Cybersecurity Compliance Requirements by Industry
Every industry has its own set of cybersecurity rules — HIPAA for healthcare, PCI DSS for anyone taking a credit card, the FTC Safeguards Rule for tax preparers, CMMC for defense contractors, and on and on. This guide breaks down what applies to your business in plain English.
Cybersecurity rules are not one-size-fits-all. The regulations that apply to your business depend on your industry, the type of data you handle, and where your customers live. Get it wrong and you could be looking at fines, lost contracts, lawsuits, or a breach you can’t recover from.
This guide is a starting point. It tells you what to look out for, what controls regulators expect, and what good security looks like in your industry. Use it to scope your own compliance picture — and reach out when you want a hand putting it into practice.
What’s new (2025–2026):
- CMMC enforcement began Nov 10, 2025 (full implementation Nov 10, 2028)
- 42 CFR Part 2 enforcement began Feb 16, 2026
- PA Act 2 of 2023 (insurance) first annual certifications due Apr 15, 2026
- CJIS Security Policy v6.0 phased through Oct 1, 2027
- NYDFS Part 500 Second Amendment finished phasing in Nov 1, 2025
- CCPA threshold rose to $26,625,000 (Jan 1, 2025)
- EU AI Act high-risk obligations apply Aug 2, 2026
- CIRCIA final rule expected May 2026
Find Your Industry
Healthcare & Medical Practices
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| HIPAA Privacy Rule | How you can use and share Protected Health Information (PHI) — 45 CFR §164.500–534 |
| HIPAA Security Rule | Safeguards required to protect electronic PHI — 45 CFR §164.302–318 |
| HITECH Act | Breach notification, increased penalties, business associate liability |
| Breach Notification Rule | Required notice to patients, HHS, and sometimes the media |
| FDA Section 524B | Cybersecurity for “cyber devices” — premarket SBOM and postmarket vulnerability management (added by 2023 Omnibus, effective Oct 1, 2023) |
| HHS 405(d) HICP | Health Industry Cybersecurity Practices — recognized practices under HITECH amendment (Public Law 116-321); regulatory benefit if implemented 12+ months before an incident |
| HHS HPH CPGs | Healthcare & Public Health Cybersecurity Performance Goals — voluntary baseline (10 essential + 10 enhanced), released Jan 24, 2024 |
| 42 CFR Part 2 | Confidentiality of Substance Use Disorder records — final rule aligned with HIPAA; enforcement began Feb 16, 2026 |
| HIPAA Security Rule NPRM | Watch list — HHS proposed major updates Dec 2024 (Federal Register Jan 6, 2025); final rule pending |
| 73 Pa. Stat. §2301 (PA) | PA Breach of Personal Information Notification Act (as amended) |
What You Need In Place
- Encryption of patient data in storage and in transit
- Multi-factor authentication on systems with PHI (industry standard, expected to become required under the 2026 Security Rule update)
- Periodic risk analysis (annual recommended) and risk management plan
- Workforce training on Privacy and Security Rules
- Backup and disaster recovery planning
- Signed Business Associate Agreements with vendors
- Audit logs and regular log review
- Written incident response plan
Please Note
CGetty Technologies is not currently offering compliance reviews to the healthcare industry. The information above is provided for educational reference. We continue to provide general IT support and security services to healthcare practices — please contact us with any questions.
Financial Services / Banking / Credit Unions
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| GLBA Safeguards Rule | Written information security program for customer non-public personal information |
| FFIEC IT Handbook | Federal examination guidance for IT and cybersecurity |
| PCI DSS v4.0.1 | Required if processing or storing cardholder data |
| SEC Reg S-P | Customer information safeguards — 2024 amendments add 30-day customer notification of unauthorized access to sensitive information (compliance staggered, RIAs ≥$1.5B AUM by Dec 2025) |
| SEC Reg S-ID | Identity Theft Red Flags rule |
| NCUA Part 748 | Credit union information security program — 72-hour cyber incident notification to NCUA (effective Sept 1, 2023) |
| NYDFS 23 NYCRR 500 | If licensed in New York — Second Amendment (Nov 2023) phased in through Nov 1, 2025 |
What You Need In Place
- Designated qualified individual / CISO function
- Written Information Security Program
- Annual risk assessment
- Multi-factor authentication on all customer data access
- Encryption of customer data
- Continuous monitoring or annual penetration testing
- Vendor / service provider oversight program
- Annual board reporting
How CGetty Helps
Risk assessments, GLBA Safeguards program development, vendor risk reviews, and security advisory tuned to small financial institutions. We work alongside your compliance team to keep your program examiner-ready.
