How-to guide: How to develop, implement and maintain a US information and data security compliance program (USA)

Updated as of: 11 August 2025

Introduction

This guide will assist in-house counsel, private practice lawyers and risk and compliance teams to develop, implement, and maintain a US information and data security compliance program. This guide provides an overview of the US data security legal environment and outlines a framework for compliance program development, implementation, and maintenance.

This How-to guide covers the following:

  1. Legal framework
  2. How to develop your compliance program
  3. How to implement and maintain your compliance program

This guide does not cover specific data compliance laws or data security frameworks.

This guide can be used in conjunction with the following How-to guides: How to determine and apply relevant US privacy laws to your organization and How to manage third party supply chain data privacy and security risks and liability.

Section 1 – Legal framework

Every business that collects and maintains data needs to be aware of data security. Federal law imposes data security requirements on certain types of businesses. More significantly, every state now has laws relating to data security, and these laws generally apply to every type of business that collects data. While the specifics of these laws differ, their overall structures are similar. See IAPP US State Data Breach Notification Law Matrix for additional details.

See How-to guide: How to determine and apply relevant US privacy laws to your organization.

1.1 Useful key terminology

The following are the definitions of key terms as used in this guide.

Term – Definition
Data – Any record of information created in electronic or other forms.
Data security – The practice of safeguarding information from unauthorized access, alteration, or destruction that could lead to theft or corruption of the data.
Data security compliance – Adherence to legal standards for managing, storing, and using data. Standards come from statutes and regulations, and also from the common law. The focus of data security compliance is often on consumer and client data but also encompasses other data, such as employee and contractor information.

See also Quick View: Key data privacy and data security terms.

1.2 Importance of having a data security program

Implementing a data security program is essential for organizations of all sizes that collect and store data. These programs help ensure that the organization complies with legal obligations and help to protect against data breaches and unauthorized access. Data security breaches can result in significant financial losses from fines and legal settlements. Additionally, such breaches can erode consumer trust.

Many businesses have paid an enormous financial price for data breaches, which underscores the importance of maintaining a robust data security program. For example, in 2017, Equifax, the credit reporting agency, suffered a data breach after it failed to patch a known vulnerability in a public-facing web application. The breach exposed the personal and financial data of approximately 147 million people. The Federal Trade Commission alleged that Equifax, as a custodian of highly sensitive personal data, failed to take reasonable steps to secure its network and thereby breached its duty to protect that data. Under its 2019 settlement with the FTC, the Consumer Financial Protection Bureau, and the states, Equifax agreed to pay at least $575 million, and up to $700 million. According to the HIPAA Journal, cyberattacks on healthcare organizations in 2023 set two new records: the most reported data breaches and the most breached records. In 2023, 725 data breaches were reported to the HHS Office for Civil Rights (OCR), and across those breaches more than 133 million records were exposed or impermissibly disclosed, demonstrating the importance of a data security compliance program.

1.3 Sources of data security obligations

1.3.1 Statutes and regulations

Federal and state statutes and regulations impose numerous data security obligations. Certain industries and some types of data are more heavily regulated than others. The most heavily regulated sectors include health care, financial services, and data collection; data brokers are also subject to specific regulation in several states. Data that contains individuals’ sensitive information, such as health information, financial information, and data that identifies a particular individual, is subject to more regulation under state and federal privacy laws.

Some data security obligations stem from laws and regulations that are expressly data security laws, while other obligations come from other types of laws. These include privacy laws, unfair business practice laws, and digital transaction laws that encompass data security obligations directly or by inference.

See How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US.

Data security is an area of the law that is in continuous flux, so it is important to check frequently for new legislation and regulations.

1.3.2 Common law

Common law claims, under a variety of causes of action, including general negligence, may be brought against organizations for their failure to adequately protect and safeguard data. A significant development in this regard was the Pennsylvania Supreme Court’s 2018 decision holding that employers have a common law duty of reasonable care to protect their employees’ sensitive personal data. See Dittman v UPMC, 196 A.3d 1036 (Pa. 2018). Litigants in other states are likely to bring cases to establish similar new data-focused duties.

1.3.3 Contracts

Even if there is no federal or state regulation or common law claim that can arise from an organization’s data usage, organizations may be contractually obligated to undertake certain data security measures. These requirements may stem from contracts with business partners, clients, or third-party providers, as well as from agreements your organization drafted itself. See How-to guide: How to manage third party supply chain data privacy, security risks, and liability.

1.4 Commonly used standards and frameworks

1.4.1 ‘Reasonable’ or ‘appropriate’

The most common legal requirements for data security are ‘reasonable’ or ‘appropriate’ measures and practices. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires ‘reasonable and appropriate . . . technical . . . safeguards’ to protect the security of patient health information. See 42 USC 1320d-2(d)(2). California similarly requires ‘reasonable security procedures and practices appropriate to the nature of the information’ in connection with the collection, storage, and use of Californians’ personal information. See Cal Civil Code section 1798.81.5(b). For an example of the courts applying a reasonableness standard, see Purvis v Aveanna Healthcare, LLC, 563 F. Supp. 3d 1360 (N.D. Ga. 2021) (‘Plaintiffs specifically allege that, as a healthcare provider, Defendant knew or should have known that it faced a particularly high risk of a data breach but that Defendant nevertheless failed to properly guard against this foreseeable risk by implementing reasonable security measures, which ultimately led to Plaintiffs' injuries as a result of the Data Breach’).

1.4.2 Common IT frameworks

Security of digital data is the largest component of a data security program for many, if not most, organizations. Due to the complexity of securing digital data, multiple IT security frameworks have been developed. These frameworks are not legally mandated but provide good guidance for developing programs that are reasonable and appropriate.

The most commonly used frameworks are the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) and the International Organization for Standardization's ISO/IEC 27001 standard. The NIST framework was initially developed to assist critical infrastructure operators, but it is now used by organizations of all kinds, and version 2.0, released in 2024, expressly addresses all organizations regardless of sector or size. It is widely considered the framework with the broadest applicability and may become the go-to standard for all businesses. The NIST website provides perspectives to help small- and mid-sized businesses tailor the framework to their needs. ISO/IEC 27001 is also widely used and, unlike the NIST CSF, supports certification of an organization's information security management system by an accredited auditor. It has been criticized as too flexible, because it specifies requirements for the management system and a catalog of controls (Annex A) but leaves the selection and implementation of controls to the organization's own risk assessment. Neither framework substitutes for the specific requirements of the statutes and contracts that apply to an organization; the usual approach is to map those requirements to the framework's controls and then assess the gaps.

Section 2 – How to develop your compliance program

2.1 Assign responsibility

2.1.1 In-house compliance staff

Data security compliance involves the intersection of the law with the operation of the business. Accordingly, in-house responsibility for data security compliance should be multi-departmental, with the legal, compliance, and IT departments typically carrying the greatest responsibility.

In-house responsibility has the advantage of having the responsible personnel readily available for consultation. They should be intimately familiar with the organization’s operations.

See Checklist: Understanding privacy laws in the US.

2.1.2 External compliance assistance

Data security compliance is increasingly complex and can be difficult for some organizations to manage fully in-house. An increasing number of third-party providers offer assistance in the form of:

  • conducting compliance audits;
  • advice; and
  • information security management.

A provider outside of the organization has the advantage of being able to give an unbiased outsider’s perspective. They can also make recommendations without institutional biases (eg, inertia or departmental loyalty) that may hinder the implementation of a new approach to a problem.

2.2 Key components of program

2.2.1 Identify information assets

Information assets are assets that are valuable to an organization. The value is often derived from the assets being confidential or sensitive in nature. Trade secrets, customers’ personal information, and protected health information are all examples of information assets. Information assets may be in physical or digital form; the latter is increasingly more common.

When identifying information assets, organizations should identify the asset, its location, who has access to it, and whether the asset is or may be subject to data compliance laws or other requirements.

2.2.2 Conduct a risk assessment

When conducting a data security risk assessment, consider the key points listed below.

  • Legal environment – consider what statutes and contractual obligations apply to your organization’s data as well as the penalties or potential civil liability for noncompliance. Also consider legislative trends, such as proposed legislation.
  • Types of data – certain types of data create higher risk. Some data, such as protected health information, carries a heightened risk because it is highly regulated under privacy laws. For further guidance see Checklist: Completing a data privacy risk assessment. Other data, such as financial information, carries a heightened risk because it is sought after by hackers. Note categories of higher risk during the assessment.
  • Industry – an organization’s industry impacts risk in multiple ways. Some industries, such as the health care, finance, and data collection industries, are more highly regulated than others. Other industries by nature involve storage and management of large amounts of sensitive information assets.
  • Scope of harm if incident occurs – consider what harm will occur if a data security breach occurs. Evaluate the worst case scenario, but also consider the impact of lower level, or smaller, breaches.
  • Security measures currently in place – organizations with few or outdated security measures are at particularly high risk of data security issues.
  • Likelihood of incident – evaluate the likelihood of a data security breach occurring. Determining likelihood requires an evaluation of the frequency with which threats arise and the security measures in place. To do this, consult with your IT team to obtain their assessment and locate relevant reports or guides that address data breach likelihood in your business or industry.

For further guidance see Checklist: Completing a data and information security risk assessment.

2.2.3 Implement preventative measures

To comply with legal obligations, and to avoid events that will disrupt an organization’s business, implement preventative measures designed to decrease the likelihood of a security incident. As noted above, ‘reasonable’ or ‘appropriate’ measures are common standards. What is reasonable will vary depending on an organization’s size, contractual obligations, the sensitivity of the data involved, and other factors.

Key preventative measures that every organization should take are listed below.

  • Physical measures and controls – these provide physical restrictions on access to devices or areas that house data. Common physical security measures include locks, ID badges, surveillance cameras, and security guards.
  • Technical access controls – these restrict access to data through use of technological tools. Common controls include unique log-on credentials, multi-factor authentication, role-based permissions that grant only the access a job requires (least privilege), firewalls, and network segmentation.
  • Data confidentiality, integrity, and availability (CIA) measures – preventative security measures, often in the form of technological security, aimed at ensuring data’s confidentiality, integrity, and availability during storage and transmission are a core part of an organization’s data security plan. CIA measures come in many forms, including encryption, backups, integrity checks (eg, checksums or cryptographic hashes), and version control.
  • Breach-detection measures – measures to detect unauthorized access and other security breaches must be in place, which presupposes that access to sensitive data is logged and that the logs are retained and reviewed.
  • Policies, procedures, and training – data security policies and procedures appropriate to the size and general operations of an organization should be in place. All personnel should receive training on data security as well as the organization’s applicable policies and procedures.
  • Data and hardware disposal and destruction – after its utility has elapsed, properly dispose of data to ensure it is destroyed and inaccessible. Appropriate destruction measures will depend on the sensitivity of data involved and could require the complete wiping of a device's digital data and the physical destruction of hardware – most often the hard drives – which held the data.

2.2.4 Detect vulnerabilities and breaches

Data security programs must include mechanisms for detecting vulnerabilities and data security breaches. Vulnerabilities are weaknesses in systems, processes, or controls (for example, unpatched software, excessive user permissions, or a missing procedure) that could be exploited to cause a breach or that leave the organization open to compliance issues. Data breaches occur when data is accessed, acquired, or taken without authorization.

Prior data security breaches, both the organization’s own and those reported in its industry, can serve as indicators of areas of risk. Logging of access to sensitive data, monitoring of those logs, and alerts on suspicious activity help detect actual or potential breaches so that appropriate staff can swiftly respond to the incident.
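The monitoring step is where a program’s paper controls meet actual evidence. The following is an added example, not code from the guide: a small audit-log review in Python that applies the asset classification of section 2.2.1 and the least-privilege access controls of section 2.2.3 to a constructed access log and raises alerts for the patterns a reviewer would want to see first. The log format (JSON lines with ts, user, role, asset and records fields), the asset classification table, the role entitlements, the hourly volume baselines and the business-hours window are all assumptions made for the example; a real program would populate them from its own asset inventory and access policy.

```python
"""Audit-log review for a data security compliance program.

Added example, not from the guide. Assumed inputs (constructed here):
a JSON-lines access log with fields ts, user, role, asset, records; an
asset classification table; a role entitlement matrix; and per-role
hourly volume baselines. The detection rules are illustrative starting
points, not a complete monitoring design.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timezone

# Classification of information assets (constructed; see sections 2.2.1 and 3.1.1).
ASSET_CLASS = {
    "ehr_db": "restricted",        # protected health information
    "payments_db": "restricted",   # cardholder data
    "sales_by_store": "internal",  # aggregate figures, no personal data
}

# Least-privilege entitlements: the classifications each role may read.
ROLE_ACCESS = {
    "clinician": {"restricted", "internal"},
    "billing": {"restricted", "internal"},
    "marketing": {"internal"},
}

# Records a role normally reads per hour; constructed baselines.
HOURLY_RECORD_LIMIT = {"clinician": 200, "billing": 500, "marketing": 5000}

# Restricted data is expected to be read only during these UTC hours (assumption).
BUSINESS_HOURS = range(7, 19)


def parse_event(line: str) -> dict:
    """Parse one JSON log line into a dict with a UTC datetime and an int count."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
    ev["records"] = int(ev["records"])
    return ev


def review(lines) -> list[dict]:
    """Run the detection rules over log lines and return alerts in log order."""
    alerts: list[dict] = []
    hourly = defaultdict(int)  # (user, hour bucket) -> records read so far

    def alert(kind: str, ev: dict, detail: str) -> None:
        alerts.append({"kind": kind, "user": ev["user"], "asset": ev["asset"],
                       "ts": ev["ts"].isoformat(), "detail": detail})

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        cls = ASSET_CLASS.get(ev["asset"])

        # Rule 1: every asset seen in the log should be in the inventory.
        if cls is None:
            alert("unclassified_asset", ev, "asset missing from inventory")
        # Rule 2: the role is not entitled to this classification.
        elif cls not in ROLE_ACCESS.get(ev["role"], set()):
            alert("access_outside_role", ev, f"{ev['role']} read {cls} data")

        # Rule 3: restricted data read outside business hours.
        if cls == "restricted" and ev["ts"].hour not in BUSINESS_HOURS:
            alert("after_hours_restricted", ev, f"hour={ev['ts'].hour:02d}Z")

        # Rule 4: a user's hourly volume exceeds the baseline for the role.
        bucket = (ev["user"], ev["ts"].replace(minute=0, second=0, microsecond=0))
        before = hourly[bucket]
        hourly[bucket] = before + ev["records"]
        limit = HOURLY_RECORD_LIMIT.get(ev["role"], 0)
        if before <= limit < hourly[bucket]:  # fire once, on the crossing event
            alert("volume_threshold", ev,
                  f"{hourly[bucket]} records in hour, limit {limit}")

    return alerts


def review_text(text: str) -> list[dict]:
    """Convenience wrapper for a log held as one multi-line string."""
    return review(text.splitlines())


# Constructed sample log for demonstration; not real data.
SAMPLE_LOG = """
{"ts": "2025-06-02T09:05:00+00:00", "user": "dr.lee", "role": "clinician", "asset": "ehr_db", "records": 12}
{"ts": "2025-06-02T09:20:00+00:00", "user": "m.ortiz", "role": "marketing", "asset": "sales_by_store", "records": 3000}
{"ts": "2025-06-02T09:31:00+00:00", "user": "m.ortiz", "role": "marketing", "asset": "ehr_db", "records": 1}
{"ts": "2025-06-02T23:40:00+00:00", "user": "dr.lee", "role": "clinician", "asset": "ehr_db", "records": 150}
{"ts": "2025-06-02T23:52:00+00:00", "user": "dr.lee", "role": "clinician", "asset": "ehr_db", "records": 90}
{"ts": "2025-06-02T10:00:00+00:00", "user": "j.doe", "role": "billing", "asset": "legacy_export", "records": 20}
"""

if __name__ == "__main__":
    for a in review_text(SAMPLE_LOG):
        print(a["kind"], a["user"], a["asset"], a["detail"])
```

Run as a script to print the five alerts the sample log produces: a marketing user reading restricted data, two after-hours reads of restricted data, an hourly volume threshold crossed by the second of those reads, and an access to an asset that is absent from the inventory. The volume rule fires once per hour bucket, on the event that crosses the limit, so a single burst does not generate an alert per record. In practice the review would run from a SIEM or a scheduled job, and each alert kind should map to a step in the incident response plan described in section 2.2.5.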

2.2.5 Response and recovery

Organizations should have an incident response plan that covers exactly what should occur when a potential or actual security breach is detected. The following are key elements which should be addressed in the plan:

  • Containment – include steps to assess, contain, and control data breaches. Include details such as how to identify the root cause, lock down affected systems, and preserve evidence (logs, system images) before it is altered, since that evidence is needed to determine what data was affected and whether notification is required.
  • Contingency – provide a way for the organization to continue to operate after the security breach has occurred, for example, through the use of data backups.
  • Remediation – cover data recovery as well as legal remediation, such as providing legally required breach notices.
  • Responsible parties – identify who is responsible for leading and carrying out each part of the incident response plan.

2.2.6 Address third-party issues

Organizations must evaluate whether data security compliance risks are raised by their interactions with third parties, such as outside vendors and service providers.

Organizations must act reasonably to avoid liability. At the very least, an organization must conduct due diligence before working with a third party and contractually require that the third party comply with the organization’s own data security requirements. In some cases, to be compliant with legal standards or with an organization’s own standards, organizations must include data security provisions in contracts with third parties.

For further guidance see How-to guide: How to manage third party supply chain data privacy, security risks, and liability.

Section 3 – How to implement and maintain your compliance program

3.1 Draft notices, policies, and procedures

3.1.1 Internal policies and procedures

Draft internal policies, procedures, guidelines, training presentations, and other materials to convey the organization’s compliance program to personnel. Tailor the policies and procedures toward the organization’s business activities, the complexity and size of the organization, and the geographic scope of its operations. An organization that does business only in one locality, and that collects only a small amount of data from customers for a limited function (eg, processing credit card payments), will have different data security needs from an organization that does business nationwide and that collects a wide range of data for many different facets of its operations.

An effective internal data security policy should address at least the following eight areas:

  • Purpose and objectives of the policy – the most basic purpose of any policy is to avoid the financial, legal, and reputational consequences of a data breach. Use effective security measures to prevent or mitigate these risks. At the same time, the policy must not be so restrictive that the organization is unable to access or make legitimate use of the data it has collected.
  • References to laws, regulations, and compliance standards – include the benchmarks and standards for performance in the policy to allow for evaluation of the policy’s effectiveness as related to those standards. Laws, regulations, and standards are subject to change, so knowing the relevant provisions will give a starting point for checking for updates.
  • Classification of data – access, and the level of security, can be a function of the type of data that is being protected. For example, an organization that stores customer credit card numbers as well as data relating to the quantities of particular products sold at individual retail locations will implement stricter access and security measures for the credit card data.
  • Access control – data is collected and stored for a reason. Data is useless if no one has access to it, but a data security policy is likewise useless if the access allowed is too broad. The policy must delineate who is responsible for controlling or determining access to data, and the extent of the access that will be allowed.
  • Data operations – the mechanics of the security policy must be designed to comply with the applicable laws and regulations, as well as voluntary standards and industry best practices.
  • Security awareness and behavior – all personnel must be at least made aware of data security measures. Training will be necessary for those employees with access to data, with the amount and frequency of their training varying according to the need for the employee to access data and the extent of access they have. For example, a bank employee who sees customer Social Security numbers on loan applications will need more training in data security than an employee whose job does not entail any access to customer data.
  • Encryption policy – it is not always necessary to encrypt all data that an organization possesses, but encryption of data, both in storage and in transit, is often best practice. When drafting a policy, consider a ‘rebuttable presumption’ in favor of encryption: encrypt data unless there is some reason not to. Note that most state breach notification laws treat encrypted data as not breached only if the encryption key was not also compromised, so the policy should address how keys are generated, stored separately from the data they protect, and rotated.
  • Data backup policy – all data should be backed up, with the frequency of the backup determined by the nature of the data. The backup policy should also indicate where and how the backed-up data will be stored, how it will be protected (backups contain the same sensitive data as the live system and should be encrypted, access-controlled, and kept with at least one copy isolated from the production network so that an attacker who compromises production cannot also destroy them), how it will be restored to the system, and how often restoration will be tested.

3.1.2 External-facing notices and policies

Prepare external notices and policies. This should include the required notices, such as initial notices, annual notices of privacy policies (where mandated), and breach notices.

External-facing policies will also impose the organization’s standards on outside parties who may have access to an organization’s data. These parties may include contractors or consultants, or outside professionals such as auditors, accountants, and legal counsel.

3.2 Create a culture of compliance

‘Culture of compliance’ is a common expression. It refers to a workplace environment in which compliance is a routine matter, rather than a set of rules imposed by the authorities. When an organization has a culture of compliance, violations are less likely to occur. This culture fosters trust and accountability among management and employees, encourages open communication about potential issues, and makes compliance an integral part of everyday operations, rather than an afterthought. It reflects a commitment to high ethical standards and regulatory requirements, ultimately enhancing the organization's reputation and reducing risk.

3.2.1 Train personnel

Train all personnel – including contractors – on data security compliance. Tailor the training to the level of responsibility and role in the organization of the person being trained. For example, all IT personnel should receive detailed training on security as the department holds a key role in data security compliance. The personnel in other departments, such as marketing or advertising, who have no or minimal access to data may need only a reminder that internal data is not to be shared.  

For further guidance, see Checklist: Privacy and data security training.

3.2.2 Easy access to policies and procedures

Policies and procedures should be easy to find, access, and review. The data security policy should be written in language that is understandable by anyone needing to apply it. Technical jargon cannot always be avoided, but it should be kept to the minimum amount necessary for the technical staff implementing the policy to know what to do.

3.2.3 Communicate changes

Give notice when substantive changes are made to data security policies and procedures. If possible, give personnel notice in advance of these changes to allow time to implement any necessary changes in procedure.

3.2.4 Foster compliance through incentives for personnel

Provide incentives to staff for meeting organizational, departmental, and compliance goals. Incentives may be financial – a monetary bonus, or a gift – or non-financial, such as paid time off. For example, if an organization has a goal for all new employees to receive data security training within five days of hiring, the organization could provide bonuses to the staff responsible for training when they meet the goal a certain percentage of the time.

Discipline personnel who do not comply with the organization’s data security policies and procedures. The level of discipline should depend on the severity of the noncompliance. The level should also depend on whether the noncompliance was intentional or inadvertent, and on whether the noncompliance was an isolated incident or represents a pattern of substandard behavior.

3.3 Monitor and modify

3.3.1 Provide oversight

An effective data security compliance program has multiple levels of oversight. At a high level, the directors will provide overarching oversight. More significantly, at an operational level, departmental directors and managers must provide oversight in their respective domains of control. The supervision at the departmental level is often more important because it is done by employees who deal with the issue on a day-to-day basis.

3.3.2 Conduct compliance audits

Compliance audits are a key component of a strong data security compliance program. They can be conducted by the organization itself or be outsourced to third parties that provide auditing services. When third parties are used, services that are tailored to the type of business should be selected when possible. For example, a health care provider should hire a third party that focuses on HIPAA and health care compliance.

3.3.3 Modify as appropriate

Regularly update and modify the compliance program as appropriate. Common reasons for updates include legal changes, security breaches, new lines of business, and changes in security best practices.

3.3.4 Compliance is an ongoing process

Compliance of all types is an ongoing process. This is particularly true for data security compliance: technology is ever changing, and with it the legal environment and the best practices for ensuring security.

Additional resources

NIST Cybersecurity Framework

NIST Small and Medium Business Perspectives

ISO/IEC 27001

Colorado Department of Law, Data Security Best Practices

Federal Trade Commission, Financial Privacy

General Services Administration, Information Security

Related Lexology Pro Content

How-to guides:

How to determine and apply relevant US privacy laws to your organization 
How to manage your organization’s data privacy and security risks 
How to implement privacy by design within your organization 
How to develop, implement, and maintain a US privacy law compliance program 
How to evaluate the effectiveness of a data security or data privacy compliance program 
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity 
How to draft a privacy policy, and privacy and data security provisions in contracts 
How to manage third party supply chain data privacy, security risks, and liability 
Incident response plan readiness and identification of a reportable data breach 
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws 

Checklists:

Understanding privacy laws in the US 
Completing a data privacy risk assessment 
Drafting internal privacy policies and procedures 
Completing a data and information security risk assessment 
Drafting a consumer privacy policy 
Developing key privacy and data security contractual terms and provisions (B2C) 
Privacy and data security law training 
Completing a data incident response plan assessment 
Responding to a data breach 
Privacy and data security due diligence in M&A 

Quick views:

Key data privacy and data security terms 
Collection and use of non-consumer data 
Regulation of data brokers 

Reliance on information posted:

While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.