Data Security requirements may be the focus of a law or regulation or augment a broader legal requirement. In some circumstances, security obligations arise as a matter of law rather than as specifically codified or promulgated requirements. Identifying these requirements is necessary to address the associated legal and compliance risks.


A number of U.S. state and federal statutes establish requirements concerning the confidentiality, integrity, and availability of certain information. Often, such standards involve the safeguarding of certain information, such as personal information, health information, financial information, controlled unclassified information, or the like.

Data security statutes may be adopted separately or as provisions of much larger legislation encompassing other areas of privacy and security (e.g. data disposal, breach notification). Further, statutes may be limited to specific business sectors or industries, including the financial services and healthcare industries. Generally, the data security statutes are further implemented by regulations that specify the regulatory requirements in greater detail.


Entities covered by data security statutes are typically required to implement and maintain reasonable security measures. They are also generally required to include, in contracts concerning disclosures of personal information to third parties, requirements that the third party conform to the same security standard.

Enforcement & Liability

Regulatory and law enforcement agencies authorized to enforce data security laws are typically the attorney general of the jurisdiction and the officials of the relevant regulatory agency. Enforcement actions may be adjudicated in administrative hearings or the appropriate judicial court. Some statutes expressly provide for a private right of action for individuals who are harmed by violations. Other statutes that are silent on a private right of action may be interpreted by a court to implicitly allow one. Temporary and permanent injunctions and other remedies may also be available to plaintiffs and prosecutors.


Covered entities that are found liable for violations of data security laws are typically subject to civil fines. The statutes typically provide for a minimum and maximum fine for each count. They may also provide an aggregate maximum fine amount for all counts.