With more and more businesses going online, security is becoming a major concern, and data privacy laws are following. While the European Union (EU) has the single, comprehensive GDPR, the United States takes a segmented approach: a patchwork of federal sector-specific laws and state laws. Let's take a closer look at the 5 main US data privacy laws you need to abide by in 2022 and beyond.
What is Data Privacy?
Data privacy involves the safeguarding of personal information like names, email addresses, postal addresses, credit card numbers, and other private data that can identify a person. Beyond the obvious security measures that protect networks and databases, online businesses are also required to obtain the right permissions from users before storing or using this personal information.
Neglecting data privacy can lead to data breaches or leaks that put this sensitive information in attackers' hands, after which it can be used for fraud or extortion, sold to third parties, or auctioned on the dark web.
The sharp rise in online application and service usage has raised privacy awareness and shifted the way governments look at these risks. Privacy laws like the GDPR started the new trend in privacy enforcement, and the USA is now enforcing a series of laws that safeguard key sectors like healthcare, banking, insurance, and of course eCommerce.
US-based startups and SMBs now need to watch out for the implications of these privacy laws. As we'll learn in this article, fines by regulatory bodies can reach $50,000 per violation at the top HIPAA tier. At that rate, 2,000 stolen records could in principle imply $100 million in fines, before the statute's annual caps are applied; the point is that a single undetected breach can be an existential event for a small business. The financial risk of cybercrime is only going to increase as we go ahead.
Top 5 US Data Privacy Laws
Without further ado, let's go over the top 5 US data privacy laws that small businesses need to look out for before scaling up. Any organization handling thousands of personal records with sensitive data has to take privacy seriously.
1. Health Insurance Portability and Accountability Act (HIPAA)
Applies to: Healthcare Providers, Health Plans and Insurance Providers, Healthcare Clearinghouses, and their Business Associates (vendors that handle protected health information on their behalf)
A federal law signed by Bill Clinton in 1996, HIPAA provides data privacy and security provisions for the purpose of safeguarding medical information. Besides ensuring continuity of health insurance coverage, this law helps prevent fraud and abuse and streamlines healthcare delivery by standardizing and securing the electronic transactions (claims, eligibility, payments) exchanged between all parties involved.
The five main pillars of HIPAA are:
- HIPAA Title I: Health Insurance Reform
- HIPAA Title II: Administrative Simplification
- HIPAA Title III: Tax-Related Health Provisions
- HIPAA Title IV: Enforcement of Group Health Plan Requirements
- HIPAA Title V: Revenue Offsets
All covered organizations must use the standard, secure Electronic Data Interchange (EDI) transaction formats and make sure that providers and plans are identified with proper records, including a unique 10-digit National Provider Identifier (NPI), amongst other HIPAA requirements. The Privacy Rule governs how protected health information (PHI) may be used and disclosed, and the Security Rule requires administrative, physical, and technical safeguards for electronic PHI. The HHS Office for Civil Rights (OCR) is the official regulatory body responsible for enforcing HIPAA compliance and imposing penalties on offenders.
2. Gramm-Leach-Bliley Act (GLBA)
Applies to: Banks, Securities Firms, Insurance Companies, and Other Organizations Significantly Engaged in Financial Services
Also known as the Financial Modernization Act of 1999, the GLBA is another privacy-enforcing set of rules for the US financial sector. Transparency is addressed closely by this law: all financial institutions must be transparent about what data they collect and how it is shared with nonaffiliated third parties, and they must give customers the option to opt out of that sharing.
The key requirements of the GLBA are found in the Financial Privacy Rule (notices and opt-out rights) and the Safeguards Rule (a written information security program to protect customer data). The GLBA is enforced by the FTC, the relevant federal banking agencies, the SEC, and state insurance regulators.
3. 23 NYCRR 500
Applies to: Banks, Insurers, and Other Financial Services Companies Licensed or Regulated by the New York State Department of Financial Services
Commonly known as the NYDFS Cybersecurity Regulation, 23 NYCRR 500 is a cybersecurity regulation (rather than a consumer privacy law in the GDPR sense) meant to safeguard the financial information and nonpublic data held by regulated entities in the state of New York, by requiring a risk-based cybersecurity program and modern risk management processes. The New York State Department of Financial Services (NYDFS) is the regulatory body in charge of this regulation's implementation and enforcement.
