Chapter 3: Cybersecurity Requirements for Specific Industries


  1. Financial Institutions: Gramm-Leach-Bliley Act Safeguards Rule
  2. Financial Institutions and Creditors: Red Flag Rule
  3. Companies that use Payment and Debit Cards: Payment Card Industry Data Security Standard (PCI DSS)
  4. Health Providers: Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  5. Electric Utilities: Federal Energy Regulatory Commission Critical Infrastructure Protection Reliability Standards
  6. Nuclear Regulatory Commission Cybersecurity Regulations


Chapters 1 and 2 covered the general data security obligations that all U.S. companies face under Section 5 of the FTC Act, state data security laws, and common law torts that could lead to class action lawsuits and other litigation. These requirements apply equally to companies regardless of their industry.

In addition to these general data security requirements, companies that handle particularly sensitive information or operate in industries that carry particularly high national security risks face more stringent requirements. This chapter covers six such prominent legal requirements for sensitive information: (1) the Gramm-Leach-Bliley Act Safeguards Rule for financial institutions, (2) the Red Flags Rule for certain creditors and financial institutions, (3) the Payment Card Industry Data Security Standard (PCI DSS) for credit and debit card information, (4) the Health Insurance Portability and Accountability ...
