The legal landscape around information security is rapidly evolving internationally. Privacy regulations vary from state to state, province to province, and country to country. If you are like most modern digital businesses your clients are located all over the world and your data is stored and processed in several different jurisdictions.
This reality of modern day business significantly complicates the legal considerations. If your company is located in California, your clients are in Europe and your data is hosted in Canada you likely have legal considerations on a state, federal, and international level.
It is critical that you ensure your policies and procedures are built around a solid understanding of the legal implications associated with the types of data you store and the locations the data travels through.