Introduction
This guide will assist in-house counsel, private practice lawyers, and risk and compliance professionals to develop procedures and policies to manage data privacy and security. It covers the key data privacy and security laws, regulations, and standards. It also considers how to adapt security control frameworks and manage cybersecurity and risks.
This guide covers the following sections:
- Data security risk oversight
- Security control frameworks and templates
- Cybersecurity and managing your organization’s data security risk
- Data security and corporate governance
For further guidance, see How-to guides: How to develop, implement and maintain a US information and data security compliance program and How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity; and Checklist: Completing a data privacy risk assessment.
Section 1 – Data security risk oversight
The terms cybersecurity, data security, and information security are often used interchangeably and refer to the same thing. They focus on protecting the following:
- information systems (networks or software); and
- data (eg, personally identifiable information about customers, or corporate financial information).
At the most basic level, security measures are designed to do as follows:
- prevent events that compromise security (eg, unauthorized access, corruption, and theft);
- detect breaches after they have occurred; and
- react to security breaches, including stopping or containing the breach, and recovering information.
The objectives of security measures are to ensure the availability of, and control access to, protected data, and to maintain its confidentiality, integrity, and authenticity.
Federal and state involvement in data security issues is increasing. This critical area is covered by a vast and overlapping network of laws, regulations, and standards aimed at protecting data from malicious attacks. Nevertheless, data breaches are on the rise. Every organization should develop and implement a comprehensive data security program in order to protect it from hackers, to comply with legal requirements, and to preserve its reputation.
1.1 Federal, foreign, and state laws
Data security is the subject of both state and federal law and regulation. The list below discusses some of the more important laws. It should not be taken as a comprehensive list, and not all of the listed laws will apply to every organization.
1.1.1 Section 5 of the Federal Trade Commission Act of 1914
Section 5 of the Federal Trade Commission Act of 1914 (FTC Act) (15 USC section 45) is a federal law that prohibits ‘unfair or deceptive acts or practices in or affecting commerce.’ The Federal Trade Commission (FTC) has the power to enforce data security. This power includes the authority to bring actions against organizations that inadequately protect the security of personal information.
1.1.2 Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act of 1999 (GLBA) is a federal law, also known as the Financial Modernization Act of 1999. It requires organizations that offer consumers financial products or services to explain their information-sharing practices to their customers, to safeguard sensitive data, and give customers the option to opt out if they do not want their information shared.
1.1.3 Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 (SOX) is a federal law that applies to all US public companies and the accounting firms that audit them. It requires covered organizations to demonstrate financial data security compliance in 90-day cycles.
1.1.4 Fair and Accurate Credit Transactions Act of 2003
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is a federal law that establishes broad consumer protections, especially against identity theft. It also includes a disposal rule that requires ‘reasonable measures’ for the proper disposal of consumer reports and records in order to protect against ‘unauthorized access to or use of the information.’
1.1.5 Health Insurance Portability and Accountability Act of 1996
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes strict legal requirements for handling protected health information (PHI). It includes rules on privacy, security, and breach notification. It applies broadly to health insurance plans, health care clearing houses, most health care providers (including doctors, clinics, hospitals, nursing homes, and pharmacies), and any of their business associates who handle PHI.
1.1.6 Family Educational Rights and Privacy Act of 1974
The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law. It applies to all educational agencies and institutions that receive certain types of funds from the US Department of Education, and it protects the privacy of student education records.
1.1.7 Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act of 1986 (ECPA) is a far-reaching federal law that prohibits interception, use, or disclosure of ‘any wire, oral, or electronic communication’ in transit or in storage. It also protects the privacy of the contents of files stored by service providers.
1.1.8 Federal laws on disposal of data
The FTC’s disposal rule covers how to properly dispose of consumer reports to prevent unauthorized access or use. HIPAA also covers the safe disposal requirements for PHI.
1.1.9 State laws on unfair and deceptive acts and practices (UDAP)
Laws have been adopted in all 50 states to protect consumers from deception and abuse. These laws have been modeled on the FTC Act’s prohibition on ‘unfair or deceptive acts or practices.’ State UDAP laws can also apply to false and misleading statements in online privacy policies and other information posted online.
1.1.10 State safeguards laws
More than half of US states have enacted laws about the data security practices of organizations. These generally require ‘reasonable security procedures and practices’ to protect personal information about residents.
1.1.11 State disposal laws
At least 35 states have laws that require private and governmental organizations to destroy, dispose of, or otherwise make personal information unreadable or indecipherable.
1.1.12 State biometric information privacy laws
Several states have enacted biometric privacy laws aimed at protecting biometric data, defined as physiological and behavioral characteristics that identify an individual, for example, the fingerprints or the face. These laws require notification of the collection of the data, the purpose of its use, and safeguards, including disposal policies. Illinois is the most far-reaching with its Biometric Information Privacy Act (BIPA). Other examples include the Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington’s RCW Chapter 19.375, relating to biometric identifiers. The number of state laws addressing biometric data privacy is on the rise.
1.1.13 European Union General Data Protection Regulation
The European Union General Data Protection Regulation (GDPR) is a vast EU regulation that has been implemented at the national level in EU member states. It applies to all businesses processing or controlling personal data linked to EU residents. Its territorial scope is not limited to EU entities; rather, the focus is on whether the processing is within the scope of the GDPR. The GDPR is based on the principle of limitation – that data should be collected and stored for the minimal purposes necessary. The GDPR also covers data transfers outside of the EU, and requires equivalent protections for data. The EU publishes extensive guidance on GDPR compliance.
1.1.14 The Uniform Personal Data Protection Act
The Uniform Personal Data Protection Act was approved and recommended by the Uniform Law Commission in 2021. The Act has not yet been adopted by any state. Although bills to adopt the Act were introduced in the District of Columbia in 2021, and in Oklahoma in 2022, they have not yet been passed. A bill to adopt the Act was also introduced in Nebraska, but it was indefinitely postponed in April 2022.
The Act attempts to strike a balance between providing protection for personal information and minimizing the costs and burdens of compliance on businesses. It has been criticized for not doing enough to protect privacy. Despite the criticism, the Act may provide an alternative model to states not wanting to adopt broader protections, such as those in the California law.
1.2 Other significant state data security laws and regulations
Other state-level measures worth noting include comprehensive privacy laws and efforts to promote awareness of cybersecurity.
1.2.1 Data Security
Some states already have comprehensive data protection and privacy requirements, and these topics appear to be gaining momentum at state level.
The California Consumer Privacy Act of 2018 (CCPA) codified in Cal Civ Code section 1798.100, et seq was one of the first consumer data privacy laws in the US. It protects California residents from unauthorized disclosure of personal information. Covered companies are required to maintain security procedures and practices that are reasonable in light of the nature of the personal information.
The CCPA applies to companies with at least $25 million in global revenue per year, to be adjusted every odd-numbered year to reflect any increase in the Consumer Price Index; who deal in the personal information of at least 50,000 California residents annually; or who earn at least 50% of their annual revenue from selling California residents’ information.
The CCPA defines personal information broadly. It includes traditional data such as name, address, email, phone number, Social Security number, etc. It also includes information such as biometric data, internet activity, GPS data, and employment information. The CCPA requirements include notifying the resident about the collection of the information, maintaining a compliant company privacy policy, and deleting the resident’s information upon request.
The California Privacy Rights Act of 2020 (CPRA) expands the CCPA and came into effect on January 1, 2023. Among the most significant changes are that it imposes important obligations on third parties who handle personal information. They must do as follows:
- refrain from using personal data inconsistently with the use promised upon receipt of the data;
- provide consumers with notice of changes in data use and security practices; and
- provide consumers with notice of sales of personal information and give them the opportunity to opt out of the sale.
The California laws have received a great deal of attention, partly due to the large size of the California market for all types of goods and services.
Another comprehensive system of data protection and privacy requirements is found in the Massachusetts Data Privacy Regulations. They outline specific requirements for organizations to protect residents’ personal data. They apply to any business that deals with the personal information of Massachusetts residents. The regulations require a risk-based approach and each covered organization must implement a written information security program that is appropriate to the following:
- size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
- amount of resources available to such person;
- amount of stored data; and
- need for security and confidentiality of consumer and employee information.
In addition, several states - including Colorado, Connecticut, Delaware, Florida, Montana, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia - have recently passed comprehensive privacy laws. Further bills pending in Indiana will go into effect on January 1, 2026. There appears to be a strong trend for states to enact privacy legislation, so organizations should be diligent in monitoring those states where they conduct business.
1.2.2 Cybersecurity
Cybersecurity is also a growing focus of state legislation. In 2022, at least 40 states introduced or considered bills dealing significantly with the topic. Most require state entities to provide relevant training or develop procedures, while some also introduce incentives for broader workforce educational efforts.
1.3 Industry-specific requirements: financial services and payment processing sectors
Not surprisingly, cyberattackers target financial institutions, and as such, there is a large volume of security standards that apply to the financial sector. Indeed, as discussed below, finance and banking are some of the most heavily regulated business sectors.
1.3.1 FTC Safeguards Rule
In 2021, the FTC finalized amendments to the regulations for the Standards for Safeguarding Customer Information (Safeguards Rule). The Safeguards Rule requires covered financial institutions to engage in a detailed, written risk assessment process covering:
- evaluation and categorization of identified security risks or threats;
- assessment of confidentiality, integrity, and availability of customer information;
- adequacy of existing controls; and
- mitigation measures for identified risks.
The Safeguards Rule enumerates required safeguards, including those set out below:
- access controls for authorized users;
- data inventory and classification according to importance and risk strategy;
- encryption in transmission and storage;
- secure disposal procedures;
- monitoring;
- testing;
- incident response plan; and
- designation of a ‘qualified individual’ responsible for oversight and implementation of the program.
The FTC’s Safeguards Rule applies to non-banking financial institutions as well as to traditional types of banks. These include mortgage brokers, motor vehicle dealers, and payday lenders. It requires covered organizations to develop, implement, and maintain systems for protecting their customers’ personal information. According to the FTC’s announcement, under the new rule ‘institutions must also explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information.’
1.3.2 New York’s cybersecurity regulations for financial services
In 2017, the New York Department of Financial Services (DFS) Cybersecurity Regulation (23 NYCRR Part 500) established cybersecurity requirements for financial services companies. It covers all entities operating under New York’s Banking Law, Insurance Law, or Financial Services Law. It includes the following requirements for financial services companies:
- to establish a detailed security plan;
- to increase the monitoring of third-party vendors;
- to appoint a chief information security officer; and
- to report breaches to the Superintendent of the Department of Finance within 72 hours of discovery.
1.3.3 Payment Card Industry Data Security Standards (PCI-DSS)
Merchants, service providers, and financial institutions involved with credit and debit card transactions must observe the Payment Card Industry Data Security Standards (PCI-DSS). This is a set of security standards formed by major credit card companies to secure credit and debit card transactions against data theft and fraud. It is a requirement for any business involved with payment card transactions. In order to meet the minimum requirements, organizations must have the following data protections in place:
- firewalls;
- data transmission encryption; and
- antivirus software.
1.4 Industry-specific requirements: health care sector
As mentioned above, HIPAA protects individually identifiable health information known as PHI. The HIPAA Security Rule includes a variety of measures, such as proper disposal of electronic PHI (ePHI).
HIPAA also covers business associates of covered health care entities. For the purposes of HIPAA, a ‘business associate’ is a person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity, or that provides services to a covered entity. Business associate functions and activities include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.
The US Department of Health and Human Services (HHS) has guidance on HIPAA and cloud computing. Cloud services providers (CSP) involved in creating, receiving, maintaining, or transmitting ePHI must comply with HIPAA rules. This is true even if the data is encrypted and the CSP lacks the encryption key.
1.5 Industry-specific requirements: critical infrastructure companies
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require covered entities to report, to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), certain cyber incidents within 72 hours and ransomware payments in response to ransomware attacks within 24 hours. Enacted in March of 2022, the Act obliges the director of CISA to propose a rule establishing this requirement within two years. The rule will apply to ‘critical infrastructure companies’, which include entities engaged in sixteen sectors, such as communications, energy, financial services, and healthcare and public health.
Section 2 – Security control frameworks and templates
Security control frameworks set out an organization’s standards, guidelines, and best practices for managing risks. They aim to protect data and systems by minimizing security risks. Set out below are the basic components of these frameworks:
- statement of purpose and objectives;
- definition of scope of application;
- classifications of data and data use;
- controls in place;
- definition of authorities and access, including enforcement; and
- security training.
2.1 Control sets, standards, and templates for designing a data security program
There are many security control sets, standards, and templates available to assist in the design and implementation of a comprehensive data security program suited to your organization’s individual needs. While it is not likely that you will adopt a sample set, standard, or template in its entirety without alteration, they can nonetheless provide guidance for developing a program that fits your organization’s needs. For instance, the non-profit Center for Internet Security (CIS) publishes a prioritized list of Critical Security Controls to mitigate the most prevalent cyberattacks against systems and networks.
Additionally, the National Institute of Standards and Technology (NIST), a division of the US Department of Commerce, provides a library of standards and guidelines. It includes, for instance, SP 800-53 Security and Privacy Controls for Information Systems and Organizations. That publication describes itself as a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
NIST standard compliance is mandatory for all federal agencies and their contractors. NIST compliance is voluntary for private sector organizations that do not contract with the federal government. NIST has also issued a Cybersecurity Framework, a voluntary system of standards, guidelines, and best practices for managing cybersecurity risk.
The International Organization for Standardization (ISO) is an independent non-governmental organization. It publishes information security standards, such as ISO/IEC 27001 on information security management systems (ISMS), which includes all legal, physical, and technical controls involved in information risk management. Its goal is to ‘provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving’ an organization’s ISMS.
Additionally, the Securities and Exchange Commission's (SEC) Division of Examinations has issued observations on how to enhance cybersecurity preparedness and operational resiliency for publicly traded companies.
2.2 Examples of measures and controls
Security measures and controls currently in use include a variety of tools for ensuring the security of systems and data. Some prominent examples follow.
- Experian – after experiencing massive breaches of personal data, including personal data on 15 million consumers over a two-year period in 2013 – 2015, this provider of consumer credit reports implemented elaborate security requirements and best practices for its users. For instance, the measures include detailed requirements and recommendations for web access control and internet security, including the appointment of designated security officers, password security, and best practices. Experian keeps data on 1.3 billion people and 166 million businesses.
- Yahoo – this provider of websites, apps, and advertising uses a variety of data security measures, multi-factor verification and on-demand passwords. Yahoo also ensures that it has confidentiality agreements in place with third-party partners and vendors with whom it shares personal data. Finally, it has a company-wide security education and training program. These measures follow on from lessons learned after a series of massive data breaches that affected at least 1.5 billion users.
- Amazon Web Services (AWS) – this global cloud platform includes elaborate controls to secure both physical and digital access such as access review, logging, and monitoring, as well as ongoing risk assessments, and third-party security certifications. It also uses NIST 800-88 guidelines for media sanitization to securely decommission media storage devices that hold customer data. AWS has suffered breaches over the years that have exposed the personally identifying information of millions of people, generally because of mistakes made by its client businesses.
Section 3 – Cybersecurity and managing your organization's data security risk
Your organization’s data security program will depend on its unique characteristics such as size, location, and industry sector, as well as the type and amount of data handled. However, several technical key concepts are common to basic data security measures.
3.1 Common cyberthreats
Cyberthreats come from a variety of sources. For instance, two prominent internal threats are the following:
- social engineering – deception by an outsider of someone inside the organization in order to obtain the organization’s private information; and
- data sharing outside the organization – unauthorized sharing of confidential information by an organization insider with an outsider.
The following are the most common external threats:
- hacking – gaining unauthorized access to data in a system or computer; and
- malware (ie, malicious software) – intrusive software designed to damage and destroy systems and computers.
Catalogs of common threats are available online, for example, the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Matrix for Enterprise, which lays out common malicious techniques and methods of attacking systems and data.
3.2 Common cybersecurity solutions
There are a number of measures your organization can take to protect data and systems from malicious cyberattackers. A few of the most prominent are listed below.
- Transport Layer Security (TLS) – a protocol (ie, a set of rules for formatting and processing data) developed by the Internet Engineering Task Force (IETF) that encrypts communication between web applications and servers, as well as email, messaging, and Voice over Internet Protocol (VoIP) communications.
- Multi-factor authentication – a second or even third step to sign-ins, often using an external communication method such as a text message sent to a telephone when attempting to sign into an email account.
- Public key infrastructure (PKI) – a digital certificate to cryptographically prove a user’s or device’s identity even more securely than password-based or multi-factor authentication.
- Least privilege – a principle of access, by which all access is restricted to the minimum that is needed.
The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security (DHS) publishes guidance on basic measures to help reduce the likelihood of a damaging cyber intrusion.
3.3 Preventative practices and building resiliency
Crisis preparedness is an important aspect of data security. This should include defensive measures such as creating backups of data. Backups mitigate the risk of unintended data loss or destruction.
Additionally, cyber insurance can help to protect your organization from losses resulting from a breach. Cyber insurance generally covers your organization’s liability and losses for a data breach. This can include helping with the costs of notifying customers, restoring identity protections, recovering compromised data, and repairing damaged systems. The FTC publishes guidance on cyber insurance, which includes coverage recommendations.
Another preventative measure would consist of implementing a Vulnerability Disclosure Program (VDP). A VDP is a program designed to enable researchers outside your organization to safely report security flaws in your IT systems back to the organization so that remedial action can be taken to negate the vulnerability. It can be an important component of your organization’s cybersecurity program. Many large corporations and federal agencies have implemented VDPs, including Nestle Global, CVS Health, Pacific Gas & Electric Company, Capital One Financial Corporation, US Department of Defense, and the US Department of Commerce. See How-to guide: How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity.
3.4 Basic tools for building data security
Use several foundational tools to build data security in any organization.
3.4.1 Assess data security risks
Carry out data security risk assessments to understand the type and size of the cyber risks your organization faces. The assessment process includes identifying its most important and its most vulnerable systems and data, critical obligations (whether legal or contractual), and determining how to protect them. Standards to guide the assessment include ISO/IEC 27001 and NIST SP 800-37. Additionally, required assessment steps are included in laws such as HIPAA and SOX and standards such as PCI-DSS.
3.4.2 Implement, maintain, and secure audit logs
Set up your organization’s software and systems to generate audit logs. These logs enable the examination of normal and abnormal events. They should capture all activity that potentially implicates security, such as access (including attempts) and activity by users. Many standards and legal requirements cover audit logging. Examples include PCI-DSS Requirement 10, and HIPAA rules 45 CFR sections 164.308(a)(1)(ii)(D) and 164.312(b). The logs themselves are attractive to attackers, so it is important to implement strong security around the logs just like other sensitive data.
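As an added illustration that is not part of this guide, the following Python example shows one way to make an audit log tamper-evident: each access event (successes and failed attempts alike) is chained to the previous entry with an HMAC, so that a later edit or deletion of an entry is detected on verification. The key, the event fields and the sample events are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key for the example only. In practice the key would be held
# in a KMS or HSM, not stored alongside the log it protects.
LOG_KEY = b"example-audit-log-key-not-for-production"

# Sentinel "previous MAC" for the first entry in a chain.
GENESIS = "0" * 64


def _entry_mac(prev_mac: str, record: dict) -> str:
    """MAC over the previous entry's MAC plus this record (canonical JSON)."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_event(chain: list, actor: str, action: str, resource: str,
                 outcome: str, ts: str = None) -> dict:
    """Append one access event; failed attempts are recorded like successes."""
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "resource": resource,
        "outcome": outcome,
    }
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"record": record, "mac": _entry_mac(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if every entry chains correctly, else (False, index)
    of the first entry whose MAC does not match its content and predecessor."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _entry_mac(prev, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, -1


def failed_logins(chain: list) -> list:
    """Records of unsuccessful login attempts, the kind of event
    an audit log must capture, not just successful access."""
    return [e["record"] for e in chain
            if e["record"]["action"] == "login" and e["record"]["outcome"] == "failure"]


def build_sample_chain() -> list:
    """Constructed sample events (not real data) with fixed timestamps."""
    events = [
        ("alice", "login", "portal", "success"),
        ("alice", "read", "patient/1042", "success"),
        ("mallory", "login", "portal", "failure"),
        ("mallory", "login", "portal", "failure"),
        ("mallory", "login", "portal", "failure"),
        ("bob", "export", "patient/*", "success"),
    ]
    chain = []
    for n, (actor, action, resource, outcome) in enumerate(events):
        append_event(chain, actor, action, resource, outcome,
                     ts=f"2024-01-01T00:00:{n:02d}+00:00")
    return chain


def tamper_outcome(chain: list, index: int, new_outcome: str) -> list:
    """Copy of the chain with one record's outcome rewritten (simulated edit)."""
    forged = json.loads(json.dumps(chain))
    forged[index]["record"]["outcome"] = new_outcome
    return forged


def drop_entry(chain: list, index: int) -> list:
    """Copy of the chain with one entry removed (simulated deletion)."""
    forged = json.loads(json.dumps(chain))
    del forged[index]
    return forged


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain), "failed logins:", len(failed_logins(chain)))
    print("edited entry:", verify_chain(tamper_outcome(chain, 2, "success")))
    print("deleted middle entry:", verify_chain(drop_entry(chain, 3)))
    # Removing the newest entry is not caught by the chain alone; the latest
    # MAC or entry count must also be anchored somewhere the log writer cannot change.
    print("deleted last entry:", verify_chain(drop_entry(chain, 5)))
```

The last case shows why chaining alone is not enough: truncation of the tail is only detectable if the most recent MAC (or the entry count) is regularly recorded in a location separate from the log itself.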
3.4.3 Implement an information security policy
A basic information security policy includes rules for how employees of an organization must manage, protect, and distribute information. It should specify what information is to be protected from anticipated threats and how to protect it. Various templates are available to help with designing the policies. For instance, the Office of the National Coordinator for Health Information Technology (ONC) has developed an information security policy template for certain health care management settings and medical practices. Additionally, many states offer templates for their own governmental agencies to modify and adapt. A few examples include Virginia, Oregon, and Texas. These templates can be useful guides for private organizations as well.
3.4.4 Educate staff on information security
Staff should be aware of information security policies. Having staff sign acknowledgements of the policies is just one part. Information security training helps to ensure that everyone in the organization understands the organization’s procedures and mechanisms for protecting data. Multiple laws and standards require data security training for staff. Examples include the FTC Safeguards Rule at 16 CFR section 314.4; the HIPAA Privacy Rule at 45 CFR section 164.530(b)(1); the HIPAA Security Rule at 45 CFR section 164.308(a)(5); PCI-DSS Requirement 12.6; and the American Bar Association (ABA) Standing Committee on Ethics and Professional Responsibility’s Formal Opinion 477R, ‘Securing Communication of Protected Client Information.’
3.4.5 Manage vendor, service provider, and supply chain risks
Your organization should take inventory of the third parties with whom it shares data. It should assess the risks involved, and review third-party data security controls. Various tools are available to aid in this investigation and ensure compliance with legal requirements. For example, your organization could require third parties with whom it does business to obtain System and Organization Controls (SOC) certification for cybersecurity. This is a voluntary compliance standard developed by the American Institute of Certified Public Accountants (AICPA). Additionally, specific legal requirements may apply directly to the third party for particularly sensitive data, such as using CSPs to store ePHI.
For further information, see also How-to guide: How to manage third party supply chain data privacy, security risks and liability.
Section 4 – Data security and corporate governance
Data security concerns corporate governance responsibility. This includes corporate disclosures to regulators attesting to compliance with legal requirements. Additionally, due diligence in mergers and acquisitions (M&A) concerns data security obligations and issues. Bankruptcy sales also implicate corporate data security obligations.
4.1 Board and management role in data security
Data security requires the active participation of CEOs and boards of directors. As cyber risks are constant and rapidly evolving, boards need to take a dynamic approach to oversight and management. For instance, the Sarbanes-Oxley Act (SOX) requires public companies to implement appropriate information security controls for financial information. The SOX compliance reports signed by CEOs declare that the organization’s ‘internal controls’ are legally compliant.
Additionally, the SEC has adopted rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. These require reporting and updates about material cybersecurity incidents and risk management policies and procedures, among other requirements. The SEC has also published guidance on how public companies should prepare disclosures about cybersecurity risks and incidents.
Boards are developing new structures for overseeing cyber risks, and it is worth exploring some of these new structures to see how well they will work for your organization. For instance, an audit committee or a nomination and governance committee may take over responsibility for monitoring cyber risk, or a special cyber risk or technology subcommittee could take on the task. The FTC recommends that the board of directors hold regular security briefings, among other measures.
4.2 Data security issues in mergers and acquisitions (M&A) and bankruptcy sales
M&A transactions may trigger data security issues that can hamper a successful transaction. Due diligence for both stock and asset deals includes investigating the kinds of data collected by the target, especially if it is sensitive data subject to legal protections or transfer restrictions. Due diligence should also include, at a minimum, careful examination of the target’s data security practices and compliance. One example of a merger transaction where insufficient due diligence was conducted involved the acquisition of Starwood hotels by Marriott International. Although the transaction occurred in 2016, there was evidence that the Starwood reservation system had been breached as early as 2014. It wasn’t until 2018 that it was finally revealed by Marriott International that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests.
Similar issues can apply to an asset sale in bankruptcy. Bankruptcy sales present special risks, however, since transfers of personal data to anyone, including to a buyer, could violate the organization’s published privacy policy. This could in turn amount to a deceptive trade practice in violation of the FTC Act. Sections 332 and 363(b) of the US Bankruptcy Code seek to avoid this type of situation by providing for appointment of a consumer privacy ombudsman (CPO) by the bankruptcy trustee. A CPO protects the privacy interests of an organization’s customers during a bankruptcy sale.
Additional Resources
Federal Communications Commission, Cybersecurity for Small Businesses
National Initiative for Cybersecurity Careers and Studies, Cybersecurity Resources
NIST Information Technology Laboratory, Computer Security Resource Center
Related Lexology Pro content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to implement privacy by design within your organization
How to develop, implement, and maintain a US privacy law compliance program
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Completing a data privacy risk assessment
Drafting internal privacy policies and procedures
Completing a data and information security risk assessment
Drafting a consumer privacy policy
Developing key privacy and data security contractual terms and provisions (B2C)
Privacy and data security law training
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A
Quick views:
Key data privacy and data security terms
Collection and use of non-consumer data
Regulation of data brokers