Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

In recent years the United States has been a leader in the global data privacy and security regulatory arena. Privacy and data security mandates are promulgated at federal, state and local levels by legislators, regulators and courts. In addition to relevant treaties, constitutions, statutes, regulations and court decisions, the US privacy and security landscape is marked by self-regulatory codes, policies and contractual obligations. The information privacy practices of businesses and other organisations are driven not only by applicable rules, but also by the impending threat of civil litigation (particularly class action lawsuits), regulatory pressures and the reputational risk associated with potential data privacy and security infractions. 

Recently the focus of US privacy law has shifted from restraining the government's access to personal information and protecting against harmful uses of such information to restricting private sector uses of information, including those that do not necessarily result in a risk of harm to individuals. US data security laws in particular have seen explosive growth, primarily resulting from the establishment of breach notification laws following the enactment of California’s breach law in 2003. US breach notification laws have influenced the development of data security laws outside the United States significantly, particularly in Europe where aggressive breach notification requirements have been incorporated into the General Data Protection Regulation (GDPR), which is due to take effect in May 2018. Even before the promulgation of the GDPR’s breach notification requirements, a number of EU member states established their own notification obligations which closely mirrored the related US notice requirements.

Are any changes to existing data protection legislation proposed or expected in the near future?

The data privacy and security legal and regulatory landscape in the United States is constantly evolving as advancements in technology and the ever-changing cybersecurity threat landscape have led to the proliferation of new legislation and proposed amendments to existing US sectoral and state privacy and data security laws and regulations. This trend has shown no signs of abating. Although the United States does not have an omnibus federal data protection law like its European counterparts, numerous bills have been introduced (such as those concerning federal breach notification requirements) which would serve to regulate data privacy and security matters comprehensively across industry sectors at a federal level. 

The state breach notification and data security laws are regularly amended to address the emerging threat landscape, cover a broader set of data and impose more aggressive timing and regulatory notification requirements. Aside from new or amended legislation, various federal regulators (including the Federal Trade Commission, Federal Communications Commission, Securities and Exchange Commission, Consumer Financial Protection Bureau and Department of Health and Human Services) routinely introduce new regulations, rules and policy statements that further define and refine data privacy and security obligations in the United States. 

Electronic Communications Privacy Act reform has also been high on the federal legislative agenda in 2017. In February, the House of Representatives passed the Email Privacy Act, which would eliminate the Electronic Communications Privacy Act’s 180-day rule, under which communications providers can be compelled by subpoena or court order, without a warrant, to disclose emails and text messages older than 180 days. In July, three Electronic Communications Privacy Act reform bills were introduced in the Senate:

  • the Email Privacy Act, which, like its House counterpart, would require a warrant for law enforcement agencies to access consumer communications regardless of how long they have been in storage;
  • the Electronic Communications Privacy Act Modernisation Act, which would likewise include a warrant requirement for stored communications and allow communications companies to notify users about government requests for such communications; and
  • the International Communications Privacy Act, which would affect law enforcement’s access to data stored overseas.

While various government and industry leaders have long called for reform, experts say that such reform is unlikely to happen quickly.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

A patchwork of privacy and data security laws at federal and state levels comprises the legislative framework for the protection of personal information in the United States. While the United States does not have a comprehensive federal data protection law, regulations are promulgated primarily at the industry sector and state levels. Key data privacy and security requirements are contained in myriad sector-specific federal laws, including:

  • Title V of the Gramm-Leach-Bliley Act, which establishes privacy and security requirements for financial institutions;
  • the Health Insurance Portability and Accountability Act of 1996, which imposes privacy and security obligations on health plans, healthcare clearinghouses and healthcare providers (collectively ‘covered entities’) via the Privacy and Security Rules;
  • Section 5 of the Federal Trade Commission (FTC) Act, which prohibits “unfair and deceptive acts or practices in or affecting commerce” and has been used by the FTC to bring enforcement actions in the data privacy and security context;
  • the Electronic Communications Privacy Act, which applies to electronic communications;
  • the Computer Fraud and Abuse Act, which protects against computer crimes;
  • the Children’s Online Privacy Protection Act, which regulates the online collection of personal data from children under 13;
  • the Family Educational Rights and Privacy Act, which applies to educational records; and
  • the Fair Credit Reporting Act, which covers the use of consumer reports.

