Cybersecurity 2025

Last Updated March 13, 2025

USA

Law and Practice

Freshfields is a global market leader in handling data crises, investigations, class actions, and regulatory engagement. The firm has in-depth experience in cybersecurity – from prevention to governance to responding to incidents – and has a deep bench of cybersecurity and privacy attorneys who provide clients with global coverage from offices around the world, including in the USA, Europe, the UK, and Asia. With a strong market-leading data and cyber practice comprising more than lawyers, Freshfields’ global team of experts works seamlessly at the highest level, leveraging their expertise in crisis management and judicial proceedings to provide high-quality advice. This includes extensive know-how, honed through involvement in hundreds of international cases.

The USA does not regulate cybersecurity under a single, general, nationwide regime. Instead, multiple overlapping regulatory regimes at both the federal and state level address cybersecurity in a sector- or jurisdiction-specific manner. The scope and substantive obligations imposed by each of these regulations address specific aspects of cybersecurity. These aspects can include:

  • technical measures that can be implemented to mitigate the risk of unauthorised access to data;
  • incident response procedures for when data breaches occur; and
  • transparency and reporting requirements.

These regulations serve purposes such as protecting national security, safeguarding personal information (including specific regulations addressing sensitive financial data or health information), and promoting collaboration and innovation. For more information on sector-specific and national security-specific regulations, see 2. Critical Infrastructure Cybersecurity, 3. Financial Sector Operational Resilience Regulation, and 6.3 Cybersecurity in the Healthcare Sector.

At the federal level, the main laws and regulations governing cybersecurity include:

  • the Gramm-Leach-Bliley Act (GLBA) of 1999, which imposes security and transparency requirements on financial institutions’ handling of non-public personal information of customers (see 3.1 Scope of Financial Sector Operational Resilience Regulation for more detail);
  • the Health Insurance Portability and Accountability Act (HIPAA), which regulates the protection of sensitive healthcare-related information (see 6.3 Cybersecurity in the Healthcare Sector for more detail);
  • the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which regulates disclosure of cyber-incidents by critical infrastructure companies (see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation for more detail);
  • laws and regulations imposing cybersecurity obligations on federal government agencies and contractors, such as the Defense Federal Acquisition Regulation Supplement (DFARS) and the Federal Information Security Management Act; and
  • the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules requiring some publicly traded companies to report certain cybersecurity incidents and make disclosures about their cybersecurity strategy, cybersecurity governance, and cybersecurity risk management in public filings.

A number of federal laws and regulations criminalise hacking and otherwise regulate the use of information technology by individuals and law enforcement entities alike. By way of example, the Computer Fraud and Abuse Act criminalises unauthorised access to computer systems, and the Stored Communications Act regulates ISPs’ ability to voluntarily provide stored electronic communications and data to the government and also regulates the manner in which the government may seek compelled access to stored electronic communications and data through legal process. In addition, the Wiretap Act and the Pen Register Act criminalise the unlawful interception of content and non-content data, respectively.

In addition to these cybersecurity-specific laws and regulations, some more general regulations have been enforced with regard to cybersecurity. By way of example, Section 5 of the Federal Trade Commission Act empowers the Federal Trade Commission (FTC) to regulate and enforce against unfair or deceptive trade practices in general. The FTC and federal courts have interpreted this provision to permit the regulation and enforcement of cybersecurity where companies’ security practices (and public representations concerning those practices) may qualify as unfair or deceptive.

Finally, in addition to federal regulation, many states impose cybersecurity obligations through statute or regulation. Some states require by statute that companies take reasonable measures to protect sensitive personal information of state residents, with varying levels of specificity as to what measures are required or will be deemed reasonable if employed. Other states have more developed regulatory regimes, including the California Consumer Privacy Act. For more details on cybersecurity regulations promulgated by New York State’s Department of Financial Services (NYDFS), see 6.2 Cybersecurity and AI.

At the federal level, the main cybersecurity regulators include:

  • the FTC, which – as noted in 1.2 Cybersecurity Laws – regulates cybersecurity as part of its broad authority to regulate and enforce against unfair or deceptive trade practices;
  • the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS), which investigate and prosecute federal criminal activity, including cyber-intrusions and cyber-enabled crime;
  • the DHS, which regulates critical infrastructure and other aspects of national security;
  • the Department of Health and Human Services (HHS), which enforces HIPAA regulations – including those related to data protection – over covered providers; and
  • the SEC, which regulates publicly traded companies and imposes disclosure obligations following cybersecurity breaches.

Federal regulators have the authority to promulgate regulations with the force of law following a public notice-and-comment process, as well as to enforce those regulations through civil investigations (including compulsory disclosure of documents and testimony) and litigation.

At the state level, cybersecurity may be regulated by state Attorneys General or subdivisions within their offices. Some states have established cybersecurity-specific agencies, such as the Utah Cyber Center, and others have conferred authority to sector-specific regulators, such as the NYDFS. For more detail on the NYDFS, see 6.2 Cybersecurity and AI.

