U.S. Encryption Laws and Regulations
Depending on the type of data, the protection of U.S. residents’ data is defined by various laws or contractual obligations. Federal laws are primarily aimed at specific sectors, such as finance or health care. State laws focus on protecting individual consumers’ personally identifiable information (PII). Industry-mandated protection frameworks, such as PCI, prescribe the exact measures required to protect credit card data.
Most U.S. state privacy laws only determine the consequences of a breach of PII. They don’t typically define how to protect it in the first place. In any case, a data breach can lead to hefty fines—and potential jail time. The California Consumer Privacy Act of 2018 went into effect in January 2020. It greatly expanded the rights of individuals. Likewise, the U.S. federal healthcare industry law, HIPAA, mandates fines based on the number of patients involved in a breach. Such fines fall into one of two categories: “Reasonable Cause” carries lower fines (between $100 and $50,000) and no jail time, whereas “Willful Neglect” leads to higher fines ($10,000 to $50,000) with potential jail time and criminal charges.
Several entities maintain network security guidelines for TLS. The four most widely adopted are:
• The Health Insurance Portability and Accountability Act (HIPAA)
• NIST’s SP 800-52r1 guidelines
• Payment Card Industry (PCI) Data Security Standard (DSS)
• The Gramm–Leach–Bliley Act