In the US, the Federal Trade Commission (FTC) is the primary regulator of privacy and cybersecurity, using its broad authority under Section 5 of the Federal Trade Commission Act to bring enforcement actions against unfair or deceptive privacy and cybersecurity practices. However, numerous sector-specific laws impose particular rules on the handling of data by covered entities, and these laws are often overseen by other federal agencies. For example:
- Financial institutions’ handling of non-public personal information is governed by the privacy and security provisions of the Gramm-Leach-Bliley Act, and is overseen by a variety of regulators, including the Securities and Exchange Commission, the Consumer Financial Protection Bureau, the Federal Reserve, the FTC, and others, depending on the exact nature of the financial institution in question.
- Healthcare providers’ and health insurance providers’ handling of protected health information is governed by the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA) and rules implemented by the Department of Health and Human Services.
Additionally, states are very active in the privacy and cybersecurity space. The primary data breach notification laws are all state-level laws, and some states have enacted laws or adopted regulations regarding privacy and cybersecurity that are stricter in some ways than federal law. For example:
- The California Consumer Privacy Act and California Online Privacy Protection Act include a number of requirements for companies doing business in the State of California or collecting information from California residents.
- The Illinois Biometric Information Privacy Act (BIPA) includes a number of restrictions around the collection and use of certain biometric identifiers, such as facial scans, retinal scans, and fingerprints.
Violations of these laws are likely to result in monetary penalties, the size and scope of which are likely to be a function of the sensitivity of the data at issue and the nature of the violation.