3 Cybersecurity Requirements for Specific Industries
Chapters 1 and 2 covered the general data security obligations that all U.S. companies face under Section 5 of the FTC Act, state data security laws, and common‐law torts that could lead to class action lawsuits and other litigation. These requirements apply equally to companies regardless of their industry.
In addition to these general data security requirements, companies that handle particularly sensitive information or operate in industries that carry particularly high national security risks face more stringent requirements. This chapter covers nine such prominent legal requirements for sensitive information: (1) the Gramm‐Leach‐Bliley Act Safeguards Rule for financial institutions, (2) the New York Department of Financial Services cybersecurity regulations, (3) the Red Flags Rule for certain creditors and financial institutions, (4) the Payment Card Industry Data Security Standard (PCI DSS) for credit and debit card information, (5) California's Internet of Things cybersecurity law, (6) the Health Insurance Portability and Accountability Act (HIPAA) Security Rule for certain health‐related information, (7) Federal Energy Regulatory Commission guidelines for electric grid cybersecurity, (8) Nuclear Regulatory Commission cybersecurity requirements for nuclear reactor licensees, and (9) South Carolina's insurance industry cybersecurity regulations.
Keep in mind that the general cybersecurity requirements ...