Data security & breach response

17 laws across all jurisdictions

US Federal (9)
Computer Fraud and Abuse Act
CFAA
The federal anti-hacking statute (18 U.S.C. § 1030). Criminalizes accessing a computer without authorization or exceeding authorized access, and creates a civil cause of action that companies use against former employees and competitors who misuse credentials. Since Van Buren v. United States (2021), "exceeds authorized access" covers only reaching files, folders, or systems that are off-limits to the user, not using information the user was permitted to access for an improper purpose, so an acceptable-use-policy violation on its own generally does not support a CFAA claim.
data-security-breach
Cyber Incident Reporting for Critical Infrastructure Act
CIRCIA
Requires covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and ransomware payments within 24 hours of making them. The reporting obligations do not take effect until CISA's final implementing rule is in force; a proposed rule was published in April 2024 and the final rule is still pending. Applies to entities in the 16 critical infrastructure sectors, including IT, communications, financial services, and energy. Tech companies operating critical infrastructure or providing services to those that do should monitor CISA's rulemaking and build the incident-reporting workflow now rather than after the rule lands.
data-security-breach
Cybersecurity Maturity Model Certification
CMMC
DoD-specific cybersecurity certification requirement for defense contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The program rule took effect in December 2024 and the contracting rule that places CMMC requirements in solicitations took effect in November 2025, with a phased rollout over three years. Three levels: Level 1 (basic, the 15 FAR 52.204-21 safeguarding requirements, annual self-assessment), Level 2 (advanced, the 110 controls of NIST SP 800-171, third-party C3PAO assessment for most contracts), and Level 3 (expert, a subset of NIST SP 800-172 on top of Level 2, assessed by DoD's DIBCAC). Any company in the defense industrial base, including software vendors, IT service providers, and cloud providers touching DoD systems, must determine which level applies to the contracts it pursues and record its status in SPRS. Non-compliance means ineligibility for award of contracts that carry the requirement.
data-security-breach
Electronic Communications Privacy Act
ECPA
Governs how the government and private parties may access electronic communications and stored data. Its three titles cover real-time interception (the Wiretap Act), stored communications and subscriber records held by service providers (the Stored Communications Act), and pen registers and trap-and-trace devices for collecting dialing, routing, and addressing metadata. It is the primary federal statute protecting the privacy of digital communications, and it matters for defenders as well as attackers: network monitoring, e-mail scanning, and logging of user traffic must fit within one of its exceptions, such as user consent or the service-provider exception. Applies to any entity that intercepts, accesses, or stores electronic communications.
data-security-breach
Federal Risk and Authorization Management Program
FedRAMP
A government-wide program establishing security assessment standards for cloud services used by federal agencies, built on the NIST SP 800-53 control catalog. It imposes no obligation on vendors directly (the program was codified by the FedRAMP Authorization Act of 2022, which directs agencies to use it), but it is effectively mandatory if you want to sell cloud services to the federal government. Authorization is expensive and time-consuming but creates a significant competitive moat, since relatively few cloud providers have full authorization. Managed by the FedRAMP program office within GSA. Impact levels Low, Moderate, and High follow the FIPS 199 categorization of the data processed, with the number of required controls rising at each level.
data-security-breach
Gramm-Leach-Bliley Act
GLBA
Requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The FTC's Safeguards Rule (16 CFR Part 314, as amended in 2021) mandates specific administrative, technical, and physical security measures, including a designated qualified individual, a written risk assessment, access controls, encryption of customer information in transit and at rest, multi-factor authentication, and a written incident response plan. A 2024 amendment adds breach reporting: a notification event affecting at least 500 consumers must be reported to the FTC as soon as possible and no later than 30 days after discovery. Non-bank financial institutions such as fintechs, lenders, and payment processors fall under the FTC's rule; banks answer to their prudential regulators' parallel guidance.
data-security-breach
Health Information Technology for Economic and Clinical Health Act
HITECH
Strengthened HIPAA enforcement and extended HIPAA's Security Rule obligations and civil penalties directly to business associates. Introduced tiered civil penalties keyed to the level of culpability, created the breach notification requirement later implemented in HIPAA's Breach Notification Rule, and required HHS to conduct periodic audits of covered entities and business associates. Relevant to any tech company that is or may become a HIPAA business associate.
data-security-breach
Health Insurance Portability and Accountability Act
HIPAA
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information (PHI) must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations: the Security Rule requires a documented risk analysis and administrative, physical, and technical safeguards for electronic PHI, and the Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after discovery, notifying HHS (within the same 60 days for breaches affecting 500 or more people, otherwise annually), and notifying prominent media outlets for breaches affecting more than 500 residents of a state. HIPAA's definitions of "covered entity" and "business associate" are broader than most tech founders assume: a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed business associate agreement (BAA). HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.
