List of privacy/security laws in the US

I asked myself about laws/regulations when I began thinking about data breaches. Why are data breaches so widespread, for example? Is it because businesses/companies are not secure by default? Why is that? Is it because there are no laws/regulations governing how secure a website must be? I just do not understand. Is storing plaintext passwords legal or illegal? Is salting and peppering a legal requirement? I think it should be, but I don't know if it is or not. I don't know how that would be implemented either. I am in utter awe at how widespread data breaches are. Are there encryption requirements by law/regulation?

I am reminded of, for example, how browsers transitioned from HTTP to HTTPS. Are browser developers required by law/regulation to develop browsers with HTTPS encryption functionality? Hypothetical: what if the Firefox or Chrome developers just decided to remove HTTPS functionality from their browsers in the next upcoming update? Are they legally restrained from doing so by law (like through regulations, or lawsuits, etc.)? Or is it just that they won’t get rid of HTTPS because it’s a privacy/security demand from the user base?

I am genuinely curious. I would feel that it's better to have privacy and security by law, just so that businesses or companies or whatever are private/secure (as much as they can be with how vague laws must be) by default. But if there were laws, who would be subject to them? Is the law only directed towards businesses/corporations? Or are they for industry- or sector-specific businesses? Are individuals therefore legally barred from making their own account-functional websites if they do not check off a massive amount of legal checklists?

Anyway, this was just me thinking out loud. This thread is supposed to be sort of like a list or meta-list of laws and regulations or resources for learning about them, etc.


The middle ground is where the real questions are. Specifically, who holds legal liability for leaked data? Who will sue if your data is leaked from a service or database?

There are no laws because large companies in the US are allergic to the GDPR, and would see any sort of legal liability beyond what little they have now as bad and would rather spend more lobbying to keep laws weak than pay to be secure AND shoulder responsibility for leaks if they happen. Plus, data breach and hack insurance is a thing, so now TWO industries are lobbying for a continued Wild Wild West policy.

It's also embarrassing how many people cheap out and/or have no idea what good security looks like. I look over the lists of publicly announced ransomware victims, and the US-based ones are almost always law firms, small businesses, and school districts. Law firms have the money and ignore precautions at their own peril, so they're known to pay ransoms. School districts have too much PII and cheap out disproportionately to their attack surface, so they pay or have insurance. Small businesses have no backups, so they might pay.

It's kind of sad. In the US this should be something state governments do to educate business owners. It also costs money to put locks on the doors, but who would object to that as a cost of doing business?
