Regulatory Contact Directory

This article is a reference resource for IT compliance and security. It is not professional advice. Consult professionals for guidance specific to your situation.


You have a data breach. You've contained it, you've notified your legal team, and now you need to know who to contact and what to report. Or you've received a notice of investigation from a federal agency and you need to understand what they oversee and what your obligations are. Or you're building a compliance program and need to understand which agencies might audit you.

The regulatory landscape is fragmented across federal agencies, state attorneys general, and industry-specific bodies. Each has different jurisdiction, different reporting timelines, and different expectations. Understanding the landscape prevents you from either over-reporting (wasting resources on notifications that aren't required) or under-reporting (triggering penalties for non-compliance).

Federal Regulatory Agencies and Their Scope

The Department of Health and Human Services (HHS) oversees HIPAA compliance for healthcare entities, health plans, and their business associates. If your organization is a healthcare provider, health plan, or processes health information on behalf of one, HHS has authority over you. The HHS Office for Civil Rights (OCR) handles HIPAA violations, breach investigations, and can impose civil penalties. You can reach HHS OCR through its regional offices or its national HIPAA hotline, and HIPAA violations you encounter are reported to OCR as well.

The Federal Trade Commission (FTC) oversees consumer privacy and data security for commercial organizations. The FTC's authority is broad—it covers most U.S. businesses unless they're explicitly carved out (banks, insurance companies, etc.). The FTC enforces the Health Breach Notification Rule for entities not subject to HIPAA, and it has taken action against organizations with inadequate data security. The FTC handles consumer complaints about privacy and data security.

The Department of Defense (DoD) oversees CMMC (Cybersecurity Maturity Model Certification) for defense contractors and their subcontractors. If you work in the defense industrial base, you need CMMC certification, and the DoD's Defense Counterintelligence and Security Agency (DCSA) oversees the program.

The Securities and Exchange Commission (SEC) oversees public companies and is increasingly focused on cybersecurity disclosures. If you're a public company, you need to disclose material cybersecurity incidents and have strong cyber risk governance.

The Federal Communications Commission (FCC) regulates telecommunications companies and broadband providers, and has jurisdiction over wireless carriers. If you're in that space, FCC rules apply to your network security and data handling.

State Attorneys General and Breach Notification

Each state has an attorney general with jurisdiction over consumer protection, including data breach notification. State breach notification laws vary but typically require that individuals be notified of breaches of their personal information without unreasonable delay. The timeline varies from state to state—some require notification "without unreasonable delay," others specify a fixed number of days. Most states require notification to their attorney general if the breach affects residents above a certain threshold.

Contacting state attorneys general for breach notification is often handled through a service that tracks which states are affected and sends notifications on your behalf. For a breach of California residents, you contact the California AG. For a breach affecting multiple states, you contact the AG in each affected state. The notification must include a description of what was breached, what you're doing to secure it, and what individuals should do to protect themselves.

The National Association of Attorneys General (NAAG) maintains a directory of state attorney general offices with contact information. You can also find each state's data breach notification law and procedures on your state's AG website.

Industry-Specific Regulators

The Payment Card Industry Security Standards Council (PCI SSC) doesn't enforce PCI DSS in the way a government agency does, but payment processors and card networks require compliance. If you process card data, you must comply with PCI DSS. Your acquiring bank or payment processor can tell you whether you need a third-party audit or can conduct self-assessment.

Federal Banking Regulators oversee banks and financial institutions through the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve. If you're a financial institution or hold banking relationships, these agencies have authority over your security and data handling.

The SEC's Division of Corporation Finance and the Public Company Accounting Oversight Board (PCAOB) have jurisdiction over public companies' cyber risk disclosure and governance. If you're public, you must disclose material cyber incidents and maintain adequate security governance.

State Insurance Commissioners oversee insurance companies and increasingly impose cybersecurity requirements similar to HIPAA on health insurance carriers.

The National Institute of Standards and Technology (NIST) doesn't regulate but provides the framework used across federal agencies and increasingly in state law and critical infrastructure regulations. If you work in critical infrastructure or federal contracting, NIST Framework compliance is relevant.

Incident Reporting and Breach Notification Procedures

When you have a reportable incident, the timeline and requirements depend on what data was affected and which laws apply. A HIPAA breach must be reported to affected individuals without unreasonable delay and no later than 60 days from discovery. HHS must also be notified. The notification must describe the breach, the types of information involved, what the covered entity is doing to investigate, and what individuals should do.

A state data breach affecting residents triggers state breach notification requirements, which vary by state but typically require notification without unreasonable delay. Most states also require notification to the state attorney general if the breach affects more than a threshold number of residents (usually 500 to 1000).

A breach affecting payment card data triggers PCI DSS notification requirements and may require notification to card networks and acquiring banks. Card networks have different procedures for breach reporting.

A breach affecting a federal contractor triggers federal incident response procedures, potentially including notification to federal agencies depending on the contract and the data involved.

Guidance and Resources

The FTC provides guidance on data security practices through its "Start with Security" program and various guidance documents. The FTC's website has information on breach notification requirements and what constitutes reasonable security.

NIST provides cybersecurity guidance through the NIST Cybersecurity Framework and various standards and guidelines. The NIST Special Publication 800 series provides detailed guidance on topics like access control, encryption, and incident response. These documents are free and widely referenced across government and industry.

HHS OCR provides HIPAA guidance, sample policies, and breach notification resources on its website. If you're a covered entity, HHS OCR's resources are your primary reference for compliance requirements.

The Department of Defense publishes CMMC requirements and resources for defense contractors. The DCSA website has current CMMC guidance, assessor lists, and information on certification timelines.

The International Organization for Standardization (ISO) maintains ISO 27001, ISO 27002, and other information security standards. These are not free—standards must be purchased—but many organizations reference them for security architecture guidance.

Preparing for Regulatory Contact

When a regulatory agency contacts you—whether through investigation notice, audit notification, or breach inquiry—understand your obligations to respond and what protections you have. Most agencies have the power to subpoena documents and compel testimony. Even so, having legal counsel review regulatory requests is appropriate, and you can negotiate document production timelines and protect certain privileged communications (attorney-client, attorney work product).

Keep documentation of your compliance efforts, control assessments, incident response processes, and remediation work. This documentation is your defense in a regulatory investigation. If you have a security incident and can demonstrate that your controls were reasonable, that you detected it appropriately, and that you responded promptly, that protects you against claims of negligence.

Maintain current contact information for relevant regulatory agencies. A quick reference file with the FTC's complaint reporting process, your state's data breach notification requirements, and the attorney general's office contact information could save you time and mistakes when you need it.

Understanding Your Regulatory Landscape

Your first step in building regulatory awareness is identifying which agencies have jurisdiction over your organization. If you're in healthcare, HIPAA and HHS apply. If you process cards, PCI DSS applies. If you're public, SEC oversight applies. If you're in critical infrastructure or work with federal agencies, NIST Framework or federal regulations apply. If you operate in multiple states, state attorneys general have jurisdiction over breach notification.

Once you understand which agencies apply to you, familiarize yourself with their websites, guidance documents, and breach notification procedures. Build a regulatory roadmap that documents which laws apply, what they require, and who enforces them. When you need to report, you'll know exactly whom to contact and what information they need.


Fully Compliance provides educational content about regulatory agencies and breach notification requirements. Specific guidance on your obligations should come from qualified legal counsel familiar with your jurisdiction and situation.