data-security-breach
NIST Cybersecurity Framework 2.0
NIST CSF
A voluntary framework, not a law, but one that practically functions as a de facto compliance standard. It is referenced in state "safe harbor" statutes such as Ohio's Data Protection Act, which grants an affirmative defense to entities whose written cybersecurity program reasonably conforms to it; it is required or strongly encouraged for federal contractors; and courts and regulators use it to assess the reasonableness of cybersecurity programs. CSF 2.0, released in February 2024, adds a Govern function to the original five (Identify, Protect, Detect, Respond, Recover), and its Respond and Recover functions map directly onto incident-response and breach-recovery planning. Any tech company should understand this framework before claiming to have "reasonable" security.
data-security-breach
International (8)
Security of Critical Infrastructure Act 2018
SOCI Act
Governs cybersecurity obligations for critical infrastructure sectors in Australia, including communications, data storage and processing, financial services, and technology (the list of sectors has been extended well beyond the 2018 original). It requires responsible entities to register their assets, maintain a critical infrastructure risk management program, and report cyber incidents to the Australian Signals Directorate: within 12 hours for an incident with a significant impact on the asset and within 72 hours for an incident with a relevant impact. It also gives the government assistance and intervention powers during serious cyber incidents. Applies to owners and operators of critical infrastructure assets in Australia.
data-security-breach
General Data Protection Regulation
GDPR
The EU's landmark data protection regulation and the global benchmark for privacy law. It establishes comprehensive rules for collecting, processing, and transferring personal data, with fines of up to €20 million or 4% of global annual turnover, whichever is higher. For security teams the key provisions are Article 32 (security of processing, requiring measures appropriate to the risk, such as encryption and pseudonymisation), Article 33 (notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals), and Article 34 (notifying affected individuals without undue delay when the breach is likely to result in a high risk). Applies to any organization processing personal data of individuals in the EU, regardless of where the organization is located.
data-security-breach
Privacy Protection Regulations (Data Security) 2017
Privacy Protection Regulations
Detailed security regulations under Israel's Protection of Privacy Law, specifying the technical and organizational measures required for databases at four security levels (databases managed by an individual, basic, medium, and high). Requirements scale with the sensitivity and size of the data held and include a database definition document, access control, logging, and, at the higher levels, periodic risk surveys and penetration tests; owners of medium- and high-level databases must report severe security incidents to the Privacy Protection Authority. Applies to all database owners and holders in Israel.
data-security-breach
Computer Misuse Act
SG CMA
Criminalizes unauthorized access to, modification of, and interference with computer systems in Singapore, including denial-of-service style "unauthorized obstruction" of a computer's use. Later amendments added offences for dealing in personal information obtained through a computer misuse offence, for dealing in items (such as malware or credentials) intended for use in committing one, and for misuse of Singpass credentials. Applies to offenses committed within Singapore or targeting computers, programs, or data located there, including acts committed from abroad.
data-security-breach
Cybersecurity Act
SG Cybersecurity Act
Establishes a regulatory framework, administered by the Cyber Security Agency of Singapore (CSA), for the oversight and protection of critical information infrastructure. CII owners must comply with codes of practice, conduct regular risk assessments and audits, and report prescribed cybersecurity incidents to CSA promptly (the regulations set an initial notification deadline of two hours after becoming aware of the incident, with a fuller report to follow). A 2024 amendment extended CSA's reach beyond CII to providers of essential services that rely on third-party computing such as cloud, to foundational digital infrastructure, and to entities of special cybersecurity interest. Applies to owners and operators of designated critical information infrastructure and the newly regulated classes.
data-security-breach
Act on Promotion of Information and Communications Network Utilization and Information Protection
Network Act
Imposes network security, user protection, and consent obligations on providers of information and communications services in South Korea, enforced by the Korea Communications Commission and the Ministry of Science and ICT. One of Asia's earliest comprehensive internet regulatory frameworks; since the 2020 "Data 3" amendments its personal data provisions have been consolidated into the Personal Information Protection Act (PIPA), so today it mainly governs network and service security and the reporting of intrusion incidents to the authorities.
Official source is in Korean
data-security-breach
Computer Misuse Act 1990
CMA 1990
The UK's primary cybercrime statute, criminalizing unauthorized access to computer material (section 1), unauthorized access with intent to commit further offences (section 2), unauthorized acts with intent to impair the operation of a computer (section 3, covering malware and denial of service), unauthorized acts causing or risking serious damage (section 3ZA, added in 2015), and making, supplying, or obtaining articles for use in these offences (section 3A, added in 2006). It was one of the first laws of its kind when enacted in 1990, and its broad section 1 offence is why UK penetration testers insist on written authorization that scopes exactly which systems may be touched. Applies to offenses with a significant link to the United Kingdom, including attacks from abroad on systems located there.
data-security-breach
UK General Data Protection Regulation
UK GDPR
The retained EU GDPR as incorporated into UK law after Brexit, read alongside the Data Protection Act 2018. It is substantively similar to the EU version, including the 72-hour breach notification to the regulator, but is enforced by the UK Information Commissioner's Office (ICO), with fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. Companies serving both EU and UK markets must comply with both versions independently, which in practice means two breach notifications (to the ICO and to the relevant EU supervisory authority) and separate international transfer mechanisms. Applies to all organizations processing personal data of individuals in the United Kingdom.
data-security-breach
