With the EU now very close to having a uniform data security law across the land, it’s a good point to take another look at US data protection and privacy laws. We have lots of ‘em at the federal level.
Here’s a quick rundown:
- HIPAA (Health Insurance Portability and Accountability Act) for medical
- FERPA (Federal Education Rights and Privacy Act) for education
- SCA (Stored Communications Act) for email and cloud content
- FCRA (Fair Credit Reporting Act) for consumer credit histories
- COPPA (Children’s Online Privacy Protection Act) for children’s data
- SOX (Sarbanes-Oxley) for internal financial records of public companies
- FISMA (Federal Information Security Management Act) for protecting public data held by federal agencies
Remember Our US Banking Data Security and Privacy Law?
And don’t get me started on other federal laws and guidelines — say ITAR — that indirectly affect the protection of various forms of data.
Looking through the above list there seems to be a major hole. It’s coming to me … wait, what about all our bank records and other financial information?
There’s a law for that!
GLBA (Gramm-Leach-Bliley Act) doesn’t get nearly the attention it should, but it does tell banks and other financial institutions how to manage access to consumer financial PII.
Most of us have seen at least one aspect of GLBA in action. You know those notices we all get in the mail from the banks describing their privacy policies and who sees your bank PII?
I know we all throw that letter out, but the privacy notice is a direct result of GLBA.
GLBA also says that financial institutions have an “obligation … to protect the security and confidentiality of those customers’ nonpublic personal information.”
Banks, brokers, mortgage companies, lenders, and financial advisers all fall under GLBA’s data security requirement. More significantly GLBA requires various federal agencies — FTC, Federal Reserve, and SEC — to come up with specific data security regulations, known as safeguard rules.
And this is where the rubber hits the road.
Each agency has its own variation of the safeguards, but in effect financial firms have to perform a risk assessment and put in place a program to protect consumer data, to “ensure the security and confidentiality of customer records.” They’re also required to continually test and monitor their security programs.
Huge sigh of relief.
So on paper our financial data has some protections through these safeguard rules — see for example the brief text of the FTC’s version — but they’re not nearly as comprehensive as HIPAA’s, the gold standard of US data security regulations.
Enforcement Picks Up
But what about enforcement?
For the brokers and advisory firms that fall under the SEC, we now have some evidence that it’s picking up. Back in February, the SEC released a report on the cyber security preparedness of brokers. Considering these companies hold our stock, mutual funds, and retirement accounts, the SEC found they could be doing better, security-wise.
The SEC has signaled it’s getting more serious about its data rules.
The SEC just announced a second round of cybersecurity examinations. That was followed up by a settlement reached against a Midwestern financial advisory firm for a data breach (traced to China) involving over 100,000 customer records.
The SEC said the firm violated its safeguards rule by not performing a proper risk assessment and not having procedures in place to protect customer data. The company was censured and paid $75,000 in fines.
My thoughts: With HIPAA enforcement also ramping up, the US government is taking cyber-attacks far more seriously than it ever has before.
Of course we could use a good national data breach notification law in America.
But by enforcing existing laws, the US government can still have a major impact on the way companies go about protecting data.
Can’t say companies, especially in the financial and medical sectors, haven’t been warned!