CPA / Accounting / Tax Preparation
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| FTC Safeguards Rule | 16 CFR Part 314 — WISP, MFA, encryption, monitoring; breach notification of events affecting 500+ consumers within 30 days |
| IRS Pub 4557 | Safeguarding Taxpayer Data — required practices for paid preparers |
| IRS Pub 5708 | Creating a WISP for tax practices (template) |
| GLBA | Tax preparers and CPAs are GLBA “financial institutions” |
| State Board Rules | State accountancy board confidentiality and licensure rules |
| Circular 230 | IRS rules for those practicing before the IRS |
What You Need In Place
- Written Information Security Plan (WISP)
- Designated qualified individual
- Multi-factor authentication on all client data systems
- Encryption of taxpayer data at rest and in transit
- Annual written and dated risk assessment
- Vendor oversight and contract review
- Employee training and access controls
- Incident response plan with FTC notification process
How CGetty Helps
WISP development, FTC Safeguards Rule advisory, and Qualified Individual support — practical and right-sized for solo CPAs, small tax practices, and bookkeeping firms. We turn the rule into something your firm can actually run.
Legal / Law Firms
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| ABA Model Rule 1.6 | Duty of confidentiality and reasonable efforts to prevent disclosure |
| ABA Opinion 477R | Reasonable efforts to secure communications and data |
| ABA Opinion 483 | Lawyer obligations after a data breach |
| State Bar Rules | State-specific confidentiality and ethics rules |
| IOLTA Trust Account | State bar trust account rules — wire fraud risk area |
| Client-Inherited Rules | HIPAA, GLBA, CMMC, etc., flow down through the work you do |
What You Need In Place
- Encryption of client files and email
- Multi-factor authentication everywhere
- Wire transfer call-back verification policy
- Strict access control on matter data
- Vendor diligence on cloud document management
- Litigation hold and preservation procedures
- Workforce training on confidentiality and breach response
- Incident response with client notification workflow
How CGetty Helps
Security assessments, wire fraud prevention programs, and ongoing managed IT for firms that need to lock down email, document management, and client communications without slowing the practice down.
Defense Contractors / Defense Industrial Base
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| CMMC 2.0 | Cybersecurity Maturity Model Certification — Levels 1, 2, and 3 (32 CFR Part 170; 48 CFR final rule effective Nov 10, 2025) |
| NIST SP 800-171 Rev 2 | 110 controls across 14 families for CUI protection |
| DFARS 252.204-7012 | Safeguarding CUI, 72-hour incident reporting via DIBNet, cloud services must meet FedRAMP Moderate equivalency |
| DFARS 252.204-7019/-7020 | NIST SP 800-171 self-assessment score in SPRS |
| DFARS 252.204-7021 | CMMC certification requirement clause |
| DFARS 252.204-7025 | Notice of CMMC level requirements |
| NIST SP 800-172 | Enhanced security requirements for CMMC Level 3 (APT-resistant controls) |
| ITAR (22 CFR 120-130) | International Traffic in Arms — restricts foreign access to defense data |
| EAR (15 CFR 730-774) | Export Administration Regulations — dual-use technology |
What You Need In Place
- System Security Plan covering all 110 controls
- Plan of Action & Milestones (POA&M)
- Documented enclave or segmentation for CUI
- FIPS-validated encryption
- FedRAMP Moderate (or equivalent) cloud services
- 72-hour incident reporting capability via DIBNet
- Multi-factor authentication on all CUI access
- Annual self-assessment with SPRS submission
How CGetty Helps
NIST SP 800-171 gap assessments, SSP and POA&M development, and remediation roadmaps for small and mid-sized DIB suppliers. We help you understand exactly where you stand against the 110 controls — and build the documentation to back up your SPRS score.
