Chapter 3 of 10

Module 3: U.S. Federal Cybersecurity and Privacy Authorities

Survey the key U.S. federal authorities that impact cybersecurity and data protection, with emphasis on the FTC Act, sectoral laws, and recent federal initiatives.

15 min read

Orienting to U.S. Federal Cybersecurity & Privacy Authority

In this module, you connect the global map (Module 1) and core standards (Module 2) to the U.S. federal system.

Key idea: There is no single U.S. GDPR-style law. Instead, federal privacy and cybersecurity rules are:

  • General authority: Mainly the Federal Trade Commission (FTC) using Section 5 of the FTC Act against unfair or deceptive practices.
  • Sectoral laws: Specific laws for financial, health, children, credit reporting, etc.
  • Recent initiatives: Executive orders, federal agency rules, and proposed comprehensive privacy bills, especially the American Privacy Rights Act (APRA) proposal debated in Congress in 2024–2025.

You’ll learn to:

  • Explain how FTC Section 5 shapes data security and privacy expectations.
  • Identify which sectoral law applies to which type of entity.
  • Summarize the goals and potential impact of APRA and similar bills.

Visualize this like a layered cake:

  1. Bottom layer – General unfair/deceptive practices (FTC Act).
  2. Middle layer – Sectoral laws (GLBA, HIPAA, COPPA, FCRA, etc.).
  3. Top layer – New initiatives and proposed comprehensive laws (APRA).

Step 1 – FTC Act Section 5: The Backbone

The Federal Trade Commission Act (FTC Act) dates from 1914, but it has become the central federal tool for enforcing data privacy and security expectations.

Section 5 – Core Rule

Section 5 prohibits:

  • Unfair acts or practices in or affecting commerce
  • Deceptive acts or practices in or affecting commerce

Applied to cybersecurity and privacy, the FTC argues:

  • Unfair: Security or privacy practices that cause (or are likely to cause) substantial consumer injury that consumers cannot reasonably avoid, and that are not outweighed by benefits.
  • Deceptive: Misleading statements or omissions about privacy or security that are material to consumers.

Why this matters

Because the U.S. lacks a single federal privacy statute, the FTC uses Section 5 to:

  • Enforce “reasonable security” expectations (linking to Module 2).
  • Police misleading privacy policies, cookie banners, and data-sharing claims.

As of early 2026, the FTC has brought hundreds of cases using Section 5 to shape what counts as baseline security and privacy hygiene for companies across many sectors.

Step 2 – How Section 5 Works in Real Cases

Let’s walk through two simplified, realistic FTC scenarios.

Example 1 – Deceptive Security Promises

Scenario: A VPN provider advertises “military-grade security” and says it “never logs user activity.” In reality:

  • It stores detailed connection logs.
  • It uses outdated encryption and is breached.

FTC’s likely view:

  • Deception: The privacy policy and marketing misrepresented security practices and logging.
  • The company could face an FTC enforcement action, leading to:
    • A consent order (a long-term settlement, typically 20 years of compliance obligations).
    • Requirements to implement a comprehensive security program and undergo independent assessments.

Example 2 – Unfair Security Practices

Scenario: An online retailer:

  • Stores credit card numbers unencrypted.
  • Uses default passwords for admin accounts.
  • Has no access controls or monitoring.
  • Gets hacked; thousands of cards are stolen.

FTC’s likely view:

  • Unfairness: The retailer’s practices are unreasonable given the sensitivity of credit card data.
  • Consumers suffer financial harm they cannot reasonably avoid.

This connects directly to “reasonable security” from Module 2: the FTC uses its cases to define and update what counts as reasonable.

When you read an FTC complaint, look for:

  • Specific security failures (e.g., no MFA, no encryption, no patching).
  • How the FTC links those failures to consumer harm.
  • Any misleading statements in the privacy policy or marketing.

Step 3 – Spotting Unfair vs. Deceptive Practices

Read the short scenarios and decide whether the FTC would more likely frame the problem as unfair, deceptive, or both.

  1. Scenario A: A health app says: “We only share your data with your consent.” In reality, it shares detailed health metrics with advertisers without clear consent.
     • Your classification: `unfair`, `deceptive`, or `both`?
  2. Scenario B: A small e-commerce site never makes any claims about security. It stores passwords in plain text and gets breached.
     • Your classification: `unfair`, `deceptive`, or `both`?
  3. Scenario C: A social network promises “industry-leading security” and “end-to-end encryption” in messages, but only uses HTTPS in transit and stores messages unencrypted on its servers.
     • Your classification: `unfair`, `deceptive`, or `both`?

