October 02, 2023
As more of our personal and private information is stored and transmitted online, data privacy has become a major concern for individuals and businesses alike. In the United States, there have been numerous attempts to establish comprehensive data privacy legislation, but progress has been slow and often contentious.
In this blog post, we’ll take a closer look at the current state of data privacy legislation in the United States and what it means for you and your company.
Data privacy refers to the protection of an individual’s personal information from unauthorized access or misuse. It involves ensuring that data is collected, processed, and stored in a way that respects individuals’ rights and prevents the data from falling into the wrong hands. This can include sensitive information such as financial data, health records, and personal identifiers like Social Security numbers.
With the rise of cloud data storage, the IoT, and the dominance of social media, individuals recognized the potential risks associated with sharing personal data online. High-profile data breaches and unauthorized data access incidents also contributed to growing concerns about the privacy and security of personal information.
As awareness of data privacy rights and concerns has grown, governments around the world have responded by introducing legislation governing the use, storage, and transmission of personal and private data. Many individuals and organizations also advocated for greater transparency, accountability, and protection of personal data.
Through these efforts, the first pieces of data privacy legislation were introduced.
Below are some of the major pieces of privacy legislation that have been introduced in the United States over the years.
The Privacy Act of 1974 is a federal law that aims to protect individuals’ privacy rights by regulating the collection, use, and disclosure of personal information by federal agencies. It ensures that people are informed about the information collected by the government and have the right to access and correct it if needed. Additionally, the Privacy Act establishes guidelines for federal agencies to use and share personal information while imposing penalties for any unauthorized disclosure.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that aims to safeguard individuals’ medical records and personal health information from unauthorized disclosure. HIPAA sets national standards to regulate the handling of personal health information by healthcare providers, insurance companies, and other entities. Furthermore, the law grants individuals the right to manage and access their medical information, and violations of its provisions are subject to penalties.
Financial institutions are required by federal law to safeguard their customers’ personal financial information under the Gramm-Leach-Bliley Act (GLBA). This act includes provisions for protecting information, providing privacy notices, and allowing customers to opt out of information sharing. GLBA applies to banks, credit unions, and other financial institutions, and non-compliance can have serious consequences, including fines and legal action.
To safeguard the privacy and personal data of children under the age of 13 who use the internet, the federal government enacted the Children’s Online Privacy Protection Act (COPPA). Websites and online services must obtain parental consent before collecting any personal information from children, which includes details like name, address, phone number, and email address. Additionally, companies must provide a clear explanation of their data collection practices and offer parents the ability to review and delete their child’s personal information.
The General Data Protection Regulation (GDPR) is a regulation in the European Union that gives individuals greater control over their personal data. Businesses are required to obtain explicit consent before collecting and processing personal data, to give individuals access to their data, and to honor requests for its deletion. Additionally, it imposes severe penalties for non-compliance.
The GDPR is considered one of the strongest pieces of data privacy legislation in the world today. It’s changed the landscape of data protection in the United States for two different reasons.
Firstly, companies that are not based in the EU but interact with EU citizens are also required to comply with GDPR standards. Secondly, it has changed the way modern data privacy legislation is written in the United States. Where most earlier laws covered specific industries, new legislation being passed at the state level is industry agnostic and focuses on the need for individuals’ data to be protected regardless of what type of business obtains and stores it.
This has meant that even more businesses, especially smaller businesses in previously low-risk industries, are being required to comply with stringent data protection requirements.
There are now wide-ranging data privacy laws in twelve different US states, including:
There’s also some new proposed federal legislation, including the Consumer Online Privacy Rights Act (COPRA) and the Information Transparency and Personal Data Control Act.
Modern data privacy laws in the United States have requirements that fall into two main categories: consumer protections and business obligations.
Through these laws, consumers are granted the right to access their information, correct it, and have it deleted. They are also granted the right to opt out of data being processed in the first place, or transported from one place to another.
On the other hand, businesses are obligated to:
The other element of data privacy legislation is data breach notification and remediation requirements. These can require businesses to:
The effects of a data breach on your company can be far-reaching and damage your long-term business outlook. Fortunately, there are things you can do to stay in compliance with data privacy laws and protect your clients’ data and your business from damaging attacks.
So far, data privacy legislation has deliberately avoided requiring specific cybersecurity tools in order to remain compliant; instead, it has called for risk-assessment-based recommendations for keeping your clients and business secure.
In many cases, robust security tools implemented comprehensively can help you meet compliance regardless of your risk profile.
For example, official GDPR guidance recommends that companies assessed as high-risk implement some form of two-factor authentication. Similarly, HIPAA requires that healthcare organizations have secure authentication practices in place, and official guidelines say that, depending on your risk assessment, MFA is the recommended way to meet that requirement.
More stringent are the updated GLBA standards, which do require MFA on all accounts that have access to customer data. The updated GLBA requirements could be a sign of changing thinking around how essential MFA is to secure authentication.
It is likely that, like GLBA, more privacy legislation will come to require more than one authentication factor for accounts with access to customer information.
As data privacy laws expand to more jurisdictions and industries, it is important for businesses to be aware of the rules and regulations around the storage, transportation, and processing of private data.
Avoiding data breaches — which come with costly repercussions — through improved security tooling and awareness is a critical step that businesses can take to protect consumers and businesses alike.