Insurance Agencies & Carriers
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| NAIC Model Law #668 | Insurance Data Security Model Law — adopted in 20+ states |
| PA Act 2 of 2023 | Pennsylvania Insurance Data Security Act, 40 Pa. C.S. §4501 et seq. — effective Dec 11, 2023 |
| GLBA Safeguards Rule | Insurance entities are GLBA-regulated |
| HIPAA | Applies to health insurers as covered entities |
| State DOI Rules | State-specific licensing and data security requirements |
| NYDFS 23 NYCRR 500 | If licensed in New York — Second Amendment phased in through Nov 1, 2025 |
What You Need In Place
- Written Information Security Program
- Annual risk assessment
- Designated qualified individual
- Third-party service provider oversight
- Multi-factor authentication on systems with NPI
- Encryption of customer data
- 5-business-day cybersecurity event notification to the Commissioner
- Annual certification of compliance
How CGetty Helps
WISP development, risk assessments, and ongoing security advisory built around the NAIC Model Law and Pennsylvania’s Act 2 of 2023. We help small agencies meet state requirements without paying enterprise prices.
Retail / E-commerce
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| PCI DSS v4.0.1 | Payment Card Industry Data Security Standard — required for all card acceptors |
| State Breach Laws | All 50 states — vary by trigger and timing |
| CCPA / CPRA | If meeting California thresholds (see Rules That Cross Every Industry below) |
| Other State Privacy Laws | VA, CO, CT, UT, TX, OR, MT, NE and others — thresholds vary |
| FTC Act §5 | Unfair and deceptive practices — covers privacy promises |
| ADA Title III | Digital accessibility (WCAG) — active litigation area |
| 73 Pa. Stat. §2301 (PA) | PA Breach Notification Act — applies if PA residents are affected |
What You Need In Place
- PCI scope minimization (P2PE, tokenization)
- Network segmentation around the card environment
- Quarterly vulnerability scans
- Annual penetration testing (PCI Req 11.4)
- Self-Assessment Questionnaire completion
- Multi-factor authentication on admin access
- File integrity monitoring
- Privacy notice and consumer rights workflows
How CGetty Helps
PCI DSS gap assessments, SAQ support, and remediation advisory for small and mid-sized merchants. We help you reduce your PCI scope, lock down the card environment, and stay merchant-eligible.
Hospitality / Restaurants / Hotels
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| PCI DSS | Card processing — POS systems are highly targeted |
| State Breach Laws | All 50 states — affected by guest residency |
| ADA Title III | Digital accessibility for booking and ordering |
| Wi-Fi / Guest Network | FCC and CALEA considerations for guest Wi-Fi |
| Loyalty Programs | Can trigger state privacy law thresholds |
What You Need In Place
- Segmented guest Wi-Fi (separate from POS network)
- Point-to-point encryption-enabled card readers
- POS endpoint hardening and patching
- Vendor monitoring (POS, booking, loyalty)
- Physical security of back-of-house terminals
- Camera system network isolation
How CGetty Helps
Network reviews, POS security assessments, and Wi-Fi segmentation projects for independent restaurants, hotels, and small franchise groups. Practical fixes that protect your customers without disrupting service.
Manufacturing (Commercial / Non-Defense)
Regulations & Frameworks That Apply
| Regulation | What It Covers |
|---|---|
| NIST CSF 2.0 | Voluntary framework (final Feb 26, 2024) — adds Govern function, often required by customers and insurers |
| ISO/IEC 27001:2022 | Information security management — common customer ask |
| NIST SP 800-82 Rev 3 | Industrial Control Systems / OT security |
| IEC 62443 | Industrial automation and control systems security |
| Defend Trade Secrets Act | Federal protection for formulas, processes, and trade secrets |
| FDA 21 CFR Part 11 | Electronic records (pharma / medical device contract manufacturing) |
| SEC Cyber Disclosure | If publicly traded — Item 1.05 of Form 8-K |
What You Need In Place
- IT / OT network segmentation
- Asset inventory of OT and ICS devices
- Patch management with planned downtime
- Privileged access management for engineers
- Backup of HMIs, PLCs, SCADA configurations
- Supply chain and vendor risk management
- Employee training including the shop floor
- Incident response with operational continuity planning
How CGetty Helps
NIST CSF and ISO 27001 readiness, IT/OT segmentation projects, and ransomware preparedness assessments for small and mid-sized manufacturers. We approach the OT side carefully — production stays running.