Outside of the specific regulatory contexts, limits on information collection, use and sharing in the United States generally are self-imposed through a company’s privacy policy. Compliance with representations made in privacy policies is subject to consumer protection law at state and federal levels. The FTC has brought numerous enforcement actions against companies under the deception prong of Section 5 of the FTC Act in connection with those representations. 

At state level, many states have enacted privacy and data breach notification laws, and some states have enacted information security legislation designed to regulate the safeguarding of personal information maintained by organisations and their service providers. 

Scope and jurisdiction

Who falls within the scope of the legislation?

Because there is no comprehensive federal privacy or data protection legislation in the United States, the applicability of the different federal and state laws and regulations varies. In general, at federal level, the scope and applicability of privacy and data protection requirements vary by industry sector. At state level, privacy and data protection laws typically apply to organisations that maintain certain categories of personal information about residents of the relevant state, meaning that a business may be subject to a state’s privacy or data protection law if it maintains data about a resident of that state, even if it does not otherwise operate in or have a physical presence in that state.

What kind of data falls within the scope of the legislation?

The varying patchwork of federal and state laws and regulations typically applies to personal information, and its definition varies based on the underlying law or regulation. There is no uniform definition of ‘personal information’ applied across the various regulatory regimes. From a security breach law perspective, for example, many of the state breach notification laws define personal information to include an individual’s first name, or first initial and last name, in combination with:

  • a social security number;
  • a driving licence or state identification card number; or
  • an account number, credit or debit card number with any required security code, access code or password that would permit access to the individual’s financial account. 

Other state breach laws also include additional data elements in their definition of personal information, such as an email address or username in combination with a password or security question and answer that would permit access to an online account, or medical or biometric data. Regulation S-P, which sets forth privacy and security requirements for financial institutions, defines ‘personally identifiable financial information’ as information:

  • provided by a consumer to obtain a financial product or service;
  • about a consumer resulting from a financial transaction; or
  • about a consumer that the financial institution otherwise obtains in connection with providing a financial product or service. 

The Health Insurance Portability and Accountability Act Privacy Rule and Security Rule, on the other hand, apply to protected health information,  which is information created or collected by a covered entity about physical or mental health or condition, the provision of healthcare or payment for healthcare that can be linked to a specific individual.

Are data owners required to register with the relevant authority before processing data?

There is no registration requirement with respect to the processing of data.

Is information regarding registered data owners publicly available?

This question generally is not applicable in this jurisdiction. Certain industry certifications and frameworks maintain a published list of entities that have registered for relevant programmes. One example is the EU-US and Swiss-US Privacy Shield Frameworks, which were designed by the US Department of Commerce and the European Commission and Swiss Administration to provide companies in the United States and Europe with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. A list of participating companies is available at https://www.privacyshield.gov/list.

Is there a requirement to appoint a data protection officer?

There is no explicit requirement to appoint a data protection officer. However, pursuant to the Health Insurance Portability and Accountability Act, covered entities (eg, certain health plans, healthcare providers and healthcare clearinghouses) must designate:

  • a privacy official to oversee the development of privacy policies and procedures; and
  • a security official responsible for developing and implementing security policies and procedures. 

Additionally, state laws may require organisations to appoint information security personnel. For example, Massachusetts law requires organisations that own or license personal data about Massachusetts residents to maintain a comprehensive information security programme, including one or more employees designated to maintain the programme. The New York State Department of Financial Services Cybersecurity Regulation, effective March 1 2017, similarly requires financial institutions in that state to designate a chief information security officer responsible for overseeing and implementing the institution’s cybersecurity programme and enforcing its cybersecurity policy.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The United States has no single regulatory authority dedicated to overseeing data protection law. At a federal level, because different privacy and data protection requirements apply to different industry sectors, the industry-specific regulatory authorities typically are responsible for enforcing the relevant regulatory requirements. The FTC is the primary federal regulator in the United States that enforces privacy and data security requirements. It has used its authority under Section 5 of the FTC Act to bring broad-sweeping privacy and data security enforcement actions against entities whose information practices have been deemed deceptive or unfair. In the healthcare sector, the Health Insurance Portability and Accountability Act (including its relevant privacy and data security regulations) is enforced by the Department of Health and Human Services’ Office for Civil Rights. At state level, attorneys general or other consumer protection authorities may enforce state privacy and data security laws. In general, relevant regulatory authorities are empowered to investigate and seek civil penalties for violations of state and federal privacy and data protection laws. The combined threat of regulatory enforcement actions, significant fines and litigation is an effective enforcement mechanism, raising the costs to companies of non-compliance with applicable US privacy and data security obligations.            

