Data center regulations for the US

Individuals around the world are increasingly aware of the importance of online security and privacy, but the definition of personally identifiable information (PII) varies from region to region. PII isn't restricted to name and phone number; it also encompasses financial records. Industries, regardless of sector, require data centers to store customer data in a way that complies with the privacy and security standards defined in the country's or state's governing law.

EU vs. US privacy laws

There isn't one common, central privacy law in the US yet, like there is in the EU. Instead, there are several sector-specific federal laws, as well as privacy and consumer laws in different states. The California Consumer Privacy Act (CCPA), which applies to California residents, is similar to the General Data Protection Regulation (GDPR), with some variations. We will cover that in detail in the CCPA section.

Data center regulations for USA

Laws that govern data collection

To make up for the absence of a single common law, the US has many sector-specific and medium-specific laws that regulate and channel the way telecommunications, health, credit card, financial institution, and marketing data is stored and handled. Since its implementation, the Federal Trade Commission (FTC) Act of 1914 has provided enforcement to protect consumers' data and privacy. The FTC's privacy enforcement actions include its positions against companies that fail to comply with their own published privacy policies.

Other federal laws that govern the online collection of PII include:

  • The Health Insurance Portability and Accountability Act (HIPAA): Governs the collection of health information.
  • The Gramm-Leach-Bliley Act: Governs the collection of personal information by banks and financial institutions.
  • The Children's Online Privacy Protection Act: Governs the collection of information about minors.
  • The Fair Credit Reporting Act: Regulates the collection and use of credit information.

A checklist for setting up a data center in the US

To set up a data center and run your business without interruptions, make sure you comply with and follow:

  • The data privacy laws specific to the state in which you wish to set up your data center.
  • HIPAA, if you're dealing with health information.
  • The National Institute of Standards and Technology (NIST) standards and the Uptime Institute's tier certifications.
  • Quality standards, like ISO.
  • Security standards, like SOC.
  • Environmental management standards, like ISO 14001.
  • Energy-efficient data center designs.

State-wise data privacy laws in the US

There are many data privacy and data security laws among different states. After the CCPA passed in 2018, multiple states started to propose similar laws to protect their residents from data breaches and theft.

The CCPA

Signed on June 28, 2018, the CCPA went into effect on January 1, 2020, and is a major outcome of the GDPR's far reach and the myriad of data breaches recorded in 2017. The CCPA is aimed at protecting California residents' consumer rights, ensuring stronger privacy, and increased transparency. As cross-sector legislation, the CCPA is considered very comprehensive. With definitions similar to the GDPR, it imposes key duties on individuals or organizations that collect PII from or about a California resident.

Under the CCPA, a consumer is broadly defined as "a natural person who is a California resident." This law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared.
  • The right to delete personal information collected from them.
  • The right to opt-out of the sale of their personal information.
  • The right to non-discrimination for exercising their CCPA rights.

The organization that collects the data must disclose the type of information collected in a privacy policy displayed on its website. Though there are many similarities between the CCPA and the GDPR, there are some differences, including:

  • The CCPA primarily focuses on businesses that share or sell information. For example, the right to opt-out is available only in the case of selling or sharing personal information.
  • Under the CCPA, "personal information" does not cover publicly available information, i.e., information lawfully made available from federal, state, or local government records.
  • The CCPA doesn't include medical information, as it is governed by the Confidentiality of Medical Information Act.
  • Civil penalties, issued by a court, can be imposed if the Act is violated. Since California has a much larger economy than the EU, the penalty also differs. Depending on the violation, the penalty may be up to $2,500 for each violation, and $7,500 for each intentional violation.

New York SHIELD Act

New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July 2019. This law is technically an amendment to an already-existing data breach notification law in New York, and it creates a greater scope for data security by applying to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York. The major difference from the CCPA is that the CCPA is a data privacy law, while the SHIELD Act is a security regulation.

Other state-level data privacy laws

California and New York were the first states to introduce broad legislation for data privacy. However, other US states have also enacted laws that are typically extensions of the existing United States federal laws, with alterations and implementations specific to the state's needs.

Nevada’s Senate Bill (SB) 220

Nevada’s SB 220, an Act relating to internet privacy, prohibits website operators or those who run online services from selling consumer information to data brokers without the consumer's permission. Unlike the CCPA, Nevada’s SB 220 does not include rights of access, portability, deletion, or non-discrimination, and it does not apply to companies that collect PII offline. The response deadlines also differ: under Nevada's SB 220, organizations have to respond within 60 days of a request's submission, which may be extended by an additional 30 days; under the CCPA, organizations have 45 days to respond to requests, which may be extended by an additional 90 days.

Maine's Act to Protect the Privacy of Online Consumer Information

Also known as LD 946, this bill prohibits a provider of broadband internet access service from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access.

Other data center standards

In addition to the above laws on privacy and data protection, there are also other standards for setting up and maintaining the infrastructure in a data center.

The Uptime Institute's tier standard

The Uptime Institute is a neutral organization that established four tiers of data center certifications for categories including design, construction, and operational sustainability.

  • Tier I: Basic capacity
  • Tier II: Redundant capacity components
  • Tier III: Concurrently maintainable
  • Tier IV: Fault tolerance

ANSI/TIA-942-A

The Telecommunications Industry Association's (TIA) ANSI/TIA-942-A is the telecommunications infrastructure standard for data centers. It is an American National Standard that specifies the minimum requirements for structured cabling work. Defined in TIA/EIA-568, it describes the design, installation, and performance requirements for cabling in data centers.

NIST Special Publication (SP) 800-53

The National Institute of Standards and Technology (NIST) is a non-regulatory government agency responsible for creating security standards that enhance efficiency in data centers. Covering IT security and cybersecurity, NIST security standards address data center infrastructure, along with the technology and the applications used in it.

NIST SP 800-53 is an important publication that covers the "Security and Privacy Controls for Federal Information Systems and Organizations." It offers security and privacy controls in the areas of application security and mobile and cloud computing, and also covers real-time monitoring of systems.

Conclusion

There are different types of data centers, like traditional and hybrid, that each come with their own pros and cons. It's up to each organization to choose the type that fits its needs and to successfully incorporate all elements of privacy, safety, security, and other environmental standards. With so many controls, standards, audits, and reports, it's always recommended to adhere to and maintain compliance with all region-specific laws.
