How to Use This Cybersecurity Resource
The National Privacy Authority cybersecurity reference covers the professional service landscape, regulatory frameworks, and compliance infrastructure that govern data protection and privacy practice in the United States. This page describes how the resource is structured, who it serves, and how to locate the most relevant material efficiently. The directory spans federal statutes, agency enforcement programs, state-level regulatory variation, and operational standards — organized to support professional research, not general education.
Intended users
This resource is structured for three primary professional audiences: compliance officers and privacy counsel navigating regulatory obligations, cybersecurity practitioners evaluating technical standards against legal requirements, and researchers or policy analysts documenting the U.S. privacy enforcement landscape.
Regulated entities subject to frameworks such as HIPAA (administered by HHS Office for Civil Rights), the FTC Act Section 5 (enforced by the Federal Trade Commission), or the California Consumer Privacy Act as amended by CPRA will find this directory useful for cross-referencing statutory requirements against operational service categories. Organizations operating under the GLBA financial privacy regime or those handling biometric identifiers under Illinois BIPA will find sector-specific entries mapped to named statutory sources.
Researchers documenting state-level variation — particularly the divergence between California's opt-out model and Virginia's CDPA controller-processor framework — can use the comparative sections to establish classification boundaries across at least 13 states that had enacted comprehensive consumer privacy statutes as of 2024.
This is not a resource designed for consumers seeking to exercise individual data rights, though the consumer data rights section does document the statutory mechanisms through which those rights operate.
How to navigate
The directory is organized along two primary axes: regulatory domain and operational function.
Regulatory domain entries follow the structure of named federal statutes and agency jurisdictions — HIPAA, GLBA, COPPA, FERPA, the FTC Act — before addressing state frameworks and cross-border transfer rules. Operational function entries address how organizations implement compliance: governance structures, incident response protocols, vendor management, and privacy program design.
Navigation sequence recommended for first-time professional users:
- Start with Cybersecurity Directory Purpose and Scope to establish the boundaries of what the directory covers and what it excludes.
- Move to the federal privacy framework section to identify which federal agency or statute governs the relevant data category.
- Use state privacy laws comparison to locate applicable state obligations layered on top of federal baselines.
- Cross-reference operational entries — such as data breach notification requirements or privacy impact assessments — against the regulatory domain entries to identify where statutory obligations translate into internal process requirements.
- Use the cybersecurity listings index to locate specific service providers, tools, or qualified practitioners operating within a defined regulatory scope.
Entries within each section cite named public sources — NIST publications, HHS guidance documents, FTC consent orders, and state attorney general enforcement records — rather than secondary or proprietary interpretations.
What to look for first
The most operationally critical sections for compliance professionals are those addressing mandatory disclosure timelines, penalty structures, and jurisdictional triggers.
The data breach notification requirements section documents the patchwork of 50 state statutes plus federal sector-specific rules, including the HHS Breach Notification Rule under HITECH (45 CFR §§ 164.400–414) and the FTC's Health Breach Notification Rule (16 CFR Part 318). These entries specify notification windows — which range from 30 days under certain state laws to 60 days under HIPAA for covered entities — and identify which data categories trigger each regime.
For organizations handling children's data, the COPPA children's online privacy section addresses the verifiable parental consent requirements enforced by the FTC, including the 2013 amended Rule (16 CFR Part 312) that expanded the definition of personal information to include geolocation, photos, and persistent identifiers.
Privacy professionals building or auditing internal programs should prioritize privacy program governance, privacy audit and compliance reviews, and consent management frameworks before moving to technical implementation entries such as de-identification and anonymization or IoT device privacy standards.
How information is organized
Each entry in the directory follows a consistent internal structure:
- Regulatory anchor: The named statute, CFR citation, or agency framework that establishes the obligation or standard.
- Scope and applicability: The entity types, data categories, or jurisdictional conditions that trigger the requirement.
- Classification boundaries: Where two frameworks overlap or conflict — for example, the interplay between HIPAA and the FTC Health Breach Notification Rule for non-covered entities — entries identify the distinction explicitly rather than treating frameworks as interchangeable.
- Enforcement record: Where FTC enforcement actions, HHS resolution agreements, or state AG settlements establish interpretive precedent, entries reference those named cases without legal characterization.
- Operational cross-references: Links to related service categories, vendor qualification standards, or technical implementation entries relevant to the same compliance obligation.
The structure distinguishes between prescriptive frameworks (HIPAA, COPPA, FERPA — which specify required controls) and principles-based frameworks (FTC reasonable security standards, NIST Privacy Framework) that establish outcome standards without mandating specific technical measures. This contrast is material: prescriptive frameworks typically carry defined penalty ceilings, while principles-based standards are enforced through case-by-case FTC Section 5 unfairness analysis.
Entries covering sensitive data handling standards, biometric data privacy laws, and health data privacy beyond HIPAA each document this prescriptive-versus-principles distinction within their respective data categories, providing a consistent analytical frame across the full directory.