Important: US law is highly fragmented (federal + 50 states). This overview is not legal advice. Confirm every obligation with US counsel, especially for HIPAA, GLBA, defense contracts, and securities regulation.

1. All businesses (baseline)

Any US organization that handles personal data faces a mix of federal sector laws (if applicable), FTC expectations, and a growing patchwork of state privacy laws.

Framework: what it requires (summary)

FTC Act (Section 5): Prohibits unfair or deceptive practices. Poor security or misleading privacy claims can trigger enforcement.

FTC Safeguards Rule (under GLBA; applies to many financial institutions): Written information security program, risk assessments, access controls, encryption where appropriate, incident response, a designated qualified individual, and periodic reporting to the board.

State comprehensive privacy laws: California CPRA (amends CCPA), Virginia, Colorado, Connecticut, Utah, and additional states: consumer rights (access, delete, opt out of sale/sharing), contracts with processors, DPIAs in some states, and breach notification timelines.

State data breach notification laws: All states require notification to individuals, and often to attorneys general, after certain security incidents involving personal information.

SHIELD Act (New York): Requires reasonable safeguards for private information of NY residents and expands breach notification.

Example risk scenario: A mid-size manufacturer stores employee SSNs without encryption. A laptop theft triggers notification to multiple state AGs, a class action under state law, and an FTC inquiry after customers complain about misleading “bank-grade security” marketing.

2. Healthcare and HIPAA

HIPAA (Health Insurance Portability and Accountability Act) and HITECH govern covered entities (providers, plans, clearinghouses) and business associates that handle PHI. The Security Rule requires administrative, physical, and technical safeguards; the Breach Notification Rule sets timelines for HHS and individual notice.

OCR (Office for Civil Rights) enforces penalties that can reach millions for willful neglect.

Example risk scenario: A clinic’s vendor exposes a patient portal API. OCR investigates, issues a corrective action plan, fines apply, and malpractice insurers raise rates.

3. Financial services

GLBA (Gramm-Leach-Bliley Act): Privacy notices and safeguards for non-public personal information held by financial institutions.

SEC (Securities and Exchange Commission): Registered entities face cybersecurity risk management rules and disclosure obligations for material incidents (e.g. Form 8-K Item 1.05 for public companies under SEC rules in effect from 2023).

NYDFS Part 500: If you are a covered financial institution under New York law, cybersecurity program requirements include CISO reporting, penetration testing, and incident notification.

FFIEC guidance: Examination expectations for banks and credit unions on authentication, resilience, and vendor risk.

Example risk scenario: A registered investment adviser fails to implement MFA on email. A BEC wire fraud loss leads to SEC enforcement, client arbitration, and exclusion from cyber coverage for social engineering sublimits.

4. Law firms

ABA Model Rules (adopted in substance by many states) require competence with technology, confidentiality, and reasonable safeguards. State bars may mandate breach notification to clients. Malpractice carriers increasingly audit encryption, MFA, and email fraud controls.

Example risk scenario: A firm’s email is spoofed to redirect settlement funds. Clients sue; the bar association opens an ethics investigation; insurance covers only part of the loss due to a social engineering exclusion.

5. Retail, e-commerce, and PCI

PCI DSS is contractual, imposed through card brands and acquirers rather than by federal statute, but non-compliance can mean loss of card processing, assessments (fines), and liability for resulting fraud. State privacy laws still apply to customer PII.

Example risk scenario: An e-commerce site stores CVV data against PCI rules. After a breach, the acquirer terminates the merchant account and assesses six-figure penalties.

6. Public companies and SOX

SOX (Sarbanes-Oxley) requires internal controls over financial reporting. IT general controls (access, change management, logging) are in scope for audits. SEC cyber disclosure rules require timely reporting of material cybersecurity incidents for registrants.

Example risk scenario: A ransomware event delays quarterly reporting. The company files a late 10-Q; shareholders allege securities fraud over delayed disclosure; auditors expand ITGC testing fees.

7. Defense and federal contractors (CMMC)

The DFARS clause 252.204-7012 and the CMMC program require protection of CUI (controlled unclassified information) and alignment with NIST SP 800-171. Primes flow requirements down to subcontractors.

Example risk scenario: A machine shop mishandles CUI on a personal Dropbox. The prime contractor terminates the relationship; the shop is debarred from future awards until remediation is certified.

8. Technology and SaaS

B2B contracts often require a SOC 2 Type II report, penetration tests, and a subprocessor list. The FTC has pursued vendors for deceptive security claims. AI products may face future federal or state AI transparency duties (the landscape is evolving in 2025–2026).

Example risk scenario: A vendor claims “zero data retention” while logs retain payloads. California AG investigates under unfair competition law; enterprise customers churn and withhold payments.

9. Charities and nonprofits

501(c)(3) organizations must protect donor PII under state charity regulations and state privacy laws. Payment card and website tracking technologies can create unexpected “sale” or “sharing” issues under CPRA.

Example risk scenario: A nonprofit’s donor list is scraped after a weak admin password. Donors file complaints; the state attorney general’s charity division requests corrective action.

Cyber insurance (United States)

US underwriters mirror global standards: MFA everywhere, EDR, immutable backups, separation of duties, and tabletop exercises. War clauses and systemic risk exclusions have tightened; read policies with your broker and counsel.

Canadian readers: compare with “Regulatory and compliance requirements in Canada, by industry” for PIPEDA, provincial laws, Bill C-26, and Bill C-27.

US-ready security without building a second IT team

Hexafusion helps Canadian and cross-border teams meet insurer and customer security questionnaires aligned with NIST, CIS, and common US contract clauses.
