Legal and Industry Requirements
Listed below are links to some of the legal and industry requirements with which your business may have to comply.
Reminder: Always consult your legal counsel to confirm the compliance requirements for your business.
ARS 44-7501 requires those that conduct business in Arizona to notify affected individuals if there has been a breach that allows unauthorized acquisition of and access to unencrypted or unredacted computerized data that includes an individual's personal information.
GLBA is also known as the Financial Services Modernization Act of 1999. It requires financial institutions to protect the privacy and security of individuals' information via the Financial Privacy, Safeguards, and Pretexting Protection Rules.
HIPAA requires businesses and organizations that handle protected health information to protect its privacy and security. The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, "extends" HIPAA to address the privacy and security concerns associated with the electronic transmission of health information and with business associates of covered entities. It also adds new breach notification requirements.
The PCI DSS is an information security standard for organizations that handle cardholder information for the major credit, debit, and other payment cards. The standard was created by the Payment Card Industry Security Standards Council to increase controls around cardholder data to mitigate breaches and to reduce credit card fraud.
The Red Flags Rule was created by the Federal Trade Commission (FTC) to help prevent identity theft. It sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs so that they identify and detect the relevant warning signs, or "red flags," of identity theft, take steps to prevent and mitigate the risk of identity theft, and respond appropriately when red flags appear.
SOX was established to restore investor confidence after business scandals had damaged it, and it applies to companies registered with the US Securities and Exchange Commission. SOX requires companies to establish and maintain internal controls and to assess the effectiveness of those controls annually.
CSO's Security Laws, Regulations, and Guidelines Directory
FTC Privacy & Security for Business
SEC Guidance on Cyber Security