In the USA, CIRCIA requires critical infrastructure entities to report covered cyber-incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. The applicable rules for covered entities under CIRCIA are still under development and it is currently estimated they will go into effect at the end of 2026. The regulation, released in draft form on 4 April 2024, purports to further define the categories of entities and incidents subject to the reporting regime.

The scope of application under CIRCIA is intentionally broad, encompassing entities across all 16 critical infrastructure sectors, as identified by the DHS. These sectors include industries vital to public safety, economic stability, and national security, such as the chemical, critical manufacturing, defence industrial base (DIB), energy, financial services, healthcare, and IT industries.

Sector-Specific Regulations

  • Energy – the Federal Energy Regulatory Commission (FERC) enforces the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards, requiring electric utilities to secure cyber-assets, manage supply chain risks, and report incidents under Section 215 of the Federal Power Act (FPA).
  • Transportation – the Transportation Security Administration (TSA) mandates cybersecurity for pipeline, rail and aviation operators through directives requiring incident reporting, risk mitigation, and security plans.
  • Water and waste water systems – the Environmental Protection Agency (EPA) enforces cybersecurity requirements under America’s Water Infrastructure Act (AWIA), requiring utilities serving more than 3,300 people to assess risks and enhance cybersecurity protections.
  • Nuclear – the National Nuclear Security Administration (NNSA) and Nuclear Regulatory Commission (NRC) enforce cybersecurity for nuclear facilities and contractors handling classified data, with strict protections under Title 10, Code of Federal Regulations (CFR) Part 73 and the Department of Energy Cybersecurity Program Plan (CSP).
  • DIB – the Cybersecurity Maturity Model Certification (CMMC) and DFARS 252.204-7012 require defence contractors handling Controlled Unclassified Information to meet National Institute of Standards and Technology (NIST) SP 800-171 standards for cybersecurity, and separate departmental requirements obligate certain entities to report identified categories of cyber-incidents.
  • Healthcare – HIPAA mandates cybersecurity protections for electronic protected health information (“ePHI”) under the HIPAA Security Rule, with breach reporting obligations under the HIPAA Breach Notification Rule. See 6.3 Cybersecurity in the Healthcare Sector for more on HIPAA.
  • Other entities handling personal health records – entities not regulated by HIPAA that handle personal health records (PHRs) are required to notify affected individuals under the FTC’s Health Breach Notification Rule (HBNR).

In the USA, critical infrastructure cybersecurity is governed by sector-specific regulations designed to address the unique risks faced by each industry. These requirements aim to enhance resilience against cyberthreats by mandating proactive risk management, incident reporting, and adherence to best practices.

There are a number of sector-specific cybersecurity requirements, as follows.

  • Energy sector – the FERC’s CIP Standards require cybersecurity plans, access controls, and periodic risk assessments.
  • Water and waste water systems sector – the EPA mandates water utilities to incorporate cybersecurity into risk assessments and develop emergency response plans under the AWIA.
  • Nuclear sector – NRC licensees must implement extensive cybersecurity safeguards, including access controls, network monitoring, supply chain risk management, and incident response protocols to prevent cyberthreats from compromising reactor operations or sensitive nuclear materials.
  • Transportation sectors – TSA’s cybersecurity directives require critical infrastructure owners to implement vulnerability assessments, mitigation measures, and cybersecurity plans. Other particular requirements apply to the rail and aviation sectors.
  • Healthcare sector – see 6.3 Cybersecurity in the Healthcare Sector.
  • Financial services sector – see 3. Financial Sector Operational Resilience Regulation (in particular, 3.1 Scope of Financial Sector Operational Resilience Regulation).
  • DIB – the CMMC framework establishes tiered cybersecurity requirements for defence contractors handling controlled unclassified information (CUI), with higher levels requiring measures such as encryption, multifactor authentication, and third-party cybersecurity assessments.

In the USA, incident response and notification obligations for critical infrastructure owners and operators are primarily governed by sector-specific regulations. CIRCIA will apply in addition to, not in replacement of, these sector-specific obligations. Once the CIRCIA regulations are finalised, they will require:

  • cyber-incident reporting – covered entities must report covered cyber-incidents to CISA within 72 hours of determining that a covered incident has occurred; and
  • ransomware payment reporting – entities must notify CISA within 24 hours of making a ransomware payment.

These requirements aim to enable CISA to better co-ordinate incident response efforts and facilitate information sharing between government and private-sector stakeholders. Despite the comprehensive framework, several uncertainties remain, as follows.

