Security and privacy laws, regulations, and compliance: The complete guide

Read Time:2 Minute, 9 Second

This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or regulation as well as information about what and who is covered.

CSO updates this directory, originally published on January 28, 2021, frequently as new laws and regulations are put in place.

Click on a link to skip to information and resources on that law:

Broadly applicable laws and regulations

Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standard (PCI DSS)
Payment Service Directive, revised (PSD2)
Gramm-Leach-Bliley Act (GLBA)
Customs-Trade Partnership Against Terrorism (C-TPAT)
Free and Secure Trade Program (FAST)
Children’s Online Privacy Protection Act (COPPA)
Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
Federal Rules of Civil Procedure (FRCP)

Industry-specific guidelines and requirements

Federal Information Security Management Act (FISMA)
North American Electric Reliability Corp. (NERC) standards
Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
Health Insurance Portability and Accountability Act (HIPAA)
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

US state laws

California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
Colorado Privacy Act
Connecticut Data Privacy Act (CTDPA)
Maine Act to Protect the Privacy of Online Consumer Information
Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
Nevada Personal Information Data Privacy Encryption Law NRS 603A
New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Oregon Consumer Information Protection Act (OCIPA) SB 684
Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
Utah Consumer Privacy Act
Virginia — Consumer Data Protection Act (CDPA)
Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)

International laws

Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA) — Canada
Personal Information Protection Law (PIPL) — China
Law on the Protection of Personal Data Held by Private Parties — Mexico
General Data Protection Regulation (GDPR)

Broadly applicable laws and regulations

To read this article in full, please click here

More Stories

Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure

Russian state actor Midnight Blizzard is using fake wine tasting events as a lure to spread malware for espionage purposes,...

Age Verification Using Facial Scans

Discord is testing the feature: “We’re currently running tests in select regions to age-gate access to certain spaces or user...

NTLM Hash Exploit Targets Poland and Romania Days After Patch

An NTLM hash disclosure spoofing vulnerability that leaks hashes with minimal user interaction has been observed being exploited in the...

Senators Urge Cyber-Threat Sharing Law Extension Before Deadline

Bipartisan support grows in Congress to extend Cybersecurity Information Sharing Act for 10 years Read More

Identity Attacks Now Comprise a Third of Intrusions

IBM warns of infostealer surge as attackers automate credential theft and adopt AI to generate highly convincing phishing emails en...

Microsoft Thwarts $4bn in Fraud Attempts

Microsoft has blocked fraud worth $4bn as threat actors ramp up AI use Read More