Suggested answers (self-check):

  • Scenario A: Deceptive (false consent claim) and possibly unfair (sensitive data misuse).
  • Scenario B: Most clearly unfair (no deceptive statement, but unreasonable security).
  • Scenario C: Deceptive (misleading encryption claim) and potentially unfair (weak security vs. expectations).

When analyzing future cases, always ask:

  • What was said or promised? (Deception analysis)
  • What was actually done, and what risks/harm resulted? (Unfairness analysis)

Step 4 – Sectoral Laws: Why the U.S. Is a Patchwork

Instead of one comprehensive law, the U.S. uses sector-specific statutes that cover certain industries, data types, or activities.

Think of them as “mini-GDPRs” for specific domains, each with its own:

  • Covered entities (who must comply)
  • Covered data (what kind of information)
  • Security and privacy requirements
  • Enforcers (FTC, HHS, CFPB, banking regulators, etc.)

We’ll focus on four major ones:

  1. GLBA – Financial privacy and security
  2. HIPAA – Health information
  3. COPPA – Children’s online privacy
  4. FCRA – Credit reporting and related uses

These laws often coexist with FTC Section 5. For example, a bank might be covered by GLBA and also face FTC enforcement for unfair or deceptive practices (or enforcement by banking regulators).

Step 5 – Sectoral Regimes in Practice (GLBA, HIPAA, COPPA, FCRA)

Here are the core sectoral laws and how they apply in real life.

1. GLBA – Gramm–Leach–Bliley Act (Financial Services)

  • Who? Banks, credit unions, mortgage lenders, many fintechs, and some non-bank financial institutions.
  • What? Nonpublic personal information (NPI) about consumers’ financial relationships.
  • Key rules:
    • Privacy Rule – Notice and limits on sharing NPI.
    • Safeguards Rule – Requires administrative, technical, and physical safeguards to protect customer information.
  • Recent update: The FTC’s updated Safeguards Rule compliance dates ran through 2023–2024, tightening requirements (e.g., risk assessments, encryption, MFA) for many non-bank financial institutions.

Example: A loan servicer must:

  • Maintain a written information security program (WISP).
  • Perform risk assessments and monitor service providers.

---

2. HIPAA – Health Insurance Portability and Accountability Act

  • Who? Covered entities (health plans, most healthcare providers, clearinghouses) and business associates (vendors handling PHI for them).
  • What? Protected health information (PHI) – identifiable health data.
  • Key rules:
    • Privacy Rule – When PHI can be used/disclosed.
    • Security Rule – Safeguards for electronic PHI (ePHI).
    • Breach Notification Rule – Notice to individuals, HHS, and sometimes the media.
  • Enforcer: U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Example: A cloud provider storing medical records for a hospital:

  • Must sign a Business Associate Agreement (BAA).
  • Must implement access controls, audit logs, encryption, etc.

Note: Many consumer health apps (e.g., fitness trackers) are not covered by HIPAA; they may instead fall under FTC and state laws.

---

3. COPPA – Children’s Online Privacy Protection Act

  • Who? Operators of websites/apps directed to children under 13, or general-audience sites that know they collect data from under-13 users.
  • What? Personal information of children under 13.
  • Key rules:
    • Obtain verifiable parental consent before collecting personal data from children.
    • Provide clear privacy notices.
    • Maintain reasonable security for children’s data.
  • Enforcer: FTC (and state attorneys general).

Example: A kid-focused gaming app must:

  • Ask for parental consent before collecting name, email, or location.
  • Use age-gating and avoid unnecessary tracking.

---

4. FCRA – Fair Credit Reporting Act

  • Who? Consumer reporting agencies (CRAs), data furnishers, and users of consumer reports (e.g., lenders, landlords, employers).
  • What? Consumer reports used for credit, employment, insurance, etc.
  • Key rules:
    • Accuracy, fairness, and privacy of credit information.
    • Limits on who can access reports (must have a permissible purpose).
    • Rights for consumers to dispute errors.
  • Enforcers: FTC, Consumer Financial Protection Bureau (CFPB), state AGs.

Example: A background-check company must:

  • Use reasonable procedures to ensure accuracy.
  • Safeguard reports against unauthorized access.

Step 6 – Match the Scenario to the Sectoral Law

For each scenario, decide which federal sectoral law is most clearly implicated. (Some could involve multiple laws, but pick the best fit.)