  • Covered entities – CISA’s forthcoming regulations will determine which organisations within each sector are subject to CIRCIA obligations. Small or ancillary entities may face ambiguity about whether they fall within the scope.
  • Incident thresholds – CIRCIA has not finalised what constitutes a “covered cyber-incident”. Without CISA’s finalised guidance, entities lack clarity on reporting triggers.
  • Overlapping regulations – entities operating in multiple sectors may face overlapping obligations under federal and sector-specific frameworks (eg, HIPAA versus CIRCIA).
  • Liability protections – while CIRCIA provides limited liability protections for reporting entities, questions remain about their interaction with confidentiality obligations under other frameworks, such as HIPAA or NRC regulations.
  • International implications – organisations operating internationally may need to reconcile compliance with US frameworks such as CIRCIA and foreign standards, including the EU’s Network and Information Security Directive 2 (“NIS2”).

As noted in 2.1 Scope of Critical Infrastructure Cybersecurity Regulation, in addition to the forthcoming CIRCIA requirements, there have already been sector-specific notification requirements in place for quite some time. Those include the following.

  • Energy sector – the NERC, under FERC oversight, requires Bulk Electric System (BES) entities to report cybersecurity incidents that could impact reliability, including operational disruptions, unauthorised access, or attempted compromises, with notification timelines based on the severity of the incident. The most severe incidents (those that successfully compromise BES Cyber Systems and impact reliability) must be reported to the Electricity Information Sharing and Analysis Center (E-ISAC) and CISA within one hour of determination.
  • Water and waste water systems sector – under the AWIA, water utilities must notify local emergency planning committees of any disruptions affecting service delivery, including those caused by cybersecurity incidents.
  • Nuclear sector – the NRC requires immediate notification of cyber-incidents that compromise digital systems essential to nuclear safety, security, or emergency preparedness.
  • Transportation systems sector – the TSA requires pipeline, rail and aviation operators to report identified categories of cybersecurity incidents within 24 hours and conduct post-incident reviews.
  • Healthcare sector – see 6.3 Cybersecurity in the Healthcare Sector.
  • Financial services sector – see 3. Financial Sector Operational Resilience Regulation (in particular, 3.1 Scope of Financial Sector Operational Resilience Regulation).
  • DIB – contractors handling CUI must report cyber-incidents to the Department of Defense (DoD) within 72 hours of discovery.

State governments play a critical role in enhancing resilience and identifying threats to critical infrastructure within their jurisdictions. While the federal government provides overarching guidance and regulatory frameworks, states often act as the frontline co-ordinators for implementing resilience strategies, facilitating information sharing, and supporting critical infrastructure owners and operators.

Resilience Responsibilities

State responsibilities when it comes to enhancing the cyber-resilience of critical infrastructure are as follows.

  • Development of statewide cybersecurity strategies – many states have established cybersecurity offices or task forces to develop and implement strategies aimed at strengthening the resilience of public and private critical infrastructure. These strategies often align with federal initiatives, such as the NIST Cybersecurity Framework, while addressing state-specific risks and priorities.
  • Incident response co-ordination – states frequently serve as co-ordinators for incident response efforts through their state fusion centres and emergency operations centres. These entities work closely with CISA, local governments, and private-sector stakeholders to respond to and recover from cyber-incidents.
  • Infrastructure resilience grants and programmes – states administer federal grant programmes, such as the State and Local Cybersecurity Grant Program, to fund projects that enhance the resilience of critical infrastructure. These grants support initiatives such as system upgrades, cybersecurity training, and vulnerability assessments.

Threat Identification Responsibilities

State responsibilities when it comes to identifying cybersecurity threats to critical infrastructure are as follows.

  • Threat intelligence sharing – state governments act as intermediaries between federal agencies and local entities by disseminating threat intelligence. This includes leveraging the federal Multi-State Information Sharing and Analysis Center (MS-ISAC), which provides cybersecurity threat monitoring, analysis, and early warnings tailored to state and local governments.
  • Sector-specific threat monitoring – many states focus on monitoring threats to key sectors, such as water utilities, energy grids, and healthcare facilities, which are often regulated at the state level. State public utility commissions and health departments often collaborate with federal agencies to identify and mitigate threats.
  • Mandatory reporting and oversight – states enforce data breach reporting requirements for businesses and other entities operating within their jurisdiction. Virtually all states have enacted data breach notification laws, requiring organisations to report breaches involving personally identifiable information (PII) to affected individuals and, in many cases, the state Attorney General or other regulatory bodies. For instance:
    1. some states (eg, California) mandate detailed reporting on the nature of the breach and steps taken to address it; and
    2. some state laws also impose specific deadlines for breach notifications, typically ranging from 30 to 90 days, depending on the jurisdiction.

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (together, the “prudential regulators”) consider cybersecurity to be a component of US financial institutions’ operational risk management framework, as described in the regulatory capital rules and elsewhere.

Title V of the GLBA was the first federal law to require that financial institutions safeguard non-public personal information (NPPI) of their customers. The statute requires each prudential regulator to establish standards for financial institutions to:

  • insure the security and confidentiality of records containing NPPI;
  • protect against “any anticipated threats or hazards” to such records; and
  • protect against unauthorised access of such records (the “Safeguards Rule”).

The Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”) that derive from this statutory mandate require all financial institutions to have information security programmes that further the objectives of the Safeguards Rule. In 2020, the OCC and the FDIC published a Joint Statement on Heightened Cybersecurity Risk (the “Joint Statement”), which elaborated on the Security Guidelines.

