Global Data and Cyber Handbook

United States

Select a Topic
Start Comparison
Security Requirements and Breach Notification
Jump to
Security Requirements and Breach Notification Start Comparison
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 31 December 2024

Yes, although US laws vary. Some include requirements for:

☒   general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒   obligation to take specific security measures e.g., encryption

☒   requirement to undertake third party due diligence (security assessment of third party providers)

☒   reasonable security controls. The CCPA, CPA and the VCDPA require businesses to adopt reasonable security procedures and practices appropriate to the nature of the information held by the business.

☒   encryption.  Required under HIPAA, although not strictly required by US privacy laws, in most instances, encryption of personal data (where the encryption key is not compromised) will provide an exception to notification under US breach notification laws. The GLBA Safeguards Rule requires that entities regulated by GLBA encrypt information both in transit and at rest.

☒   other

Numerous state laws establish various affirmative security requirements for the protection of Social Security Numbers, financial account numbers, health/medical data, and other sensitive personal data.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 31 December 2024

Yes.

  public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks).

On 26 July 2023, the US SEC approved final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Final Rules). The Final Rules require companies to disclose material cybersecurity incidents in a Form 8-K (or Form 6-K for Foreign Private Issuers) within four business days of a determination that the incident is material. Companies will be obligated to disclose their cybersecurity risks annually in their Form 10-Ks or Form 20-Fs, including with respect to any previous cybersecurity incidents that have materially affected the company or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. Companies also have an obligation to explain how such cybersecurity incidents either affected or are reasonably likely to affect the company. The Final Rules also require the new disclosures to be tagged with Inline eXtensible Business Reporting Language (Inline XBRL).

   health regulatory requirements. The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information.

☒   financial services requirements. The Gramm-Leach-Bliley Act, as implemented through various regulatory actions, as well as various other federal and state financial privacy laws, requires safeguards for the protection of nonpublic personal information.

   telecommunication requirements. The Federal Communications Commission has implemented rules that require carriers to protect customer proprietary network information (CPNI) relating to customers, and other rules apply.

   providers of critical infrastructure. Under CIRCIA, covered entities will be required to report cyberattacks and ransomware payments within specified timeframes to the Cybersecurity and Infrastructure Security Agency once the final rule implementing CIRCIA's requirements goes into effect in early 2026.

   digital or connected (IoT) products

☒   other

The GLBA Safeguards Rule mandates financial institutions to employ data protection measures such as multifactor authentication.

If yes, please provide brief details of the relevant law or regulation.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 31 December 2024

☒   Data privacy

☒   Securities or public company

☒   network information security

☒   health

☒   financial services

☒   telecommunications

☒   critical infrastructure

☒   other

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 31 December 2024

Yes. Under various sector-specific federal regulations, breach notification obligations apply in particular sectors (e.g., energy, government contractors, healthcare, financial institutions, telecommunications, etc.). At the state level, each of the 50 states and Puerto Rico have established breach notification obligations that generally apply to unauthorized access or acquisition of categories of unencrypted sensitive personal data as specified in that state's law. Common data categories include Social Security Numbers, government-issued IDs, financial account information, health/medical information, and others. The definitions and conditions vary from state to state. For example, under California's security breach notification law, Cal. Civ. Code § 1798.82, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal data maintained by the person or business, where the "personal data" at issue can include a wide variety of government identifiers, financial information, health/medical information and more. Other rules, such as those issued by the SEC as described above, also apply.

Controllers/Owners have to notify:

Last review date: 31 December 2024

US laws vary, but generally, a controller may have an obligation to notify:

☒   data protection authorities

Federal rules typically require notification to the appropriate federal regulators if the applicable thresholds are met. For example, HIPAA's Breach Notification Rule (45 C.F.R. §§164.400-414) requires covered entities to notify HHS and affected individuals for certain unauthorized acquisitions, accesses, uses or disclosures of protected health information (PHI) in certain circumstances.

Under certain state breach notification laws, in-scope entities that have experienced a data security breach must notify the applicable State Attorneys General if certain circumstances are met. For example, under Cal. Civ. Code § 1798.82(f), a company that is required to notify more than 500 individuals must also notify the California Attorney General. In certain states, such under Maryland Code, Commercial Law Section 14-3501 et seq., the Attorney General must be notified prior to notification to any individuals. 

☒   cybersecurity authorities. Telecommunications providers have duties to report cybersecurity incidents to law enforcement. Also, under CIRCIA, covered entities will be required to report cyberattacks and ransomware payments within specified timeframes to the Cybersecurity and Infrastructure Security Agency once the final rule implementing CIRCIA's requirements goes into effect.

☒   affected individuals, if applicable thresholds are met

☒   other

In certain circumstances and under various state laws, companies may be required to report certain cyber events to law enforcement and the United States Department of Defense. Depending on the volume of data impacted, state laws may require entities to notify consumer reporting agencies. Apart from privacy and regulatory duties, companies may also have contractual obligations to notify data incidents in certain cases, such as obligations to notify merchant banks and/or credit card brands of certain events involving payment card information.

Processors/Agents have to notify:

Last review date: 31 December 2024

Under certain state-, sector-, activity- specific data breach notification laws, certain entities can functionally be considered "data processors," such as "business associates" under HIPAA, and "service providers" or "data maintainers" under state breach notice laws. Additionally, contractual terms between the "data processor" and "controller" may require the processor to notify others, including affected individuals and regulators.

☒   controller/owner

Typically, these entities will have duties to notify the controllers/owners of the data. For example, at the federal level, the HIPAA Breach Notification Rule requires business associates to notify the relevant covered entity of a discovered data breach. Similar requirements apply under other federal and state data breach notification laws.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 31 December 2024

Yes.

☒   public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)

☒   cybersecurity authorities (e.g., to notify CISA as described above)

☒   health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒   financial services requirements (e.g., to notify financial regulatory authorities as per GLBA and other requirements)

☒   telecommunication requirements

☒   providers of critical infrastructure

☒   other

Organizations need to assess additional sector-specific or non-personal data security breach notification requirements on a case by case basis, including specific contractual obligations. 

If so, please provide brief details of the relevant law / guidance and indicate which body/bodies must be notified of the breach.

{{ $store.state.loadingScreen.message }} ...