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Requirements for the collection, storage and processing of data vary across the different state and federal privacy laws.  As a general matter, data must be processed in accordance with the terms of representations the organisation has made to consumers (eg, in a privacy policy) in order to avoid a deceptive practice under Section 5 of the Federal Trade Commission (FTC) Act. Regarding healthcare, using individuals’ health information for marketing purposes under the Health Insurance Portability and Accountability Act generally requires authorisation from the individual.  

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Privacy laws in the United States typically do not restrict an organisation’s ability to retain the personal information it holds. However, thousands of records retention laws at federal and state level impose specific obligations on organisations with respect to the retention of certain types of records. Many of these records retention laws apply to records that contain individuals’ personal information.

Do individuals have a right to access personal information about them that is held by an organisation?

In general, individuals do not have a right to request access to personal information about them that is held by an organisation, subject to a few exceptions. 

The Children’s Online Privacy Protection Act, for example, provides for certain data access rights, requiring entities to enable parents to review personal information collected online from children. Additionally, under the Health Insurance Portability and Accountability Act, a data subject has a right to request access to and the amendment of his or her protected health information held by a covered entity. The Fair Credit Reporting Act similarly provides a right of access for information about an individual that is held in the files of a consumer reporting agency. Another example at state level is California’s Shine the Light Law, which requires businesses that disclose consumer personal information to third parties for direct marketing purposes to, on request, provide consumers with information about the categories of personal information disclosed for such purposes and information about how to opt out of such disclosures at no cost to the consumer.

Do individuals have a right to request deletion of their data?

Under state and federal law, individuals generally do not have an express right to request the deletion of their personal information, with some exceptions. With respect to minors, for example, the Children’s Online Privacy Protection Act permits parents to request the deletion of data regarding their children under 13 years old. California also passed a law (Cal Bus and Prof Code 22580-81) that requires website operators to honour requests made by minors who are registered users to remove content that the minor posted on the site; however, this does not require the website operator to delete such data from its systems. Aside from the child privacy laws, the Fair Credit Reporting Act and similar state laws offer individuals a right to dispute inaccurate or incomplete information in the files of a consumer reporting agency.  

Consent obligations

Is consent required before processing personal data?

There is no general, broadly applicable requirement in the United States to obtain data subjects’ consent before processing personal data. However, certain federal laws do impose consent requirements for the disclosure of certain types of personal information. For example, the Children’s Online Privacy Protection Act requires operators of websites directed at children to obtain verifiable parental consent before collecting the personal information of children under 13. The Gramm-Leach-Bliley Act requires an annual notice of a financial institution’s information sharing practices and the ability for a customer to opt out of certain disclosures, as well as a reasonable means for the customer to opt out of those disclosures. The Health Insurance Portability and Accountability Act similarly requires a data subject’s authorisation for certain disclosures of protected health information. 

In guidance documents and reports (eg, “Self-Regulatory Principles for Online Behavioral Advertising” and “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”), the FTC has stated that companies should obtain affirmative express consent before collecting and using certain sensitive personal information, including:

  • children’s data;
  • financial and health information;
  • social security numbers; and
  • geolocation data.  

If consent is not provided, are there other circumstances in which data processing is permitted?

As mentioned above, there is no overarching requirement in the United States to obtain consent before the processing of personal information. Accordingly, the absence of consent typically does not restrict data processing activities, as long as such activities do not violate representations made to relevant data subjects (eg, in privacy policies).

What information must be provided to individuals when personal data is collected?

Various federal and state laws require organisations that collect personal data to provide notice of their information privacy practices to relevant individuals. For example, at a federal level, financial institutions subject to the Gramm-Leach-Bliley Act must abide by the Privacy of Consumer Financial Information Rule (also known as the FTC’s Privacy Rule), which requires financial institutions to provide notice to customers about information sharing practices and how the customer may exercise his or her right to opt out of having personal information shared with non-affiliated third parties. The Children’s Online Privacy Protection Act similarly requires organisations that collect personal information online from children under 13 to post a privacy policy describing:

  • the organisation’s practices for handling children’s personal data; and
  • the information handling practices of any third parties which collect children’s personal data on the operator’s website or online service. 