Cybersecurity risks are also addressed in the Interagency Guidelines Establishing Standards for Safety and Soundness (the “Safety and Soundness Guidelines”), which set out broad safety and soundness standards against which financial institutions are evaluated. As with other components of risk management, the prudential regulators expect a financial institution to tailor its cybersecurity risk management system to be proportionate to the size and the complexity of the institution and its risk profile.

In 2020, the prudential regulators published interagency guidance on Sound Practices to Strengthen Operational Resilience (the “Sound Practices”), which brought together existing regulations, guidance, statements and common industry standards for operational resilience. Acknowledging cybersecurity risk as “one of the most important types of operational risk”, the Sound Practices include an appendix with sound practices for managing cyber-risk.

The Federal Financial Institutions Examination Council (FFIEC) – an interagency body that promotes uniformity in the supervision of financial institutions – has also published examination manuals and guidance on cybersecurity risk management, including the FFIEC IT Examination Handbook.

Taken together, these rules, statements and guidelines, as well as the FFIEC examination manuals and supplements, provide the prudential regulators’ most current standards regarding managing cybersecurity risk.

The Bank Service Company Act grants the prudential regulators statutory authority to supervise certain third parties that provide services to financial institutions. In the case of IT, these third-party service providers include core application processors, electronic funds transfer switches, internet banking providers, item processors, managed security service providers, and data storage service providers.

In October 2012, concurrently with the release of the Supervision of Technology Service Providers Booklet (the “TSP Booklet”) of the FFIEC’s IT Examination Handbook (described in 3.1 Scope of Financial Sector Operational Resilience Regulation), the prudential regulators also released the Administrative Guidelines on the Implementation of Interagency Programs for the Supervision of Technology Service Providers. The guidelines describe how technology service providers (TSPs) are assessed for risk using the Uniform Rating System for Information Technology (URSIT). The URSIT score is used to determine the priority, frequency and extensiveness of the examinations of TSPs. TSPs are considered either significant service providers (SSPs), serving a large number of banks and posing higher risk, or regional service providers (RSPs), serving fewer banks and posing less risk.

The Multi-Regional Data Processing Servicer (MDPS) programme is a programme that specifically designates for special monitoring and interagency supervision TSPs that are considered “mission-critical” (vital to the successful continuance of a core business activity) for a large number of financial institutions that are regulated by more than one prudential regulator or provide services through a number of technology service centres located in diverse geographic regions.

The prudential regulators also conduct shared application software reviews (SASRs) to review major software packages used by a significant number of financial institutions or for higher-risk applications in larger financial institutions (such as software packages for use in wire transfer, capital markets, or securities transfer).

Contractual Requirements

Although the prudential regulators have authority to supervise TSPs, financial institutions remain primarily responsible for ensuring that TSPs’ activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, and face liability for breaches or violations by a TSP. As such, financial institutions are expected to have robust third-party risk management processes, including contract development and ongoing monitoring. As described in the TSP Booklet, contracts between financial institutions and TSPs should include the following:

  • the right to audit and conduct business continuity planning (BCP) testing;
  • measurable service-level agreements (SLAs) for services being provided;
  • default and termination provisions;
  • the need for data security and confidentiality to, at a minimum, adhere to US regulatory standards (for foreign-based service providers);
  • clear definitions of data ownership and handling expectations;
  • the ability to request information describing a TSP’s response to relevant regulations, supervisory guidance, or other notices from federal banking agencies;
  • incident response and notification responsibilities; and
  • the extension of contractual terms to subcontractors.

Financial institutions are required to maintain risk management systems that are proportional to the size and complexity of their organisation (known as “tailoring”). Given that risk management is institution-specific, regulators have not established any processes and controls for cybersecurity risk that are required, but the regulatory guidance and FFIEC manuals described in 3.1 Scope of Financial Sector Operational Resilience Regulation provide standards and best practices to comply with regulators’ objectives. The Joint Statement, described in 3.1 Scope of Financial Sector Operational Resilience Regulation, summarises the elements of effective cybersecurity controls as:

  • “response and resilience capabilities” – review, update and test incident response and business continuity plans;
  • “authentication” – protect against unauthorised access; and
  • “system configuration” – securely configure systems and services.

Incident and Reporting Obligations

The prudential regulators issued a rule, effective as of April 2022, requiring financial institutions to notify their primary regulator of any computer security incidents that rise to the level of “notification incidents”. The final rule defines a “notification incident” as a computer security incident that the financial institution believes could “materially disrupt, degrade, or impair”:

  • “the ability of the banking organi[s]ation to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • any business line of a banking organi[s]ation, including associated operations, services, functions and support, [where this] would result in a material loss of revenue, profit, or franchise value; or
  • operations of a banking organi[s]ation, including associated services, functions and support, as applicable – the failure or discontinuance of which would pose a threat to the financial stability of the United States”.

