Small businesses are prime targets for cyberattacks: over 40% of breaches hit them, in large part because they have limited security budgets and staff. There is no single federal cybersecurity law covering all private businesses; instead, a patchwork of federal, state, and sector-specific rules applies, and which ones bind you depends on what data you hold, whose data it is, and who you do business with. Non-compliance can lead to fines, lawsuits, or lost customer trust. Here is what every US small business needs to know in late 2025.
1. FTC Act – The Broad Federal Enforcement
The Federal Trade Commission (FTC) enforces "reasonable" data security under Section 5 of the FTC Act, which prohibits unfair or deceptive practices. Inadequate security is treated as an unfair practice, and overstating your security in a privacy policy is treated as a deceptive one. This applies to essentially any business that collects consumer data, regardless of sector or size.
- Key Requirements: Implement safeguards proportionate to the data you hold (e.g., encryption, access controls, timely patching). Respond to breaches promptly. Do not claim protections you do not actually have.
- Impact on Small Businesses: Even if you handle no health or financial data, poor security or a misleading privacy promise can trigger FTC investigations, consent orders, and fines.
- Best Practice: Follow FTC's Start with Security guide.

2. State Data Breach Notification Laws
All 50 states (plus DC and the territories) require notifying affected residents, and in many states the attorney general or a regulator, after a breach involving personal information (e.g., a name combined with an SSN, driver's license number, or financial account number).
- Timelines: Vary by state (e.g., "without unreasonable delay" or "as soon as possible"; some set hard deadlines of 30, 45, or 60 days). The clock generally starts at discovery of the breach.
- Impact: Applies based on where the affected individuals live, not where your business is located, so a small business with customers in several states may owe notices under several different laws. Late or missing notices can draw fines and enforcement actions.
- 2025 Note: States like Tennessee (TIPA, effective July 2025) add affirmative "reasonable security" mandates on top of breach notification.

3. State Privacy Laws (e.g., CCPA/CPRA in California + 15+ Others)
Comprehensive consumer privacy laws in states like CA, CO, CT, VA, TX, NJ (new in 2025), and TN give consumers rights to access, delete, and correct their data and to opt out of sales and targeted advertising.
- Applicability: Most set thresholds (e.g., CCPA: annual revenue above roughly $25M, adjusted for inflation, or data on 100K+ California residents or households, or deriving half of revenue from selling personal data), so many small businesses fall outside them. Check each state's test if you market to or serve its residents, because thresholds differ and some (e.g., Texas) key on business size rather than record counts.
- Cybersecurity Tie: These laws require "reasonable" security for the data covered. California's CCPA also grants a private right of action when a breach of certain personal information results from a failure to maintain reasonable security, so a breach there can mean class-action exposure, not just regulatory fines.
4. Sector-Specific Federal Laws
- HIPAA (Health): Applies if you are a covered entity (e.g., a medical or dental practice) or a business associate handling protected health information on one's behalf (e.g., a billing service or health app vendor). Requires documented risk assessments, administrative/physical/technical safeguards, and breach reporting to affected individuals and HHS.
- GLBA (Finance): Covers "financial institutions" broadly, not just banks and lenders. The FTC Safeguards Rule extends it to mortgage brokers, tax preparers, auto dealers that finance purchases, and similar non-bank businesses, requiring a written security program, a designated responsible person, MFA, encryption, and breach notification to the FTC.
- PCI DSS (Payments): Not a law but a contractual obligation imposed by the card brands through your acquiring bank. If you accept cards, you must validate compliance at the level matching your transaction volume or face fines, higher fees, or loss of card processing.
- CMMC (Defense Contractors): Certification is required for DoD contracts that involve federal contract information or controlled unclassified information, with no small business exemption. The required level depends on the data you handle, and it flows down to subcontractors.
5. Upcoming: CIRCIA Incident Reporting
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires covered entities in critical infrastructure sectors (e.g., energy, transportation, healthcare) to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours; the reporting obligation takes effect once CISA's final rule is in place, which is expected in late 2025. Under CISA's proposed rule, most small businesses are exempt unless they meet sector-specific criteria, so check whether your sector's definition reaches you.
Key Recommendations for Small Businesses
Follow free guides from CISA and FTC—focus on basics over complex compliance.
- Start Here: CISA Cyber Essentials (free toolkit) and FTC Cybersecurity for Small Businesses.

- Core Actions:
  - Train employees to recognize phishing.
  - Enable MFA everywhere it is offered, keep software updated, and maintain tested offline backups.
  - Limit access to what each role needs, and secure your Wi-Fi and remote access.
  - Plan for breaches in advance: who to call, how to restore from backups, and which notification deadlines apply to you.
- Assess Your Risks: Use CISA's free tools; consider cyber insurance.
Most small businesses will not face all of these laws at once. Start with FTC "reasonable security" expectations and the breach notification laws of every state where your customers live, then layer on sector rules (HIPAA, GLBA, PCI DSS, CMMC) that match your business. Consult a professional for your specifics. Stay proactive: good cybersecurity builds trust and avoids costly incidents.