Health Insurance Portability and Accountability Act covered entities also must provide written notice of privacy practices pursuant to the Privacy Rule. 

At state level, three states (California, Delaware and Nevada) have enacted legislation requiring website operators to post a public privacy notice. Organisations which collect personal information online from California residents must comply with the California Online Privacy Protection Act, which requires organisations to provide a privacy notice detailing, among other things, the types of personal data the organisation collects and how it is used. The Delaware Online and Privacy Protection Act also requires operators of commercial internet services to provide notice to users of personal data collection practices. In July 2017 Nevada became the third state to enact an online privacy policy law; however, the Nevada law is narrower than those of California and Delaware as it limits its jurisdictional application to entities that purposefully direct or conduct activities in Nevada, or consummate some transaction with the state or one of its residents. Nevada’s online privacy policy law is set to take effect on October 1 2017.

In general, if an organisation fails to collect or use personal data in a manner consistent with the representations in its privacy notice, the FTC may exercise its Section 5 enforcement authority to bring an action for unfair or deceptive practices.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Sector-specific laws impose information safeguarding requirements on covered entities in certain industry sectors. For example, the Gramm-Leach-Bliley Act requires financial institutions in the United States to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of their customers' personally identifiable financial information. Similarly, Health Insurance Portability and Accountability Act covered entities and their service providers (known as business associates) must, pursuant to the Health Information Technology for Economic and Clinical Health Act, implement specific administrative, physical and technical safeguards to protect and ensure the confidentiality of protected health information.

Certain states have laws which impose general information security standards on organisations that maintain personal information. For example, California law requires organisations that own or license personal information about California residents to implement and maintain reasonable security procedures to protect the information from unauthorised access, use, disclosure, destruction or modification. Similarly, Massachusetts Standards for the Protection of Personal Information require organisations that hold personal information about Massachusetts residents to maintain a comprehensive, written information security programme to protect that personal information (note that the Massachusetts law applies to both consumer and employee data). At least eight other states have information security laws which require organisations to implement reasonable security measures with respect to certain types of information.

Nevada law requires that businesses encrypt customer personal information if the information is transmitted electronically outside the business’s secure system, other than via fax, and when moving a data storage device containing personal information outside the logical or physical controls of the business. Nevada’s encryption law also requires businesses collecting payment card information in Nevada to comply with the Payment Card Industry Data Security Standard. Minnesota law similarly codifies selected requirements of the Payment Card Industry Data Security Standard, including prohibitions on storing payment card data once a transaction is completed.

Several state laws impose specific information security requirements with respect to certain types of sensitive personal information. For example, Connecticut and New Jersey require data security safeguards and security practices for health insurance information. Over a dozen states (eg, California and New York) also impose safeguarding requirements with respect to social security numbers.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Since California’s breach notification law in 2003, 48 US states, the District of Columbia, Guam, Puerto Rico and the US Virgin Islands have enacted data breach notification laws that require affected individuals to be notified in the event of an information security breach. There is no national data breach notification requirement. Organisations which have experienced a data breach must comply with the legal requirements of each state in which affected individuals reside. Minor variations in the state breach laws can create compliance challenges when residents of multiple jurisdictions are affected. For example, certain state breach laws include provisions that limit the notification requirement to include only those breaches that pose a risk of harm to affected individuals, or exempt entities that are subject to federal regulations regarding breach notification. However, other state breach laws require notification in the event of unauthorised access regardless of the likelihood of harm or the applicability of federal regulations. Accordingly, determining whether notification is legally required pursuant to state breach laws requires a fact-specific, state-by-state analysis.

In the event of a data breach, the entity that owns or licenses the data typically bears responsibility for notifying affected individuals. Where a service provider of a data owner experiences an information security breach, the state laws generally impose an obligation on the service provider to notify the data owner on discovering the breach, and the data owner is then required to notify affected individuals.