Education (K-12 & Higher Education)
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| FERPA (20 USC §1232g) | Education records and student personally identifiable information |
| COPPA | Online services collecting data on children under 13 |
| PPRA | Protection of Pupil Rights Amendment |
| CIPA | Children’s Internet Protection Act — required for E-rate funding |
| GLBA Safeguards | Higher ed financial aid offices (Department of Education enforcement) |
| HIPAA | If on-campus health clinic operates as a covered entity |
| State Student Privacy | State-specific student data privacy laws |
What You Need In Place
- Role-based access to student information systems
- Vendor agreements with FERPA-compliant terms
- Multi-factor authentication for staff and faculty
- Content filtering for E-rate eligibility
- Encryption of student data
- Incident response with parent notification workflow
- Campus health system separation if HIPAA applies
- GLBA Safeguards program for higher ed financial aid
How CGetty Helps
Cybersecurity assessments and student data protection planning sized for charter schools, small colleges, and education service providers. We help you secure SIS, email, and vendor relationships without overwhelming a thin IT team.
Government / Public Sector
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| FISMA | Federal Information Security Modernization Act — NIST CSF 2.0 (Feb 2024) commonly referenced for state/local agencies |
| NIST SP 800-53 Rev 5 | Security controls for federal information systems |
| FedRAMP | Cloud authorization for federal agencies |
| StateRAMP | State-level cloud authorization (modeled on FedRAMP) |
| CJIS Security Policy v6.0 | Criminal Justice Information Services — law enforcement data; v6.0 released Dec 27, 2024 with phased compliance through Oct 1, 2027 (MFA, supply chain, MDM) |
| IRS Pub 1075 | If handling federal tax information (FTI) |
| State Records Laws | Public records, retention, and FOIA-equivalent rules |
What You Need In Place
- System Security Plan against NIST 800-53 baseline
- Continuous monitoring program
- FedRAMP-authorized cloud where applicable
- FIPS-validated encryption
- CJIS background checks for personnel
- Multi-factor authentication
- POA&M for any control gaps
- Annual independent assessment
How CGetty Helps
Gap assessments and remediation roadmaps for small municipal entities, government contractors, and public-sector-adjacent businesses. We help translate federal frameworks into something a small public-sector team can actually run.
Real Estate / Title / Mortgage
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| GLBA Safeguards Rule | Mortgage and title — handle non-public personal information; FTC notification of events affecting 500+ consumers within 30 days (effective May 13, 2024) |
| ALTA Best Practices 4.0 | American Land Title Association pillars (Pillar 3 = information security and WISP) |
| NAR Cybersecurity Guidance | Wire fraud and cybersecurity guidance for REALTORS® |
| CFPB Regulations | Consumer Financial Protection — mortgage data |
| State Licensing | State real estate and title commission rules |
| RESPA / TILA | Real Estate Settlement Procedures and Truth in Lending |
What You Need In Place
- Wire transfer call-back verification policy
- Email security (SPF, DKIM, DMARC)
- Multi-factor authentication on email and document portals
- Encryption of buyer and seller financial data
- Vendor due diligence on title software and escrow
- Phishing-resistant authentication for closings
- Incident response with wire fraud workflow
How CGetty Helps
Wire fraud risk assessments, email security hardening, and ALTA Pillar 3 readiness for title agencies and brokerages. Quick-impact engagements that close the highest-risk gaps first.
Energy / Utilities
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| NERC CIP | Critical Infrastructure Protection — bulk electric system |
| TSA SD 02 Series | Pipeline cybersecurity directives (post-Colonial Pipeline) |
| AWWA Cybersecurity | American Water Works guidance for water utilities |
| EPA Cybersecurity | Water sector cybersecurity — voluntary technical assistance (mandatory sanitary-survey memo withdrawn Oct 2023 after litigation) |
| DOE C2M2 | Cybersecurity Capability Maturity Model |
| CIRCIA | Critical infrastructure incident reporting — final rule expected May 2026 (delayed from Oct 2025) |
What You Need In Place
- Strict IT / OT segmentation
- Cyber asset inventory for the bulk electric system
- Personnel risk assessment and background checks
- Physical security perimeter for OT
- Configuration change management for OT
- Carefully scoped vulnerability assessments of OT
- Incident reporting capability (E-ISAC / CISA)
- Supply chain risk management
How CGetty Helps
IT-side assessments and advisory for small utilities and energy-sector businesses. We work carefully alongside your OT teams and vendors — operations stay safe and compliant.
