Contrary to other parts of the world there is no single, unified data protection law or regulation to adhere to in the United States. Rather, a series of federal and state laws protect the personal data of its citizens. With around 44% of US consumers reportedly having been the victim of a data breach, it comes as little surprise that data privacy is becoming a high priority for US businesses and individuals alike. The recent introduction of tighter legislation such as the California Consumer Privacy Act indicates that the US is heading towards tighter protections when it comes to consumers’ data, however there is still a long way to go as data breaches such as Marriott international and Equifax still occur on a seemingly regular basis.
In the US, personal data is more commonly known as Personally identifiable information (PII,) the difference being that personal data is a broader spectrum to encompass other data such as IP addresses. By comparison, PII is defined as any data that could potentially be used to identify a particular person (e.g. name, address, social security number…) As credit card data can be used in this way it is considered PII and is therefore subject to any data privacy legislation relating to PII.
So what legislation is pertinent to this? This is where things get interesting.
At a federal level, there are several industry-specific data privacy laws which exist, for example the Health Insurance Portability and Accountability Act (HIPAA) which is concerned with data protection in the health sector. Along with this there are hundreds of individual data privacy laws which vary by state. California has more than 25 data privacy laws alone, including the most recent addition of the California Consumer Privacy Act (CCPA.) Not only this, as can be seen with our US data privacy heatmap, several other states are set to introduce additional data privacy laws in the near future.
Any organisation operating in the US may have numerous types of legislation to consider when looking at information security and data privacy practices. This also means that should an organisation suffer a data breach, it could be breaching multiple regulations, be subject to numerous investigations and potentially, several fines. What’s equally important is that the increase in data breaches hasn’t gone unnoticed by US consumers. Our own research has shown the majority of Americans feel uncomfortable reading their credit card details out over the phone, and one in five US consumers we spoke to said they would stop spending with a brand permanently should they suffer a data breach.
Given there are numerous pieces of legislation to consider relating to data protection, how can businesses ensure they are compliant with them all? there are ways that organisations can make the process easier by focussing on which data to secure and how rather than looking at the legislation itself. The latest Verizon report shows that over 86% of data breaches are financially motivated; hackers seek to obtain credit card data above all else. Businesses should be looking to secure this data as a priority. How? By utilizing existing standards such as the PCI DSS which is concerned with the storage, transmission and processing of credit card data. Now in its 16th year the PCI DSS can provide organizations with a solid framework on which to base their data protection policies and practices. Not only does this ensure valuable credit card data is protected, but it can also go a long way to assist in adhering to multiple pieces of legislation concerned with protecting PII throughout the US.