Additionally, sector-specific laws impose notification obligations on covered entities, including financial institutions and healthcare entities. Pursuant to the Interagency Guidance on Response Programmes for Unauthorised Access to Customer Information and Customer Notice (the interagency guidance) – issued in 2005 by federal banking regulators – a financial institution that becomes aware of an incident involving unauthorised access to or use of “sensitive customer information” must promptly notify its primary federal regulator (as well as appropriate law enforcement authorities if the incident involves federal criminal violations that require immediate attention). The entity also must notify affected customers if misuse of sensitive customer information “has occurred or is reasonably possible”. Regarding healthcare, the Health Information Technology for Economic and Clinical Health Act and the breach notification section of the Final Omnibus Rule require:

  • Health Insurance Portability and Accountability Act covered entities that experience an information security breach involving unsecured protected health information to notify affected individuals; and
  • business associates of Health Insurance Portability and Accountability Act covered entities to notify the covered entity following discovery of such a breach.

Are data owners/processors required to notify the regulator in the event of a breach?

Over half of the states require organisations to notify the state attorney general or other state agency in the event of a legally cognisable security breach. Some states require notification to state regulators when an entity chooses to rely on the state law’s notification harm threshold as a basis for not notifying affected residents. Additionally, sector-specific laws require regulator notification by covered entities as discussed above. For example, the interagency guidance requires financial institutions to notify their primary federal regulator and law enforcement authorities (where appropriate) in the event of a breach. Similarly, Health Insurance Portability and Accountability Act covered entities must provide notice of data breaches to the Department of Health and Human Services.              

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

At a federal level, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 regulates the transmission of commercial email, which is defined as an email for which “the primary purpose… is the commercial advertisement or promotion of a commercial product or service (including content of an Internet website operated for a commercial purpose)”. The primary purpose test is a fact-specific analysis. The Controlling the Assault of Non-Solicited Pornography and Marketing Act imposes numerous requirements on commercial emails, including that:

  • headers must not be materially false or misleading;
  • the email must include a functioning opt-out mechanism, and opt-out requests must be honoured within 10 business days of receipt; and
  • the email must include the sender’s valid physical postal address and a clear and conspicuous identification as an advertisement. 

With respect to text message marketing, subject to limited exceptions, the federal Telephone Consumer Protection Act and implementing regulations restrict the transmission of certain automated text messages without the prior express written consent of the recipient.  

Cookies

Are there rules governing the use of cookies?

No law specifically governs the use of cookies. However, US websites targeted towards EU citizens must comply with relevant EU legislation requiring websites to obtain users’ consent to the use of cookies. In addition, at state level, the California Online Privacy Protection Act and Delaware Online and Privacy Protection Act require website operators to disclose to consumers in their privacy policies how the website responds to ‘do not track’ signals and whether third parties may collect information about consumers’ online activities when a consumer uses the site. Nevada’s recently enacted online privacy policy legislation similarly requires a website operator to disclose whether third parties may collect information about users’ online activities from the website, but does not require a website operator to disclose how the website responds to ‘do not track’ signals.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

There are no specific cross-border data transfer restrictions. 

Are there restrictions on the geographic transfer of data?

This question is not applicable in this jurisdiction. 

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

At a federal level, various regulations apply to the third-party processing of personal data. For example, the Federal Trade Commission’s (FTC’s) Affiliate Marketing Rule prohibits, at a high level, the sharing of certain consumer report information with third-party affiliated entities for the purpose of providing solicitations for marketing. The rule generally requires a covered entity collecting personal data to provide consumers with:

  • sufficient notice that their information will be collected and shared with affiliates for marketing purposes; and
  • a reasonable opportunity to opt out of affiliate sharing for marketing purposes.

The FTC also has issued privacy and security regulations for financial institutions subject to the Gramm-Leach-Bliley Act with respect to sharing personal data with third parties. The FTC’s Privacy Rule requires financial institutions to provide notice to consumers and customers about the institution’s privacy policies, including how the financial institution shares non-public personal information with non-affiliated third parties and what types of non-public personal information may be shared with such third parties. Additionally, the FTC’s Safeguards Rule requires financial institutions under FTC jurisdiction to not only develop their own safeguards to keep customer information secure, but to take steps to ensure that any third-party affiliates and service providers do likewise.

In the healthcare sector, the Health Insurance Portability and Accountability Act Privacy Rule allows covered entities to disclose protected health information to third-party business associates, but only where the covered entity and business associate have entered into a business associate agreement with certain information sharing provisions, including requiring the business associate to:

  • use the information only for the purposes for which the covered entity engaged the business associate;
  • safeguard the information from misuse; and
  • assist the covered entity with complying with the covered entity’s other obligations under the Privacy Rule.