  1. Scenario 1: A telehealth platform connects patients with doctors and stores video session notes and prescriptions.
     • Best match: `GLBA`, `HIPAA`, `COPPA`, or `FCRA`?
  2. Scenario 2: A website with cartoon games for kids under 10 collects usernames, emails, and geolocation.
     • Best match: `GLBA`, `HIPAA`, `COPPA`, or `FCRA`?
  3. Scenario 3: A credit bureau maintains credit files and sells credit reports to banks and landlords.
     • Best match: `GLBA`, `HIPAA`, `COPPA`, or `FCRA`?
  4. Scenario 4: A non-bank lender (like a payday lender) collects SSNs and income data to issue loans.
     • Best match: `GLBA`, `HIPAA`, `COPPA`, or `FCRA`?

Suggested answers (self-check):

  1. Scenario 1 → HIPAA (telehealth with PHI, assuming covered entities/business associates).
  2. Scenario 2 → COPPA (online service directed to children under 13).
  3. Scenario 3 → FCRA (consumer credit reporting).
  4. Scenario 4 → GLBA (non-bank financial institution handling NPI).

Step 7 – Recent Federal Cybersecurity & Privacy Initiatives

Beyond the FTC and sectoral laws, the U.S. has seen a wave of federal cybersecurity and privacy initiatives in the early–mid 2020s. These do not always create broad consumer privacy rights, but they raise security baselines and signal federal priorities.

Some key developments (relative to early 2026):

  1. Cybersecurity Executive Orders and Strategies
     • The 2021 Executive Order on Improving the Nation’s Cybersecurity pushed:
       • Zero Trust architectures for federal systems.
       • Better software supply chain security (e.g., SBOMs – Software Bills of Materials).
     • The National Cybersecurity Strategy (2023) emphasized:
       • Shifting more responsibility for security onto software and infrastructure providers.
       • Using regulation and procurement to drive better security.
  2. Critical Infrastructure Rules
     • Sector-specific agencies (e.g., CISA, TSA, FERC) have issued or updated rules for sectors like pipelines, electric utilities, and transportation, focusing on:
       • Incident reporting.
       • Minimum cybersecurity practices.
  3. Federal Data Privacy & AI Guidance
     • Federal agencies (FTC, CFPB, HHS, etc.) have issued guidance on topics like:
       • AI and automated decision-making (bias, transparency, data quality).
       • Health apps and trackers that fall outside HIPAA but still raise privacy concerns.

These initiatives do not replace FTC Section 5 or sectoral laws; instead, they layer on top, especially for critical infrastructure and federal contractors, and they influence what courts and agencies see as “reasonable” security.

Step 8 – Toward Comprehensive Federal Privacy: APRA and Other Proposals

Since the late 2010s, Congress has repeatedly debated comprehensive federal privacy legislation. Several bills have appeared, but as of early 2026, none has been enacted.

The most prominent recent effort was the American Privacy Rights Act (APRA), debated in 2024–2025.

Core Goals of APRA (as proposed)

While drafts changed over time, APRA-type proposals generally aimed to:

  • Create baseline privacy rights nationwide (access, correction, deletion, portability).
  • Establish data minimization and purpose limitation duties.
  • Require privacy by design and reasonable security.
  • Give individuals some form of private right of action (ability to sue).
  • Preempt some state privacy laws while preserving certain state protections.

Why APRA Matters Even If Not Enacted

Even though APRA had not become law by early 2026, it is important because it:

  • Shows Congress’s direction of travel on privacy.
  • Influences how companies design privacy programs (they often prepare as if a comprehensive law could pass).
  • Shapes debates about federal vs. state roles (e.g., California’s CCPA/CPRA, Colorado, Virginia, and other state laws).

For this course, treat APRA as a case study:

  • How would a comprehensive federal law interact with FTC Section 5 and sectoral laws?
  • What rights would it give individuals beyond what they currently have at the federal level?

Step 9 – Quick Check: FTC vs. Sectoral Laws vs. APRA

Test your understanding of how the main federal authorities fit together.

A health-tracking app (not affiliated with any hospital) misrepresents that it “never shares data with third parties,” but it actually shares step counts and heart rate data with advertisers. Which authority is MOST clearly available to federal regulators right now (early 2026)?

  A. FTC Act Section 5 for deceptive practices
  B. HIPAA Security Rule for ePHI
  C. American Privacy Rights Act (APRA)
  D. FCRA obligations for consumer reporting agencies

Answer: A) FTC Act Section 5 for deceptive practices

Because the app is not acting as a HIPAA covered entity or business associate, HIPAA likely does not apply. APRA has not been enacted as of early 2026. FCRA covers credit reporting, not general health apps. The FTC can use **Section 5** to pursue **deceptive** statements in the privacy policy and marketing.

Step 10 – Flashcard Review

Use these flashcards to reinforce key terms and authorities from this module.

