Laws and regulations
Unlike the EU, the United States has no single comprehensive federal law addressing cybersecurity and privacy. Several states have adopted their own privacy laws, and this patchwork creates substantial challenges for corporations and organizations that operate across multiple states or globally.
First, let's take a general look at the current cybersecurity and privacy laws at the federal and state levels.
U.S. Federal Laws
As mentioned above, there is no single holistic national privacy law; instead, several federal laws address specific sectors or forms of personal data, such as:
- Federal Trade Commission Act of 1914 (FTC Act)
Section 5 prohibits unfair or deceptive acts or practices. The FTC uses it to act against organizations whose privacy or security practices contradict the commitments they make to consumers.
- Privacy Act of 1974
Establishes fair information practice principles governing the collection, maintenance, use, and dissemination of records about U.S. citizens and lawful permanent residents. As the Department of Justice notes, this law applies only to federal agencies.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
A healthcare-sector law governing the protection of Protected Health Information (PHI) held by covered entities and their business associates.
- Children's Online Privacy Protection Act of 1998 (COPPA)
Requires websites and online services directed to children under 13 to obtain verifiable parental consent before collecting their personal information.
- Gramm-Leach-Bliley Act of 1999 (GLBA)
Requires financial institutions to safeguard Nonpublic Personal Information (NPI) and restricts its collection, use, and disclosure.
- Fair Credit Reporting Act of 1970 (FCRA)
Regulates consumer reporting agencies and ensures the accuracy, fairness, and privacy of the personal information they collect.
- Family Educational Rights and Privacy Act of 1974 (FERPA)
Protects the privacy of student education records.
- Electronic Communications Privacy Act of 1986 (ECPA)
Protects wire, oral, and electronic communications both in transit and in electronic storage; it covers telephone calls, email, and data held by service providers.
- Video Privacy Protection Act of 1988 (VPPA)
Prohibits video tape service providers (applied today to streaming services as well) from disclosing PII about a consumer's rental or viewing history without consent.
U.S. State Laws
Of the 50 states, only five have adopted comprehensive privacy laws:
- California Privacy Rights Act (CPRA) of 2020, amending the California Consumer Privacy Act (CCPA) of 2018, effective January 2023.
- Colorado Privacy Act of 2021, effective July 2023.
- Connecticut Personal Data Privacy and Online Monitoring Act of 2022, effective July 2023.
- Utah Consumer Privacy Act of 2022, effective December 2023.
- Virginia Consumer Data Protection Act of 2021, effective January 2023.
At this point, other states have either no such laws or only limited ones. In my home state of Texas, we have the Texas Privacy Act of 2019, which in fact focuses on Texas medical record privacy and is therefore known as “TMRPA,” protecting PHI.
Data privacy, security, and governance
To protect privacy adequately, organizations should develop a comprehensive privacy plan. The plan should rest on the fundamental principles of legitimate purpose, proportionality, transparency, and accountability, applied according to the organization's business sector, goals, and objectives. It should also address risks, the necessary security measures, and legal compliance based on where the organization operates, by defining practical steps such as:
- Assembling a privacy team
- Defining data handling procedures
- Assigning data-handling roles (data stewards, custodians, …)
- Conducting privacy and security assessments
Frameworks, policies, and regulations
Policies are designed to carry out plans; regulations are rules that compel subjects to comply; and frameworks are the mechanisms for implementing and applying policies and regulations.
Selecting a privacy framework requires awareness of the organization's information requirements and of the laws, regulations, and policies that apply to it. Some privacy frameworks to consider are:
- NIST Privacy Framework, by the National Institute of Standards and Technology.
- ISO/IEC 27701, a privacy information management extension to ISO/IEC 27001 and 27002, by the International Organization for Standardization and the International Electrotechnical Commission.
- Fair Information Practice Principles (FIPPs), as published by the Department of Homeland Security.
- OECD Privacy Framework, from the Organisation for Economic Co-operation and Development, a group of 38 member countries including the United States, which presents guidelines governing the protection of privacy and transborder flows of personal data.
- GDPR, the European Union's General Data Protection Regulation, the most comprehensive privacy protection and security law to date; although it is a law rather than a framework, it is widely used as a benchmark for privacy programs.