Privacy Shield-certified organisations must enter into written contracts (ie, onward transfer agreements) with third parties to whom they transfer personal data received from the European Union. Onward transfer agreements must contain specific provisions for the protection of personal data.

At state level, where a third party processor (ie, a service provider) experiences a legally cognisable information security breach, the state breach notification laws generally oblige the service provider to notify the data owner on discovering the breach; the data owner is then required to notify affected individuals of the breach. Certain state laws also impose privacy and security obligations on entities that share personal data with third parties for processing. For example, the Massachusetts data security regulations (201 Code of Massachusetts Regulations 17.00) require businesses subject to the rules to require by contract that third-party service providers implement and maintain appropriate security measures for personal information.   

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Because the United States does not have a dedicated data protection law, penalties for non-compliance are imposed pursuant to the various federal and state data protection laws. Violations of federal and state privacy and data protection laws in the United States generally lead to civil, not criminal, penalties, except for violations of surveillance laws. Civil penalties may include monetary penalties, affirmative obligations (eg, mandatory compliance audits and the required implementation of a comprehensive information security programme) and injunctions prohibiting future violations of the relevant laws.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Several states’ breach notification laws provide for private rights of action allowing affected individuals to seek an injunction or recover actual damages and, in some cases, litigation costs and attorneys’ fees. The plaintiffs’ bar has become increasingly active in bringing class action lawsuits following data breaches. While settlement amounts may be significant, in most cases where plaintiffs allege they suffered an increased risk of identity theft or expended time and money to mitigate future harm, and do not allege any misuse, such lawsuits do not survive the standing requirement given a failure to demonstrate injury in fact.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

The federal Cybersecurity Information Sharing Act of 2015 authorises companies to engage in certain cybersecurity monitoring and defence practices to protect against cybersecurity threats. The act provides for specified liability protections for businesses in connection with monitoring information systems for cyber threats, taking measures to defend against cyberattacks and sharing cyber intelligence with other entities, including businesses and the US government.    

In addition, the Computer Fraud and Abuse Act is a federal statute that criminalises certain activity resulting from accessing a computer without authorisation, or exceeding authorised access and thereby obtaining information. At a high level, the act prohibits accessing a protected computer for the purpose of obtaining national security information, compromising confidentiality, committing fraud, damaging or threatening to damage a computer or information therein as a means of extortion, trafficking in passwords or trespassing in a government computer. The act provides for criminal sanctions and a private right of action.

Many US states are addressing cybersecurity issues through various cybersecurity legislative initiatives, having introduced over 200 bills or resolutions in 2017. The key areas of legislative activity include requiring the enhancement of government agency security practices, providing more funding for improved security measures, increasing penalties for cybercrimes and addressing threats to critical infrastructure.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

In 2014 the National Institute of Standards and Technology (NIST) – a division of the US Department of Commerce – issued its cybersecurity framework designed to provide guidance to private sector entities on recognising and defending against cybersecurity risks as part of the organisation’s risk management processes. The NIST framework was issued pursuant to an executive order which called for the development of a voluntary, risk-based set of industry standards and best practices in the area of cybersecurity. While the NIST framework does not impose regulatory requirements on private sector entities, it enables organisations to apply risk management principles and best practices to improve their cybersecurity resilience in light of their organisational structure, degree of cybersecurity risk and level of cybersecurity sophistication. On January 10 2017 the NIST issued a draft revision to the framework, expected to be finalised in Autumn 2017. The draft revision generally enhances and clarifies existing guidance in the framework, including updating the frequently asked questions to support understanding and use of the framework.

Which cyber activities are criminalised in your jurisdiction?

As indicated above, the Computer Fraud and Abuse Act criminalises the use of computers which results in unauthorised access to certain information. Additionally, various federal and state laws provide for criminal sanctions for certain surveillance activity. At a federal level, interception of communications is governed by the Electronic Communications Privacy Act, which comprises the Wiretap Act, the Stored Communications Act and the Pen Register Act. However, most states also have eavesdropping laws which regulate the interception of communications. In general, these laws criminalise the use of a device to intercept, hear, record, amplify or transmit any part of a private communication without the consent of one or all of the parties to the communication. Federal and state surveillance laws generally prohibit internet surveillance, subject to certain exceptions (eg, surveillance by network providers is permitted).

Which authorities are responsible for enforcing cybersecurity rules?

