Similar to privacy regulation, there is no comprehensive federal information security law in the US. Accordingly, the security obligations that are imposed on data owners and entities that process PII on their behalf depend on the regulatory context. These security obligations include:
The Safeguards Rule implemented pursuant to GLB requires financial institutions to ‘develop, implement, and maintain a comprehensive information security program’ that contains administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of customer information. The requirements of the Safeguards Rule apply to all non-public personal information in a financial institution’s possession, including information about the institution’s customers as well as customers of other financial institutions. Although the Safeguards Rule is not prescriptive in nature, it does set forth five key elements of a comprehensive information security programme:
- designation of one or more employees to coordinate the programme;
- conducting risk assessments;
- implementation of safeguards to address risks identified in risk assessments;
- oversight of service providers; and
- evaluation and revision of the programme in light of material changes to the financial institution’s business.
The Security Rule implemented pursuant to HIPAA, which applies to ePHI, sets forth specific steps that covered entities and their service providers must take to:
- ensure the confidentiality, integrity, and availability of ePHI;
- protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI;
- protect against any reasonably anticipated uses or disclosures of ePHI; and
- ensure compliance with the Security Rule by the covered entity’s workforce.
Unlike other US information security laws, the Security Rule is highly prescriptive and sets forth detailed administrative, technical and physical safeguards.
State information security laws
Laws in several US states, including California, impose general information security standards on organisations that maintain personal information. California’s law, for example, requires organisations that own or license personal information about California residents to implement and maintain reasonable security procedures and practices to protect the information from unauthorised access, destruction, use, modification or disclosure. In addition, organisations that disclose personal information to non-affiliated third parties must contractually require those entities to maintain reasonable security procedures.
Massachusetts Standards for the Protection of Personal Information
In 2008, Massachusetts issued regulations requiring any person who holds personal information about Massachusetts residents to develop and implement a comprehensive, written information security programme to protect the data. The regulations apply in the context of both consumer and employee information, and require the protection of personal data in both paper and electronic formats. Unlike the California law, the Massachusetts regulations impose certain specific data security standards, including required technical safeguards, on all private entities with Massachusetts consumers or employees.
New York Department of Financial Services Cybersecurity Regulation
In 2017, the New York State Department of Financial Services (NYDFS) issued a regulation that establishes a robust set of cybersecurity requirements for financial services providers regulated by the NYDFS. The cybersecurity regulation applies to entities that operate under an NYDFS licence, registration or charter pursuant to New York banking, insurance or financial services law. The cybersecurity regulation requires such covered entities to maintain a comprehensive cybersecurity programme and implement certain processes and technical controls related to risk assessments, user access privileges, software security, system auditing and monitoring, data encryption, data disposal and retention, and cybersecurity incident response. In addition, the regulation assigns cybersecurity oversight responsibilities to senior officials and boards of directors and requires entities to report cybersecurity events to the NYDFS.
Nevada encryption law
Nevada law requires that organisations doing business in Nevada and that accept payment cards must comply with the Payment Card Industry Data Security Standard. It requires that other organisations doing business in Nevada use encryption when transferring ‘any personal information through an electronic, non-voice transmission other than a facsimile to a person outside of the secure system of the data collector’, and moving ‘any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor’.
State Social Security number laws
Numerous state laws impose obligations with respect to the processing of SSNs. These laws generally prohibit:
- intentionally communicating SSNs to the general public;
- using SSNs on ID cards required for individuals to receive goods or services;
- requiring that SSNs be used in internet transactions unless the transaction is secure or the SSN is encrypted or redacted;
- requiring an individual to use an SSN to access a website unless another authentication device is also used; and
- mailing materials with SSNs (subject to certain exceptions).
A number of state laws also impose restrictions targeting specific SSN uses.
Key industry and government standards
There are several key industry standards in the area of information security. The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that process credit or debit cards. It obligates covered entities to comply with prescriptive information security requirements, which include:
- installing and maintaining a firewall configuration to protect cardholder data;
- encrypting transmission of cardholder data across public networks;
- protecting systems against malware and regularly updating anti-virus software or programs; and
- restricting physical access to cardholder data.
Entities subject to the PCI DSS are required to validate their compliance on an annual basis. The specific requirements necessary to certify compliance depend on the type of entity involved in the processing of payment cards and the number of payment cards processed by the covered entity pursuant to each payment card brand’s compliance validation programme.
The National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce, has produced various publications and guidance on a host of information security topics that are intended to help businesses. The most significant of the NIST security publications is the NIST Cybersecurity Framework. This is a flexible document that gives users the discretion to decide which aspects of network security to prioritise, what level of security to adopt and which standards, if any, to apply. Other guidance documents address methods of media sanitisation, conducting risk assessments, security considerations in the information system development life cycle and storage encryption for end user devices.
In addition, the International Organization for Standardization (ISO) is a non-governmental organisation composed of the national standards institutes of 161 countries. The ISO sets international standards across a range of industries. In the area of information security, the ISO has promulgated two important standards: 27001 and 17799/27002. ISO 27001 provides a ‘process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system’. It is a flexible standard, and users are encouraged to:
- understand their information security requirements and the need to establish policy objectives for information;
- implement controls to manage information security risks in the context of the organisation’s overall business risks;
- monitor and review the performance and effectiveness of the Information Security Management System; and
- continually improve the Information Security Management System based on objective measurement.