In the U.S. data privacy and security regulation is legislated by sector (or type of data), resulting in a series of data protection laws that address privacy and security needs of specific categories of data. Some of the main federal laws that provide for data protection include the Health Insurance Portability and Accountability Act (medical records), the Family Educational Rights and Privacy Act (educational records), the Fair Credit Reporting Act (consumer reporting data), and the Federal Information Security Management Act (FISMA) (federal data).
State laws also provide for data protection and include legislation, for example, on data security breaches and protection measures for sensitive personal information such as social security numbers.
U.S. treatment of data protection is accomplished by sector and so definitions of what kinds of data are covered will vary from one law to the next. Generally, however, the following kinds of personally identifiable information receive protection under one or more U.S. laws:
- educational data
- financial records
- medical history
- criminal history
- employment history
- any data that can be used to determine someone’s identity including name, social security number, date and place of birth, and mother’s maiden name.