Numerous regulatory bodies in the United States (eg, the Federal Trade Commission (FTC), the Federal Communications Commission, the Securities and Exchange Commission (SEC), the Consumer Financial Protection Bureau and the Department of Health and Human Services) have the authority to bring cybersecurity-related actions. The FTC is the primary federal regulator that enforces data security requirements. Although the FTC has no authority to fine companies for Section 5 violations, FTC enforcement actions often result in consent decrees that prohibit the company from future violations of the FTC Act and that may trigger fines if violated.

Other federal regulators may enforce data security requirements pursuant to sector-specific laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act and relevant security-implementing regulations. At state level, state attorneys general and state insurance commissions may bring enforcement actions (including via consolidated, multi-state actions) against companies for violations of state consumer protection, information security and breach notification laws.  

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Companies increasingly need cyber insurance that helps to cover their liability for information theft or loss. Cyber insurance policies generally cover costs associated with data breaches, including the cost of legal fees and expenses, notifying affected individuals of a data breach, providing credit monitoring and identity theft protection services to affected individuals, recovering compromised data and repairing damage to affected computer systems in the event of a cyber intrusion. As with all insurance products, the scope of cyber coverage varies and organisations must carefully analyse their cyber insurance portfolio to help ensure maximum coverage.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Many regulatory regimes require organisations to keep records associated with cybersecurity events. The Health Insurance Portability and Accountability Act, for example, imposes broad retention obligations, including the specific requirement that entities maintain documentation sufficient to demonstrate their compliance with the regulation’s breach notification requirements. This documentation may include, as appropriate, copies of notifications sent to individuals, authorities and the media, as well as risk assessments demonstrating that notification was not required for a given breach.

In addition, certain state breach notification laws provide that, in order to invoke a harm threshold as a basis for not notifying affected individuals or relevant regulators, organisations must document the determination of the risk of harm and retain that documentation for a specified period of time (eg, five years). 

From a litigation perspective, many data breaches instigate an internal legal hold requirement whereby relevant documents must be retained while litigation is reasonably anticipated.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

As indicated above, to the extent that a cybersecurity incident constitutes a legally cognisable information security breach under relevant state or federal breach notification laws, companies may be required to notify relevant regulators.

Are companies required to report cybercrime threats, attacks and breaches publicly?

To the extent that a cybersecurity incident constitutes a legally cognisable information security breach under applicable breach notification laws, companies must notify affected individuals and relevant regulators pursuant to such laws. 

Pursuant to the state breach notification laws, if an organisation is unable to provide individual notice to persons affected by a legally cognisable information security breach (eg, because it cannot identify the affected individuals or lacks sufficient contact information for affected individuals), the organisation may provide substitute notice. Substitute notice typically consists of public disclosures regarding the breach, including website postings and notice to media outlets, depending on the requirements of the relevant state breach laws. Health Insurance Portability and Accountability Act covered entities are also permitted to provide substitute notice in certain circumstances, and must notify the media for breaches affecting over 500 individuals.  

Further, in 2011 the SEC issued guidance regarding cybersecurity disclosure obligations. The guidance indicates that companies should disclose to investors any material cybersecurity risks and cyber incidents, including data breaches. 

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Violations of federal and state privacy laws typically result in civil penalties, not criminal sanctions. The main exceptions are laws directed at surveillance activities and computer crimes. Violations of federal wiretap and electronic surveillance laws, the Computer Fraud and Abuse Act and state surveillance laws can result in criminal penalties as well as civil liability. Further, the US Department of Justice is authorised to prosecute certain Health Insurance Portability and Accountability Act violations, and criminal penalties may result from knowing violations of the act’s restrictions on obtaining and disclosing certain protected healthcare information. The Department of Justice is not similarly authorised to criminally prosecute violations of other sector-specific privacy and data protection regulations, such as those imposed by the Gramm-Leach-Bliley Act.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Most state data breach notification laws provide for civil remedies. The laws may provide that the state attorney general has the power to bring an action in law or equity to address violations of the breach notification requirements. However, several states provide for private rights of action, allowing affected individuals to seek an injunction or recover actual damages and, in some cases, litigation costs and attorneys’ fees.

At the federal and state levels, civil penalties for violations of privacy and data security laws vary by law or regulation. Penalties also may arise from breach of contract claims resulting from noncompliance with contractual provisions regarding cybersecurity-related obligations.