Complying with Legal and Industry Requirements

Legal and Industry Requirements

Listed below are links to some of the legal and industry requirements with which your business may have to comply.

Reminder:  Always consult your legal counsel to confirm the compliance requirements for your business.


Arizona Breach Notification Law (ARS 44-7501)

ARS 44-7501 requires those that conduct business in Arizona to notify affected individuals if there's been a breach that allows unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information.


Children's Online Privacy Protection Act (COPPA)

COPPA's goal is to protect children's privacy. It requires website operators to include a privacy policy and seek verifiable consent from a parent or guardian. It also sets out the website operator's responsibilities to protect children's privacy and safety online, including restrictions on marketing to those under 13.


Gramm–Leach–Bliley Act (GLBA)

GLBA is also known as the Financial Services Modernization Act of 1999.  It requires financial institutions to protect the privacy and security of individuals' information via the Financial Privacy, Safeguards, and Pretexting Protection Rules.


Health Insurance Portability and Accountability Act (HIPAA)

HIPAA requires businesses and organizations that handle protected health information to protect its privacy and security.  The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, "extends" HIPAA to address the privacy and security concerns associated with the electronic transmission of health information and with business associates of covered entities.  It also adds new breach notification requirements.


Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is an information security standard for organizations that handle cardholder information for the major credit, debit, and other payment cards.  The standard was created by the Payment Card Industry Security Standards Council to increase controls around cardholder data to mitigate breaches and to reduce credit card fraud.


Red Flags Rules

The Red Flags Rule was created by the Federal Trade Commission (FTC) to help prevent identity theft.  It sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs to identify and detect the relevant warning signs, or “red flags,” of identity theft, take steps to prevent and mitigate the risk of identity theft, and respond appropriately to red flags of identity theft.


Sarbanes-Oxley Act of 2002 (SOX)

SOX was established to restore investor confidence after it was damaged by business scandals and applies to companies registered with the US Securities and Exchange Commission.  SOX requires companies to establish and maintain internal controls and to assess the effectiveness of their controls annually.

More Information

CSO's Security Laws, Regulations, and Guidelines Directory

FTC Privacy & Security for Business

SEC Guidance on Cyber Security