Here are the main 23 NYCRR 500 requirements:
- Invest adequately in cybersecurity and data protection measures, based on a documented risk assessment
- Be fully transparent about how personally identifiable information (PII) and financial information is stored and processed at all times
- Have effective containment and remediation plans in place
- Create an incident response plan that includes notifying the NYDFS within 72 hours of determining that a cybersecurity event has occurred
- Submit an annual certification of compliance to the NYDFS and be prepared for examinations
How can you achieve 23 NYCRR 500 compliance? The main things needed include encryption of nonpublic information both in transit and at rest (with documented compensating controls where encryption is infeasible), multi-factor authentication for remote access, and regular penetration testing and vulnerability assessments. The regulation also requires designating a qualified individual as CISO; that person may be employed by the company, by an affiliate, or by a third-party service provider such as an MSSP, but the regulated entity remains responsible for compliance.
4. Virginia Consumer Data Protection Act (VCDPA)
Applies to: Businesses That Operate in Virginia or Target Virginia Residents and Meet the Law's Processing Thresholds (personal data of at least 100,000 consumers a year, or at least 25,000 consumers where more than 50% of gross revenue comes from selling personal data)
Virginia's own comprehensive privacy law was signed by Governor Ralph Northam in March 2021, making Virginia the second state after California to pass one. It's largely based on the proven and tested European GDPR framework (including the controller/processor distinction). Because of the significant process and security changes required to comply, the statute itself sets an effective date of January 1, 2023, giving businesses until the start of 2023 to align themselves with the new requirements.
What can customers do with the VCDPA rules in place?
- Consent to (or refuse) the processing of sensitive personal data, such as health, biometric, or precise geolocation data
- Request access to personal data that has already been collected
- Ask to correct or delete this personal information
- Obtain a portable copy of the collected personal data from the business
- Opt out of targeted advertising, the sale of personal data to third parties, and profiling that produces significant decisions
Besides maintaining reasonable administrative, technical, and physical security practices (encryption and network security controls among them), the business controlling the personal data (the "controller") must also be able to respond to the aforementioned requests within 45 days, extendable once by a further 45 days when reasonably necessary.
5. California Consumer Privacy Act of 2018 (CCPA)
Applies to: For-Profit Businesses That Do Business in California and Collect California Residents' Personal Information, Regardless of Where the Business Is Headquartered
Following the relative lack of coverage by older California privacy laws, the CCPA was signed into law in 2018 and took effect on January 1, 2020. Many aspects of this law are similar to the GDPR: California residents gain the right to know what personal information is collected, to delete it, and to opt out of its sale. Businesses that collect that information (the CCPA's "businesses", with their "service providers") are responsible for disclosing their data collection practices at or before collection and for keeping the data reasonably secure. The California Privacy Rights Act (CPRA), passed in 2020, amends and expands the CCPA from January 1, 2023.
Got a business that serves California residents? You'll have to comply with the CCPA if any one of the following applies:
- The business generates gross annual revenue of over $25 million
- You buy, sell, or share the personal information of more than 50,000 California consumers, households, or devices per year (the CPRA raises this threshold to 100,000 consumers or households from 2023)
- Selling California residents' personal information generates 50% or more of your business's annual revenue
Cyber Insurance: When Data Privacy Goes Wrong
The aforementioned privacy laws are helping improve security standards in the United States, but cybercrime isn't going away anytime soon. Ransomware attacks, phishing campaigns, and supply-chain exploits are still multiplying because of the same Achilles' heel: humans. Social engineering can always take advantage of undertrained or unsuspecting individuals in your organization.
CCPA civil penalties start at $2,500 per violation for unintentional violations and climb to $7,500 per intentional violation; on top of that, consumers whose data is exposed in a breach caused by a failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident. Hanna Andersson already paid $400,000 to settle a CCPA-related breach lawsuit in 2020. The bad news is that smaller businesses and SMBs can find it hard to bounce back from such costs. This is where cyber insurance comes to the rescue.
Cyber insurance, when combined with the right cybersecurity toolkit, can help you recover faster from data breaches and leaks, allow you to complete your legal and regulatory obligations on time, and improve your overall financial resilience.