In the US, the Federal Trade Commission (FTC) is the primary regulator of privacy and cybersecurity, using its broad authority under the Federal Trade Commission Act to prosecute unfair or deceptive privacy and cybersecurity practices. However, there are numerous sector-specific laws that impose particular rules on the handling of data by covered entities, and these laws are often overseen by other federal agencies. For example:
- Financial institutions’ handling of non-public personal information is governed by the privacy and security provisions of the Gramm-Leach-Bliley Act and is overseen by a variety of regulators, including the Securities and Exchange Commission, the Consumer Financial Protection Bureau, the Federal Reserve, the FTC, and others, depending on the exact nature of the financial institution in question.
- Healthcare providers’ and health insurance providers’ handling of protected health information is governed by the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA) and rules implemented by the Department of Health and Human Services.
Additionally, states are very active in the privacy and cybersecurity space. The primary data breach notification laws are all state-level laws, and some states have enacted laws or adopted regulations on privacy and cybersecurity that are stricter in some respects than federal law. For companies doing business in these jurisdictions, such laws effectively set the floor for minimum compliance. For example:
- The California Consumer Privacy Act and California Online Privacy Protection Act include a number of requirements for companies doing business in the State of California or collecting information from California residents.
- The Illinois Biometric Information Privacy Act includes a number of restrictions on the collection and use of certain biometric information (facial scans, retinal scans, fingerprints).
- The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires businesses that own or license New York residents’ private information to institute and maintain certain security safeguards. It takes a more expansive view of the personal data whose exposure triggers notification requirements, and it broadens the definition of a data breach to include unauthorized ‘access’ to personal information, rather than only its ‘acquisition.’
Violations of these laws are likely to result in monetary penalties, the size and scope of which are likely to be a function of the sensitivity of the data at issue and the nature of the violation.
Certain criminal statutes also touch on cybersecurity issues. For instance, the Computer Fraud and Abuse Act is the primary federal anti-hacking law; it prohibits unauthorized access to protected computers and prohibits users from knowingly exceeding their authorized access. Particularly as to the latter, interpretations of which activities are deemed improper vary by jurisdiction, with open questions as to certain practices such as web scraping.