Financial institutions must notify their primary regulator as soon as possible and no later than 36 hours after the financial institution determines that a notification incident has occurred. Each prudential regulator has designated their own points of contact for notification, available on each prudential regulator’s website.

Enforcement of the laws and regulations described in 3.1 Scope of Financial Sector Operational Resilience Regulation begins with the supervisory and examination authority of the prudential regulators. For financial institutions, cybersecurity risks are assessed during the course of a full-scope, on-site examination as part of the financial institution’s routine supervisory cycle or during a specialty examination, such as an IT examination. The prudential regulators have the authority to supervise TSPs, as described in 3.2 ICT Service Provider Contractual Requirements, and TSPs are examined based on their risk level as calculated using a URSIT rating. The examinations of TSPs focus on issues such as management of technology, integrity of data, and confidentiality of information. Financial institutions are entitled to copies of the Report of Examination (ROE) of a TSP with which they have a contract.

Cybersecurity control deficiencies are generally not subject to public enforcement actions by prudential regulators unless the financial institution is subject to a major cybersecurity breach. Instead, the prudential regulators may issue a “matter requiring attention” (MRA), a “matter requiring immediate attention” (MRIA), or – in the case of the FDIC – a “matter requiring board attention” (MRBA), which are confidential supervisory findings that require the financial institution to take corrective action. The board of directors is expected to respond to MRAs, MRIAs, and MRBAs through written responses and progress reports, and the prudential regulators will continue to monitor corrective action until resolved. If the corrective action is not satisfactory to the prudential regulators, MRAs and MRIAs could lead to further formal or informal investigation or enforcement action. Formal enforcement actions may take the form of cease-and-desist orders, civil monetary penalty orders, or other actions.

The primary US restrictions on data transfers are not specific to the financial sector but apply more broadly to a range of identified transaction categories. The restrictions were established via Executive Order 14117 (2024) and implemented via DOJ regulation at Title 28, CFR 202.101 et seq and restrict the transfer of certain categories of bulk sensitive data and government information to identified countries of concern. The executive order also identifies certain control measures for defined categories of sensitive transactions that are not outright forbidden.

While other jurisdictions have implemented cyber-resiliency stress testing as part of their supervisory and review process, the USA does not have an equivalent required scenario stress test. Instead, financial institutions are encouraged to use standardised tools that incorporate industry standards and best practices to determine their cybersecurity risk. These tools include the FFIEC Cybersecurity Assessment Tool (sunsetting in August 2025), the NIST Cybersecurity Framework, the Center for Internet Security Critical Security Controls, and the Financial Services Sector Coordinating Council Cybersecurity Profile.

Legislation around cyber-resilience continues to develop in the USA, as follows.

  • The Federal Reserve, in co-ordination with the OCC and the FDIC, has issued guidance in the form of a paper on operational resilience that includes an appendix of practices for cyber-risk management.
  • Some regulations impose transparency obligations related to cyber-resiliency. By way of example, the SEC requires publicly traded companies to disclose measures taken to manage certain cyber-related risks. NYDFS regulations (described in greater detail in 6.2 Cybersecurity and AI) impose similar disclosure requirements and technical obligations regarding backup systems to promote resiliency.
  • Draft legislation that would create a task force directed to report on conclusions and recommendations related to protecting critical infrastructure from foreign state-sponsored threats has passed one house of Congress.

Draft legislation would create a task force to consider steps that critical infrastructure companies can take to strengthen resilience against foreign state-sponsored attacks (see 4.1 Cyber-Resilience Legislation).

Unlike Europe, the USA does not have any security certification requirements for information and communications technology (ICT) products or services. CISA co-chairs the ICT Supply Chain Risk Management Task Force, a public-private partnership (PPP) that is charged with identifying challenges and solutions for managing risks in the global ICT supply chain. That task force has issued several handbooks and resource guides to help the private sector manage supply chain risk in ICT. Separately, the Federal Communications Commission (FCC) has created a voluntary cybersecurity labelling programme for wireless consumer internet of things (IoT) products – namely, the US Cyber Trust Mark. The Cyber Trust Mark is a label designed to demonstrate to consumers that devices with the label have met robust cybersecurity standards and is expected to launch in 2025.

Federal Data Protection Regulation

At the federal level, the GLBA directs covered financial institutions to provide notices about their information-sharing practices and to implement appropriate safeguards to ensure the security of customer information and protect against unauthorised access to such information. The Safeguards Rule, which is one of the GLBA’s implementing regulations, includes prescriptive security requirements, including implementing a written information security programme. This written information security programme must include risk assessments, access controls, data inventories, encryption, multifactor authentication, logging of access to customer information, regular monitoring and testing, training, and assessments of third-party service providers. The Safeguards Rule also requires covered financial institutions to designate an individual with responsibility for the programme, who must report in writing to the board at least annually. The Safeguards Rule also requires financial institutions to notify the FTC of security breaches involving unauthorised acquisition of at least 500 consumers’ unencrypted information, no later than 30 days after discovering such event.

