A Practice Note explaining how to plan, perform, and report on data security risk assessments as required by federal and state laws, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and state data security laws that protect personal information, federal and state regulators' expectations for reasonable data security practices, industry standards, and best practices. It also addresses common forms of cyber risk assessments and their role in any organization's overall information security program.