Nonprofit / Religious Organizations
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| State Charitable Registration | Charitable solicitation laws across 40+ states |
| PCI DSS | If accepting credit card donations |
| State Breach Laws | Donor data is regulated PII |
| IRS Form 990 | Public disclosure obligations |
| HIPAA | Health-related charities or services |
| Grant / Funder Requirements | Federal grants → NIST 800-53; foundation grants vary |
What You Need In Place
- Donor database access controls
- Encryption of donor PII and payment information
- Multi-factor authentication on donor systems
- Vendor management for CRM and payment processors
- Separation of duties for financial transactions
- Volunteer access control and training
- Phishing awareness — high risk for grant fraud
How CGetty Helps
Right-sized cybersecurity assessments and donor data protection guidance for charities, religious organizations, and small nonprofits. We work within nonprofit budgets and help you tell the story to your board and funders.
Construction / Trades
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| OSHA Recordkeeping | Digital safety records — Form 300/301 retention |
| State Licensing | State contractor licensing boards |
| Davis-Bacon / Prevailing Wage | Federal contracts — payroll certification data |
| Wire Fraud (BEC) | Major industry exposure — invoice and payment fraud |
| Customer Contractual | Subcontracting to regulated industries pulls in their rules |
| State Breach Laws | Employee and customer PII |
What You Need In Place
- Email security (SPF, DKIM, DMARC)
- Wire transfer verification policies
- Payroll system access controls
- Job-site device management
- Backup of project documentation and BIM files
- Subcontractor data handling agreements
- Phishing awareness training
How CGetty Helps
Email authentication setup, MFA rollouts, wire-fraud prevention policies, and managed IT for construction firms. High-impact, fast-win engagements that protect your payroll and your projects.
Professional Services
Regulations That Apply
| Regulation | What It Covers |
|---|---|
| FTC Act §5 | Unfair and deceptive practices — covers privacy and security promises |
| State Breach Laws | Universal — applies anywhere PII is held |
| CCPA / Other State Privacy | If thresholds are met |
| Customer Flow-Down | Inherits client compliance through contract |
| Industry-Specific Rules | Architects, engineers, recruiters each have their own |
| Insurance E&O | Professional liability often requires baseline cyber controls |
What You Need In Place
- Multi-factor authentication on email and file storage
- Endpoint detection and response
- Encryption of client deliverables
- Backup and recovery
- Vendor due diligence on SaaS tools
- Privacy notice and consumer rights workflows
- Workforce phishing awareness training
How CGetty Helps
Security questionnaire support, baseline cybersecurity programs, and managed IT for consultancies, agencies, and professional services firms that need to look credible to enterprise clients.
Rules That Cross Every Industry
No matter what business you’re in, these rules can apply based on your data, your customers, or your location.
| Regulation | When It Applies |
|---|---|
| 73 Pa. Stat. §2301 (PA) | Pennsylvania Breach of Personal Information Notification Act (originally Act 94 of 2005, amended by Act 151 of 2022 and Act 33 of 2024) — applies to any business holding personal information of Pennsylvania residents |
| CCPA / CPRA | $26.625M+ gross annual revenue (CPI-adjusted Jan 1, 2025); or buys, sells, or shares personal info of 100,000+ California consumers/households; or 50%+ revenue from selling/sharing personal info |
| Other State Privacy Laws | VA, CO, CT, UT, TX, OR, MT, IA, DE, NJ, NH, MD, MN, NE, RI, IN, TN, KY — thresholds vary; review individually |
| EU GDPR | Offering goods or services to EU residents, or monitoring them |
| EU AI Act | In force Aug 1, 2024 — prohibited practices effective Feb 2, 2025; GPAI obligations Aug 2, 2025; high-risk full obligations Aug 2, 2026 (extraterritorial reach if outputs used in EU) |
| State AI Laws | Colorado AI Act (delayed to June 30, 2026; enforcement enjoined pending AG rulemaking); NYC Local Law 144 (employment AEDTs, in effect since 2023); CA, IL and others have sector-specific AI rules |
| FTC Act §5 | Always — applies to any commercial entity |
| SEC Cyber Disclosure | Public companies — Item 1.05 of Form 8-K within 4 business days of determining a cybersecurity incident is material |
| CIRCIA | Critical infrastructure entities — incident reporting to CISA; final rule expected May 2026 (delayed from Oct 2025) |
Not Sure Where Your Business Stands?
That’s the most common question we get. Most small and mid-sized businesses are partially compliant, fully compliant in spots, and completely unaware of other rules that apply to them. The first step is figuring out where you actually are.