HIPAA is the primary law that regulates data privacy and security for healthcare providers (see 6.3 Cybersecurity and the Healthcare Sector for more detail).

Additionally, the SEC’s Regulation S-P (“Reg S-P”) requires broker-dealers, investment companies, and registered investment advisers to provide notices about privacy practices, institute written policies and procedures that safeguard customer information, securely dispose of consumer report information, and adequately oversee third-party service providers. Reg S-P was recently amended to require covered entities to implement an incident response plan and provide data breach notifications to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorisation.

State-Level Data Protection Regulation

Many states have passed comprehensive data privacy laws that also include cybersecurity requirements. Typically, these state laws require covered entities to implement reasonable security measures to protect consumer personal data. The California Consumer Privacy Act includes a private right of action for consumers whose unencrypted personal information is subject to a breach of security due to the failure of the business to implement reasonable security measures. Additionally, in November 2024, the California Privacy Protection Agency (CPPA) released a proposed rule that would require covered businesses to conduct annual independent cybersecurity audits, present the results of the audit to senior executives at the business, and submit a certification of the audit to the CPPA.

AI regulation is still nascent, but some government entities are starting to address the cybersecurity implications of AI. Although Congress has not passed any comprehensive AI bill to date, there have been Presidential executive orders on AI and cybersecurity. During the Biden administration, President Biden issued an executive order directing federal entities to implement guidance related to safety and security in the deployment of AI. In November 2024, the DHS released a voluntary framework for how to safely and securely deploy AI in critical infrastructure. However, on his first day in office in 2025, President Trump revoked former President Biden’s executive order that had established initiatives related to the safe deployment of AI. President Trump has since issued two new executive orders on AI, which do not focus on cybersecurity, safety or accountability measures.

At the state level, the NYDFS’s 23 New York Codes, Rules and Regulations (NYCRR) 500 (“Part 500”) includes prescriptive requirements for covered financial services companies to implement cybersecurity safeguards, such as implementing multifactor authentication. In October 2024, the NYDFS issued guidance on how companies can address the emerging security threats from AI. It includes recommendations such as updating employee training to expand awareness of AI-powered social engineering and designing access controls to better withstand deepfakes and other AI-enhanced attacks.

HIPAA is the primary law that regulates data privacy and security for healthcare entities. HIPAA’s Security Rule includes prescriptive requirements for covered entities to implement specific safeguards to ensure the confidentiality, integrity and availability of ePHI, including through risk assessments, encryption, “minimum necessary” access controls, a contingency plan to restore any loss of data, and business associate contracts. In December 2024, the HHS published a Notice of Proposed Rulemaking and announced proposed changes to the Security Rule that would heighten the requirements for covered entities ‒ for example, newly requiring annual penetration testing, as well as a written technology asset inventory mapping the data flows of ePHI within the covered entity’s systems. Shortly after his election, President Trump issued an executive order directing federal agencies to not propose or issue any rule until a department or agency head appointed by President Trump approved such rule. Accordingly, the future of these proposed amendments remains unclear.

Additionally, the HIPAA Breach Notification Rule requires covered entities to provide notification of certain breaches of protected health information to affected individuals, the HHS, and the media.

Through the Health Breach Notification Rule, the FTC separately requires vendors of personal health records and their third-party service providers to report certain breaches to affected individuals and the FTC.

Freshfields

3 World Trade Center
175 Greenwich St
51st Floor
New York
NY 10007
USA

+1 212 277 4000

+1 212 277 4001

beth.george@freshfields.com www.freshfields.us

Trends and Developments


Current Cybersecurity Threats Faced by US Companies and How to Minimise Liability in the Event of a Cyber-Attack

Top of mind for many US cybersecurity executives has been the threat of personal liability for cybersecurity incidents. In late 2023, the SEC charged SolarWinds’ chief information security officer Timothy Brown with defrauding investors by making public statements regarding the company’s cybersecurity standards that he allegedly knew were not accurate. SolarWinds provides cybersecurity software to thousands of companies. In 2020, it suffered a supply chain attack whereby nation-state threat actors were able to insert code into a software update that allowed them to access SolarWinds customers’ networks, leveraging the access that SolarWinds’ software had been granted on those systems.

Relying on internal communications between information security engineers at SolarWinds, in addition to accusing the company of having inadequate internal accounting controls, the SEC alleged that Brown defrauded investors by falsely touting SolarWinds’ cybersecurity strength. Specifically, the SEC alleged Brown was aware that the company’s security controls were weak but he nevertheless approved the company’s risk factors on cybersecurity ‒ which the government described as “generic” ‒ and supported a number of other public statements about the company’s high cybersecurity standards, including blogs and a security statement that was provided to actual and prospective customers.

In 2024, a federal district court dismissed some – but not all – of the charges against Brown. Even though the court disagreed with the SEC’s accusation that the risk factors were “generic”, it did find that the company’s public “security statement” (which was posted on its website and discussed its cybersecurity standards) could be a material statement. Whether the statement was inaccurate, and whether Brown was aware the statement was inaccurate, are issues that the court allowed to proceed to trial.

