The United States does not have one comprehensive data protection law. Instead, many separate laws focus on different types of data found in different industries, and on how that data is used. Several federal agencies regulate compliance with these laws.
The Health Insurance Portability and Accountability Act (HIPAA) regulates some kinds of health information. The Department of Health and Human Services (HHS) and its Office of Civil Rights (OCR) oversee HIPAA compliance. The Gramm-Leach-Bliley Act (GLBA) protects some types of consumer financial information; the Federal Trade Commission (FTC) ensures compliance with it. TABLE 1-2 lists several important laws, the information they regulate, and the agency that enforces each. Many of these laws are explored further in this book.
TABLE 1-2 Laws That Influence Information Security

| NAME OF LAW | INFORMATION REGULATED | REGULATING AGENCY |
|---|---|---|
| Gramm-Leach-Bliley Act | Consumer financial information | Federal Trade Commission |
| Red Flags Rule | Consumer financial information | Federal Trade Commission |
| Payment Card Industry Standards* | Credit card information | Credit card issuers via contract provisions |
| Health Insurance Portability and Accountability Act | Protected health information | Department of Health and Human Services |
| Children’s Online Privacy Protection Act | Information from children under the age of 13 | Federal Trade Commission |
| Children’s Internet Protection Act | Internet access in certain schools and libraries | Federal Communications Commission |
| Family Educational Rights and Privacy Act | Student educational records | U.S. Department of Education |
| Sarbanes-Oxley Act | Corporate financial information | Securities and Exchange Commission |
| Federal Information Systems Management Act | Federal information systems | Office of Management and Budget, and Department of Homeland Security |
| State breach notification acts | State information systems containing protected health information | Varies among states |

*The Payment Card Industry (PCI) Standards are not a law. Organizations that wish to accept credit cards as payment for goods and services must follow these standards.