
The Legal Baseline for Data Security

Federal Requirements · Reference

The federal and state laws that already require any business to secure data and report breaches — the real minimum that exists before a single FAR clause applies.

Last reviewed: June 4, 2026 · Version: v1

Overview

Cybersecurity law did not start with the Federal Acquisition Regulation. Before a company ever bids on a government contract, it already operates inside a web of federal and state law that requires it to protect the data it holds and to disclose breaches when they happen. These duties attach to any business that collects personal or sensitive information — your customers, your employees, your vendors — regardless of whether you ever work with the government.

This is the real baseline. A well-run contractor should already meet it before pursuing federal work, because the FAR and DFARS cybersecurity clauses are an additional layer on top of these laws, not the entry point to them. Winning a contract does not reset the clock on the obligations below; it adds new ones.

Why this page exists: It is a common misconception that federal contractor cybersecurity "starts" with FAR 52.204-21. In reality, that clause assumes you are already a law-abiding business. The laws on this page are what you should already be meeting.

The FTC Act: Federal "Reasonable Security"

Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) prohibits "unfair or deceptive acts or practices." For more than two decades the FTC has used it as the de facto federal data-security enforcer: a company that fails to maintain *reasonable* security for consumer data (treated as "unfair"), or that misrepresents how it protects data (treated as "deceptive"), can face an FTC enforcement action. No contract, and no data-security-specific statute, is required for this to apply.

Sector Data-Security Rules

Depending on what your business does, a sector-specific federal rule may already impose detailed security obligations:

  • GLBA Safeguards Rule (16 CFR Part 314) — requires "financial institutions," broadly defined to include many non-banking businesses, to maintain a written information-security program. The FTC amended it in 2021 and again in 2023; since May 2024 covered financial institutions must notify the FTC of a "notification event" involving the unencrypted customer information of 500 or more consumers, as soon as possible and no later than 30 days after discovery.
  • HIPAA Security Rule (45 CFR Part 164) — requires healthcare "covered entities" and their "business associates" to safeguard electronic protected health information (ePHI).
  • FERPA, FCRA, COPPA and others — impose data-handling duties in education, consumer-reporting, and children's-data contexts.

State Breach-Notification Laws

All 50 states, plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, require businesses to notify individuals when their personal information is breached. California enacted the first such law in 2002; Alabama was the last state to adopt one, in 2018. The specifics — what counts as personal information, how fast you must notify, and whether you must also tell the state attorney general — vary by jurisdiction, and obligations follow the residence of the affected individuals rather than the location of the business, so a single breach often triggers notification duties in many states at once.

State Data-Security and Privacy Laws

Beyond breach notice, a growing number of states impose affirmative security and privacy duties on businesses:

  • "Reasonable security" mandates such as Massachusetts' 201 CMR 17.00, the New York SHIELD Act, and California Civil Code § 1798.81.5 require safeguards proportionate to the data held.
  • Comprehensive consumer-privacy laws — California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, and a lengthening list of others — grant consumers rights over their data and require reasonable security to protect it.

Cyber-Crime Statutes

A separate body of federal criminal law sits in the background. It protects your systems from attackers and sets limits your own people must respect:

  • Computer Fraud and Abuse Act (18 U.S.C. § 1030) — the primary federal anti-hacking statute, criminalizing access to a computer without authorization or in excess of authorized access.
  • Electronic Communications Privacy Act / Wiretap Act / Stored Communications Act (18 U.S.C. §§ 2510 et seq., 2701 et seq.) — restrict intercepting communications in transit and accessing communications held in storage.
  • Identity theft, wire-fraud, and economic-espionage statutes — reach data theft and misuse.

Why It Matters Before You Contract

If your business already handles customer or employee data, you are almost certainly subject to several of the laws above today. The good news: the controls they expect — access control, encryption, logging, incident response, vendor management — overlap heavily with FAR 52.204-21's 15 safeguards and with NIST SP 800-171. A company with mature general-business security is most of the way to contractor compliance. A company that treats FAR 52.204-21 as the place to *start* has usually skipped the foundation underneath it.

How It Connects to Contractor Requirements

Sources

  • FTC Act § 5 (15 U.S.C. § 45); FTC Safeguards Rule, 16 CFR Part 314 (ftc.gov / ecfr.gov)
  • HIPAA Security Rule, 45 CFR Part 164 (hhs.gov)
  • State breach-notification and privacy statutes (NCSL; state attorneys general)
  • CFAA, 18 U.S.C. § 1030; ECPA, 18 U.S.C. §§ 2510, 2701 (uscode.house.gov)