The SEC case is not the only case in which senior executives have faced personal liability. In 2023, the Federal Trade Commission (FTC) finalised a settlement with Drizly, an app for the delivery of alcohol, that imposed personal liability on its CEO for the company’s security failures. The FTC alleged that Drizly and its CEO implemented woefully inadequate cybersecurity practices at the company, resulting in a data breach affecting more than 2.5 million customers.

In the settlement, which included a consent decree binding the company, the FTC reached an agreement that Drizly CEO James Cory Rellas would be required to implement an information security programme at any future company where he was a majority owner, CEO, or senior officer with information security responsibilities, if that company collected consumer information from more than 25,000 individuals. The settlement ensured that these requirements would follow Rellas to future companies, likely due in part to the fact that Drizly had been acquired by another company.

These cases highlight a newly aggressive posture of regulators towards executives who have cybersecurity responsibility. In the aftermath of the SolarWinds charges, many companies have reviewed their directors’ and officers’ liability insurance to ensure it covers senior security professionals. The cases also highlight the importance of ensuring that executives understand their legal obligations regarding accurate disclosures, including with regard to cybersecurity controls, and the importance of ensuring companies meet certain cybersecurity standards. 

Ransomware

Ransomware continues to be a leading cybersecurity threat for corporations, with several companies reporting multiple attacks within the course of a year. Threat actors in this space have commodified software supporting the attacks – a trend dubbed “ransomware as a service” (RaaS) – thereby making the attacks more accessible and executable by less sophisticated actors.

RaaS is a business model in which cybercriminals provide ransomware tools and services to other attackers, often for a fee or a share of the ransom payments. Essentially, RaaS operators develop and maintain the ransomware software, while affiliates or customers use it to carry out attacks. The RaaS operators typically provide user-friendly interfaces, technical support, and even updates to ensure the ransomware remains effective. This approach has led to an increase in the frequency and scale of ransomware attacks, as it lowers the barrier to entry for cybercriminals and allows them to focus on targeting victims and extorting payments.

Additionally, the RaaS model can make threat actors more unpredictable. Famously, the BlackCat ransomware gang had a very public falling out with one of its affiliates in connection with the Change Healthcare attack that ‒ according to the company’s public statements ‒ may have affected the personal information of approximately 190 million individuals. Reportedly, the company made a USD22 million ransom payment to the BlackCat ransomware gang to try to get services back online and to have the gang delete the company’s stolen data. However, the affiliate who claimed to have given BlackCat access to the company’s network also claimed that BlackCat cheated it out of its share of the ransom. Accordingly, the affiliate did not delete the information that Change Healthcare had reportedly paid BlackCat to return and destroy.

Ransomware demands and payments also continued to climb in 2024, reflecting the evolution and aggressiveness of cybercriminals’ tactics. Ransomware attacks increased in both frequency and scale that year, with the average ransom demand reaching more than USD3 million and the average ransom paid estimated at more than USD9.5 million. The increase in ransomware payments has been largely driven by the continued success of double-extortion schemes, whereby attackers exfiltrate data before encrypting it and then threaten to release sensitive information if ransoms are not paid, in addition to seeking payment for the decryption keys.

Ransomware attackers have also threatened to deploy distributed denial-of-service attacks, or threatened employees and customers of victims, so as to apply additional pressure on companies. Some attackers have even notified regulatory authorities of victims’ data breaches, using the law as a means of exerting pressure. The emergence of new ransomware groups and variants, including rebranded ransomware groups, has also contributed to the record-breaking number of incidents and payments.

There have been ongoing law enforcement efforts, including a successful 2024 takedown of infrastructure used by LockBit, a leading ransomware group. Nevertheless, the overall threat continues to grow, increasing pressure on companies to have plans in place for detecting ransomware attacks and for sophisticated recovery.

Supply chain attacks

Beyond ransomware attacks, supply chain attacks continue to be a significant issue. Hackers have found that third-party vendors (including security vendors) can create successful avenues of attack, allowing them to leverage the access and service deliveries those vendors have to their customers and so expand their attack surface. In addition to the SolarWinds attack, in June 2023, a significant cyber-attack exploited a vulnerability in the managed file transfer software MOVEit. The vulnerability allowed attackers to steal files from organisations through SQL (structured query language) injection on public-facing servers. This breach affected thousands of organisations and millions of individuals ‒ including government agencies, media outlets, and organisations in other sectors ‒ and was considered one of the largest supply chain attacks to date. The Cl0p ransomware gang, a Russian-affiliated cyber group, claimed responsibility for the attack.

Cyber-attacks on and exploitation of vulnerabilities at vendors have resulted in significant losses for their customers. In fact, supply chain risk has become such a significant issue that the US National Institute of Standards and Technology (NIST) released its first major update of the NIST Cybersecurity Framework, incorporating practices to manage cybersecurity risks within and across organisations’ supply chains.

