Information security laws are designed to protect personally identifiable information or sensitive personal information from compromise: from unauthorized disclosure, acquisition, or access, and from other situations in which unauthorized persons have actual or potential access to that information for unauthorized purposes.
No single federal law or regulation governs the security of all types of sensitive personal information. Which federal law, regulation, or guidance applies depends in part on the entity or sector that collected the information and on the type of information collected and regulated. Under federal law, certain sectors are legally obligated to protect certain types of sensitive personal information. These obligations were created, in large part, when federal privacy legislation was enacted in the credit, financial services, health care, government, securities, and Internet sectors. Federal regulations were then issued requiring certain entities to implement information security programs and to provide breach notice to affected persons.
For example, there are federal information security requirements applicable to all federal government agencies (FISMA) and a federal information security law applicable to a single federal department (Veterans Affairs).
In the private sector, different laws apply to entities engaged in different lines of business. This is what is commonly referred to as a sectoral approach to the protection of personal information.
- Thomas J. Smedinghoff, “The New Law of Information Security: What Companies Need To Do Now,” 22 Computer & Internet Lawyer 9 (Nov. 2005).