The California Consumer Privacy Act (CCPA) of 2018 grants California consumers new rights regarding their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of their personal information. It applies to businesses that collect and control California residents' personal information and meet certain revenue or data processing thresholds, giving consumers more control over their data and placing obligations on businesses to protect it adequately. Violations can result in substantial fines and penalties, increasing the accountability of businesses handling consumer data. (CCPA, 2018). CCPA was amended and replaced by CPRA (California Privacy Rights Act) in 2020 which went into effect January 1, 2023, and is enforced starting July 1, 2023. CPRA expands data privacy rights for consumers and imposes more stringent obligations on businesses to safeguard personal information. (CPRA, 2020). CPRA amends the CCPA to provide consumers with additional rights, including the right to correct inaccurate personal information, further restricting the use and sharing of sensitive personal information and establishing the California Privacy Protection Agency (CPPA) to enforce and implement these regulations. Violations carry significant penalties, enhancing consumer data protection and requiring businesses to adopt comprehensive compliance programs. (CPRA, 2020). It emphasizes data minimization and purpose limitation principles, further restricting the collection and use of personal information, and increasing accountability for organizations. CPRA also includes provisions related to automated decision-making and profiling, offering consumers greater transparency and control over how their data is used in algorithmic processes (CPRA, 2020). These enhancements to CCPA provide even more stringent protections for consumer privacy rights in California.

The Federal Information Security Modernization Act (FISMA) of 2014 requires federal agencies to develop, document, and implement an information security program to protect their information and information systems. It establishes a framework for managing and overseeing information security risks, including conducting risk assessments, implementing security controls, and monitoring security performance. FISMA also mandates independent evaluations of agency security programs to ensure effectiveness. (FISMA, 2014). Updated guidelines and standards from NIST (National Institute of Standards and Technology) further refine security requirements and best practices, ensuring agencies adopt comprehensive measures to safeguard federal information assets. These updates include enhanced incident response protocols, supply chain risk management strategies, and advanced authentication mechanisms to address evolving cyber threats (NIST, ongoing). Compliance with FISMA involves rigorous reporting and oversight by OMB (Office of Management and Budget) and Congress, holding agencies accountable for maintaining robust security posture and mitigating risks effectively (OMB, ongoing). Overall, FISMA provides a structured framework for federal agencies to enhance their cybersecurity defenses and protect sensitive information assets from unauthorized access, use, disclosure, disruption, modification, or destruction (FISMA, 2014). Enhanced security requirements, oversight mechanisms, and continuous monitoring processes contribute to strengthening federal cybersecurity posture and resilience against evolving cyber threats (FISMA, 2014). NIST and OMB provide ongoing guidance and support to agencies in implementing FISMA requirements, fostering a collaborative approach to cybersecurity management across the federal government (NIST, OMB, ongoing). The continuous evolution of FISMA reflects the dynamic nature of cybersecurity landscape and the need for proactive measures to protect federal information assets and maintain public trust (FISMA, ongoing). The Act continues to adapt to emerging technologies and evolving threat landscapes through regular updates to standards and guidelines, ensuring agencies stay ahead of potential risks (NIST, ongoing).

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes national standards to protect individuals' medical records and other personal health information. The HIPAA Privacy Rule addresses the use and disclosure of protected health information (PHI) by covered entities and business associates, while the HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI. The HIPAA Breach Notification Rule mandates covered entities and business associates to notify affected individuals, HHS, and the media in the event of a breach of unsecured PHI. (HIPAA, 1996). Ongoing guidance from HHS (Department of Health and Human Services) clarifies compliance requirements and addresses emerging privacy and security concerns related to healthcare data (HHS, ongoing). Enforcement activities by OCR (Office for Civil Rights) hold covered entities accountable for HIPAA violations, with penalties ranging from civil monetary penalties to criminal charges for willful violations (OCR, ongoing). Recent amendments and clarifications to HIPAA address issues such as data sharing for research purposes, electronic health information exchange, and telehealth services, ensuring the regulations remain relevant in the evolving healthcare landscape (HHS, ongoing). Overall, HIPAA provides a comprehensive framework for protecting the privacy and security of health information, promoting patient trust and enabling the secure exchange of healthcare data for improved patient care (HIPAA, 1996). It requires organizations to implement comprehensive security programs to protect PHI (Protected Health Information). Recent regulations update to address emerging technologies and evolving threats (HHS, ongoing). The HITECH Act expanded HIPAA to include business associates and increased penalties for non-compliance.