FTC Act Section 5 – Unfair Practices
Prohibits acts or practices that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable and not outweighed by benefits. Used to enforce **reasonable security** expectations.
FTC Act Section 5 – Deceptive Practices
Prohibits materially misleading statements or omissions. In privacy/security, covers **false or misleading privacy policies, consent claims, and security promises**.
GLBA Safeguards Rule
FTC rule under the Gramm–Leach–Bliley Act requiring many financial institutions to implement a **comprehensive information security program** with administrative, technical, and physical safeguards.
HIPAA Covered Entity
A health plan, most healthcare providers, or a healthcare clearinghouse that transmits health information electronically in connection with certain transactions. Must comply with HIPAA Privacy, Security, and Breach Notification Rules.
COPPA Scope
Applies to operators of websites or online services **directed to children under 13** or that **know** they collect personal data from children under 13. Requires parental consent and reasonable security.
FCRA – Core Purpose
Regulates the **collection, accuracy, and use of consumer report information** for credit, employment, insurance, and similar purposes. Ensures fairness, accuracy, and privacy in credit reporting.
American Privacy Rights Act (APRA)
A major **proposed** comprehensive federal privacy bill debated around 2024–2025. Aims to create nationwide privacy rights and duties but had **not been enacted** as of early 2026.
Sectoral U.S. Privacy Model
The U.S. approach where privacy and cybersecurity rules are organized by **sector or data type** (e.g., financial, health, children, credit) rather than a single comprehensive law.

Step 11 – Apply It: Designing a Compliance Snapshot

Imagine you are advising a mid-sized U.S. fintech startup that:

  • Offers a mobile app to help users manage bank accounts and credit cards.
  • Aggregates data from multiple banks via APIs.
  • Uses AI models to suggest budgeting tips.

Task: In your notes, sketch a one-page compliance snapshot by answering:

  1. Which federal laws/authorities are most relevant?
     • Consider: FTC Section 5, GLBA, FCRA, COPPA, HIPAA, APRA.
  2. What security expectations apply?
     • Think about: GLBA Safeguards Rule, FTC’s concept of reasonable security, any relevant guidance.
  3. What privacy promises should they avoid making?
     • Examples: Overbroad “we never share your data” claims, vague security claims like “bank-level security” without backing.
  4. How would a comprehensive law like APRA (if enacted) change your advice?
     • Consider: New individual rights, data minimization, purpose limitation, and preemption of some state laws.

When you’re done, compare your notes back to the module:

  • Did you correctly identify GLBA and FTC Section 5 as central?
  • Did you avoid relying on HIPAA or FCRA unless clearly relevant?
  • Did you think about how future federal laws could require more robust privacy programs?

Key Terms

Unfair Practice
Under FTC law, an act or practice that causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers and not outweighed by benefits to consumers or competition.
FTC Act Section 5
The core provision of the Federal Trade Commission Act that prohibits unfair or deceptive acts or practices in or affecting commerce. Used extensively to enforce privacy and data security expectations.
Deceptive Practice
A representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances and that is material to their decisions.
Reasonable Security
A flexible standard requiring organizations to implement security measures appropriate to the sensitivity of the data, the size and complexity of the organization, and the risks involved. Defined in practice through statutes, regulations, and enforcement actions.
Sectoral Privacy Model
An approach to privacy regulation where different laws govern specific sectors (such as finance, health, children, and credit) rather than one comprehensive cross-sector law.
FCRA (Fair Credit Reporting Act)
A U.S. law that regulates the collection, dissemination, and use of consumer report information, promoting accuracy, fairness, and privacy in credit reporting.
GLBA (Gramm–Leach–Bliley Act)
A U.S. federal law governing the privacy and security of consumers’ financial information held by financial institutions. Includes the Privacy Rule and the Safeguards Rule.
American Privacy Rights Act (APRA)
A proposed comprehensive federal privacy bill debated in 2024–2025 that would create nationwide privacy rights and obligations. It had not been enacted as of early 2026 but influences policy and compliance planning.
Protected Health Information (PHI)
Individually identifiable health information held or transmitted by a HIPAA covered entity or business associate, in any form or medium.
Nonpublic Personal Information (NPI)
Personally identifiable financial information provided by a consumer to a financial institution, resulting from a transaction, or otherwise obtained by the institution, protected under GLBA.
COPPA (Children’s Online Privacy Protection Act)
A U.S. law that protects the online privacy of children under 13 by requiring parental consent and reasonable security for the collection and use of their personal information.
HIPAA (Health Insurance Portability and Accountability Act)
A U.S. law that sets standards for the privacy and security of protected health information (PHI) held by covered entities and their business associates.