaches involving sensitive personal information, and to enhance law enforcement assistance and other protections against security breaches, fraudulent access, and misuse of personal information.


It will apply to organizations that collect, use, access, transmit, store, or dispose of sensitive personally identifiable information of 10,000 or more US citizens during any 12-month period.

Penalties and enforcement:

Civil penalty fines will not exceed $5 million unless the violation is found to be willful or intentional, in which case an additional $5 million can be imposed.
