CHAPTER MENU

1. FTC Data Security
2. State Data Breach Notification Laws
3. State Data Security Laws
4. State Data Disposal Laws

The United States does not have a national law that prescribes specific data security standards for all industries. The only federal data security laws apply to companies that handle specific types of data, such as financial information or health records (discussed in Chapter 3). This comes as a surprise to many, and is frustrating to businesses that want to assure customers and regulators that they comply with all legal requirements, particularly for securing customers' personal information. Likewise, consumer advocates and privacy groups criticize the federal government for failing to enact data security requirements. In recent years, members of Congress and the White House have introduced legislation to set minimum data security standards, but, as of publication of this book, Congress has not enacted any such legislation.

Despite the lack of a statute that sets minimum data security requirements, the Federal Trade Commission aggressively polices data security. In recent years, the FTC has brought dozens of enforcement actions against companies that it believes have failed to take reasonable steps to secure the personal data of their customers. The FTC brings these actions under Section 5 of the FTC Act, a century-old law that was designed to protect consumers and competitors from unfair business practices. ...