Supply chain attacks can be more challenging to investigate, as an affected customer may have limited visibility into an attack on a third-party vendor and limited control over the vendor’s investigation. Companies need to assess which of their vendors have the greatest access to their systems – and thus are the highest risk – in order to identify the greatest risks posed by supply chain attacks. By focusing on those highest-risk areas, companies can develop mitigations by placing technical limitations and increased monitoring on those vendors as well as by requiring the vendors to engage in robust cybersecurity practices, in addition to potentially shifting liability through contractual agreements.

Cybersecurity and AI

Cybercriminals are increasingly using AI to automate and target their attacks. This allows them to carry out individualised mass phishing attacks tailored to their targets ‒ not only greatly increasing the efficiency of the attacks, but also allowing well-organised threat actors to automatically create fake login pages that are virtually indistinguishable from the legitimate pages. Additionally, research has indicated that the use of AI will significantly improve the capability of threat actors to crack passwords.

AI also allows threat actors to replicate proofs of concept or other types of successful attacks more quickly. By way of example, if a zero-day vulnerability is identified, the amount of time for threat actors to identify and target companies with such vulnerabilities in their systems is becoming shorter. The dwell time that threat actors are in a company’s systems is also decreasing, as AI allows threat actors to identify data that appears to be valuable more efficiently and thus extract that data more quickly.

There is some good news, however. AI is increasingly being leveraged in cyberdefence to enhance the detection and prevention of cyberthreats and enhance the response to such threats. One of the primary applications of AI in this field is the identification and quarantine of suspicious emails that may be part of phishing campaigns. AI-powered tools use machine-learning algorithms to analyse email content and detect phishing attempts by identifying patterns and anomalies that are indicative of malicious intent.

Another significant application of AI in cyberdefence is the detection of vulnerabilities and malicious or anomalous activity within a company’s systems. These tools utilise AI to monitor network traffic and identify unusual behaviour that could signify a cyber-attack. By continuously learning from the network’s normal behaviour, these tools can quickly detect deviations and alert security teams to potential threats.

Although AI tools and systems can benefit companies, cybersecurity plays a crucial role in ensuring that AI systems are resilient to attempts by malicious third parties to exploit the system’s vulnerabilities and thereby alter the system’s behaviour, performance or security properties. Cyber-attacks against AI systems can exploit AI-specific assets, such as training data sets or trained models, but also vulnerabilities in the AI system’s (underlying) digital assets or the underlying ICT (information and communications technology) infrastructure. To address these risks, the EU AI Act requires certain high-risk AI systems to meet a specific cybersecurity standard.

Insider threats

With the increase in remote work and readily available AI tools during the past few years, there has also been an uptick in insider threat risk from nation state actors. North Korea, in particular, has been exploiting the recruitment and onboarding processes to install thousands of fraudulent remote IT workers at companies. These fraudsters typically use falsified or stolen identities to secure their positions. The wide availability of AI tools reportedly has increased this trend, as these tools help the fraudulent IT workers to create convincing profiles and evade detection during the hiring process.

Once hired, these fraudulent IT workers can remotely access company systems within the scope of their job responsibilities and steal proprietary information, which they can then use to extort payment from the victim company. Alternatively, fraudulent IT workers can deploy malware within the network or create backdoor access into the company’s network for future cyber-espionage campaigns, as they often have deeply embedded and difficult-to-detect access to company systems. Additionally, this creates sanctions risk, given that the US Treasury’s Office of Foreign Assets Control recently advised that the vast majority of these fraudulent IT workers’ earnings were used to fund North Korea’s weapons of mass destruction and ballistic missile programmes.

Mitigation measures

While cyber-attacks such as ransomware, supply chain attacks, and insider threats are pervasive, there are measures that companies can take to mitigate the impacts of such incidents, including:

  • regularly updating and patching systems ‒ given that exploited vulnerabilities are one of the most common attack vectors and easily accessible AI tools are increasing the rate at which zero-day vulnerabilities are exploited;
  • conducting employee training on phishing and social engineering, as phishing is another of the most common attack vectors;
  • using advanced threat detection and response tools, as industry research and statistics show that the cost of responding to incidents is significantly lower for companies that have deployed such tools within their systems;
  • maintaining an asset inventory to ensure the company has visibility of all its endpoints and across its systems;
  • implementing network segmentation, including by following the principle of least privilege and limiting third-party access to systems and data;
  • sufficiently logging and monitoring, which is crucial for any investigation and can help identify anomalous behaviour that could signal an insider threat risk; and
  • regularly backing up critical data and testing those back-ups to help minimise the impact of ransomware and increase the likelihood that the company can recover without making a ransom payment.

Leveraging these practices as part of a comprehensive information security programme may not prevent all incidents. However, such practices can minimise damage if a cyber-attack occurs, which ‒ in turn ‒ can minimise liability (including personal liability) in relation to a cyber-attack.
