Compliance & Regulations
- PCI DSS (Payment Card Industry Data Security Standard): This applies to companies of any size that accept credit card payments. If your company intends to accept card payments and to store, process or transmit cardholder data, you need to host that data securely with a PCI-compliant hosting provider.
- HIPAA (Health Insurance Portability and Accountability Act) applies to healthcare providers, insurance companies, and any other organization that handles protected health information in the United States.
- The Texas Data Privacy and Security Act: The TDPSA applies to any entity that conducts business in Texas, processes or sells personal data, and is not considered a small business by the US Small Business Administration. The law will go into effect on July 1, 2024.
- NYDFS (New York Department of Financial Services): This is the regulatory body that oversees financial products and services in New York.
- SOX (Sarbanes-Oxley Act): This applies to all public companies in the U.S. It mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud.
- GDPR (General Data Protection Regulation): This is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
- ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
- NIST (National Institute of Standards and Technology) Framework: This is a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks.
- CIS (Center for Internet Security) Controls: This is a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks.
- NCUA's New Cyber Incident Reporting Rule: The National Credit Union Administration (NCUA) has recently proposed a new rule that amends Part 748 of its regulations.
- Cloud Security Alliance (CSA) Framework: This provides security principles to guide companies providing or using cloud services on assessing a cloud provider's security risk.
- COBIT (Control Objectives for Information and Related Technologies): This is a framework for the governance and management of enterprise IT. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.
- HITECH (Health Information Technology for Economic and Clinical Health Act): This U.S. law encourages the adoption of health information technology, especially electronic health records (EHRs), by providing financial incentives. It also expands upon the privacy and security protections under HIPAA.
- GLBA (Gramm-Leach-Bliley Act): Also known as the Financial Services Modernization Act, it requires financial institutions in the U.S. to explain how they share and protect their customers' private information.
- FISMA (Federal Information Security Management Act): This U.S. legislation defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.
- FedRAMP (Federal Risk and Authorization Management Program): A U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- NIST 800-53: This is a publication that provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security.
- ISO 27002 is part of the ISO 27000 family of standards and provides best practice recommendations on information security management.
- ISO 27701 is a privacy extension to ISO 27001 and provides a framework for creating, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).
- ISO 22301: This is a standard for business continuity management that organizations of any size or type can use to manage risk, protect against disruptive incidents, reduce their likelihood, and ensure that business operations continue during them.
- ITIL (Information Technology Infrastructure Library): This is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.
- ISA/IEC 62443: This is a series of standards on Industrial Automation and Control Systems (IACS) security and includes various technical reports and related information.
- SOC 2 (Service Organization Control 2): This is a type of audit report that focuses on a business's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system.
- EU-US Privacy Shield: This is a framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.
- Swiss-US Privacy Shield: Similar to the EU-US Privacy Shield, this framework regulates data exchange for commercial purposes between Switzerland and the United States.
- Australian Privacy Principles (APPs): These are the cornerstone of the privacy protection framework in the Australian Privacy Act.
- PDPB (Personal Data Protection Bill, India): This is a bill in India which proposes the establishment of a Personal Data Protection Authority.
- LGPD (Lei Geral de Proteção de Dados, Brazil): This is Brazil's General Data Protection Law, similar to GDPR in the EU.
- PDPA (Personal Data Protection Act, Singapore) governs the collection, use, and disclosure of personal data by all private organizations.
- Children's Online Privacy Protection Act (COPPA): COPPA is a federal law passed in the United States in 1998 that imposes specific requirements on operators of websites and online services to protect the privacy of children under 13. It is managed by the Federal Trade Commission (FTC).
- Kids Online Safety Act (KOSA, S.1409): A bill aimed at protecting children in the digital age; its primary objective is to ensure the safety of minors on social media platforms. It proposes several crucial provisions that aim to protect children from the potential harms of the digital world.
- CMMC (Cybersecurity Maturity Model Certification): This is a critical framework for companies in the Defense Industrial Base (DIB) aiming to work with the U.S.
- ASEAN Model Contractual Clauses (ASEAN MCCs) and EU Standard Contractual Clauses (EU SCCs): The Association of Southeast Asian Nations (ASEAN) has developed Model Contractual Clauses as a tool to facilitate cross-border data transfers within the region.
- CFAA (Computer Fraud and Abuse Act, United States): The Computer Fraud and Abuse Act (CFAA) is the federal anti-hacking law in the United States. It was brought into the spotlight after the tragic death of programmer and Internet activist Aaron Swartz, leading to calls for its reform.
- CCPA (California Consumer Privacy Act): The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
- APPI (Act on the Protection of Personal Information, Japan): This law governs the processing of personal data in Japan.
- POPIA (Protection of Personal Information Act, South Africa): This act promotes the protection of personal information by public and private bodies.
- PIPEDA (Personal Information Protection and Electronic Documents Act, Canada): This federal law governs how private sector organizations collect, use, and disclose personal information in the course of commercial business.
- Family Educational Rights and Privacy Act (FERPA): FERPA is a federal law in the United States that provides parents the right to access their children’s education records, seek to have these records amended, and exercise some control over the disclosure of personally identifiable information from these records. The rights under FERPA transfer to the student when they turn 18 or enter a postsecondary institution at any age.
- CSA STAR (Cloud Security Alliance's Security, Trust & Assurance Registry): CSA STAR is a publicly accessible registry documenting various cloud computing offerings' security and privacy controls. It emphasizes key principles such as transparency, rigorous auditing, and harmonization of standards as outlined in the Cloud Controls Matrix (CCM).
State | Privacy Act | Source |
---|---|---|
California | California Consumer Privacy Act (CCPA) | Link |
Colorado | Colorado Privacy Act (CPA) | Link |
Connecticut | Protection of Social Security Numbers and Personal Information | Link |
Indiana | Protection of Social Security Numbers and Personal Information | Link |
Iowa | Personal Information Security Breach Protection | Link |
Montana | Consumer Protection Act | Link |
Illinois | Personal Information Protection Act (PIPA) | Link |
Utah | Protection of Personal Information Act | Link |
Tennessee | Tennessee Identity Theft Deterrence Act | Link |
Virginia | Virginia Consumer Data Protection Act (CDPA) | Link |
Texas | Texas Privacy Protection Act | Link |