Redemtech is an outsource leader in TCM (Technology Change Management) solutions that is revolutionizing IT asset recovery, data security and computer recycling for major, privacy regulated companies worldwide.

Data Security Regulations - U.S. Federal Legislation

Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, was originally enacted in 1984 solely as a computer crime statute, but in its present form it imposes both civil and criminal liability for a wide variety of acts that compromise the security of public and private sector computer systems. The CFAA imposes liability on anyone who: intentionally accesses a protected computer without authorization or in excess of authority and, by doing so, steals anything of value; knowingly transmits a program, code or instruction and, as a result, intentionally causes damage without authorization to a protected computer; intentionally accesses a protected computer without authorization and, as a result, causes damage; knowingly traffics illegally in passwords or other access credentials that allow unauthorized access to a computer, if that traffic affects interstate or foreign commerce or the computer is used by or for the U.S. government; or threatens to damage a protected computer with intent to extort anything of value. The CFAA has been amended repeatedly since its initial passage in 1984. The provisions prohibiting the transmission of destructive code were inserted into the CFAA in a 1994 amendment that was intended, in part, to respond to the then-emerging threat of viruses.
Data Accountability and Trust Act (DATA)

As ordered reported by the U.S. House Committee on Energy and Commerce on May 24, 2006, the Data Accountability and Trust Act, H.R. 3997, would require private companies with access to consumers' personal information to take certain precautions to safeguard that information. Under the bill, private companies would be required to notify consumers and the U.S. Federal Trade Commission (FTC) whenever there is a breach in the security of a consumer's personal information. The bill also would require companies that maintain databases containing individuals' personal information to supply individuals with their personal electronic records upon request and to provide a means to correct mistakes in those records. The bill was introduced Oct. 25, 2005, and debated in June 2006. This bill never became law.
The Digital Millennium Copyright Act (DMCA)

The Digital Millennium Copyright Act (DMCA), 17 U.S.C. §§ 1201-05, was approved by the U.S. Copyright Office in 1998 and provides that no person shall circumvent a technological measure that effectively controls access to a work protected under copyright law. The DMCA assists licensors of digitized copyrighted works in restricting access to those who obtain it lawfully and are therefore entitled to decrypt the work. The DMCA gives copyright owners legal recourse against anyone who removes technology that limits the use of copyrighted works to the uses authorized by the owner. It is important to note that the DMCA imposes liability for the removal of technological protection measures regardless of whether, or how, those responsible then use the formerly protected copyrighted works. The DMCA imposes both criminal and civil liability.
Fair and Accurate Credit Transactions Act (FACTA)

Enacted in December 2003, the purpose of the Fair and Accurate Credit Transactions Act is to help reduce identity theft and consumer fraud by enforcing the proper destruction of consumer information. Businesses are required to properly dispose of consumer information compiled for business purposes by taking reasonable measures to protect against unauthorized access to or use of the information.
Fair Credit Reporting Act (FCRA)

The Fair Credit Reporting Act, 15 U.S.C. § 1681, was created in 2004 to require that consumer reporting agencies adopt procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information. Portions of the Act deal specifically with identity theft prevention, including fraud alerts and active duty alerts; blocking of information resulting from identity theft; and records disposal.
Federal Information Processing Standards (FIPS)

Under the Information Technology Management Reform Act, Public Law 104-106, the U.S. Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. For applications or devices that include cryptography, U.S. federal government agencies are required to use a cryptographic product that has been FIPS 140 validated or Common Criteria (CC) validated, and most CC protection profiles rely on FIPS validation for cryptographic security. The FIPS 140 requirement applies to all U.S. government departments and agencies that use cryptographic-based security systems to protect unclassified information, and by extension to any organization selling such products to U.S. and Canadian government agencies.
Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541, was enacted in 2002 and requires each U.S. government agency to develop, document and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Parts of the program include: periodic assessments of risk; testing and evaluation of the effectiveness of information security policies; and procedures for detecting, reporting and responding to security incidents. Federal agencies; state, local, and tribal governments; and private sector organizations comprising the critical infrastructure of the U.S. are accountable under FISMA.
Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338, was passed Nov. 12, 1999, and comprises several components. The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used and how that information is protected. The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared to protect clients' nonpublic personal information. Like other laws, this rule is intended to do what most businesses should already be doing: protecting their clients. GLBA covers a variety of industries, including banking, securities trading, insurance companies, lenders, tax preparers, credit counselors and financial advisors, real estate services and debt collection services. Penalties for GLBA violations include a civil penalty against the financial institution of not more than $100,000 for each violation; the officers and directors of the financial institution are subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability & Accountability Act of 1996 (HIPAA) requires improved efficiency in healthcare information delivery by standardizing electronic data interchange, and protection of the confidentiality and security of health data. Almost all healthcare organizations, public health authorities, clearinghouses, self-insured businesses, health providers, life insurers, service organizations and universities are bound by HIPAA. They are mandated to securely protect all protected health information (PHI) involved in electronic health transactions. Penalties include fines of up to $25,000 for multiple violations of the same standard in a calendar year, or $250,000 and/or imprisonment of up to 10 years for knowing misuse of individually identifiable health information. The set of national standards took effect in 2003 and requires health plans, doctors, hospitals, and other health care providers to ensure they are protecting the privacy and security of patients' medical information and using a standard format when submitting electronic transactions.
Identity Theft Prevention Act of 2007

The Identity Theft Prevention Act of 2007, H.R. 220, was introduced on Jan. 4, 2007. If approved, the Act would amend title II of the Social Security Act and the Internal Revenue Code of 1986 to protect the integrity and confidentiality of Social Security account numbers issued under such title, prohibit the establishment in the U.S. Government of any uniform national identifying number, and prohibit federal agencies from imposing standards for identification of individuals on other agencies or persons. The legislation is pending.
Notification of Risk to Personal Data Act (NRPDA)

The Notification of Risk to Personal Data Act (NRPDA) was introduced in January 2007 to the U.S. Senate. The legislation would require businesses and U.S. government agencies to notify consumers under certain circumstances of data breaches. Businesses would be allowed to make a "risk assessment" of a data breach and only notify consumers if there is "significant" risk of harm. Businesses also would be required to notify the Secret Service of a breach. If the Secret Service disagrees with the risk assessment, then the business would be required to mount a data breach disclosure campaign. This is the fourth version of the Act to be proposed before Congress. Three previous versions did not pass.
Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was promulgated by the global credit card companies MasterCard and Visa and has been adopted by other major payment card service providers. The standard applies to all businesses that process or store credit/debit card information and went into effect on June 30, 2005. The PCI standard is a contractual obligation that consists of a set of 12 rules for the secure handling of credit card information, which can include credit card numbers and account holders' personally identifiable information. The PCI standard aims to reduce the volume of payment card fraud by preventing direct theft or misuse of cardholder account data, and also to reduce the broader problem of identity theft. The standard includes specific technical requirements, such as data encryption, user access controls, activity monitoring and event logging systems.
Stored Communications Act (SCA)

The Stored Communications Act (SCA), 18 U.S.C. §§ 2701-12, protects stored communications from being accessed and disclosed without authorization. The Act imposes civil and criminal liability for the intentional, unauthorized access to an electronic communication service facility to obtain, alter, or prevent authorized access to a stored wire or electronic communication. Exempted is access authorized by wire or electronic communications service providers; access by users of communication services, with respect to communications intended for them; and access under provisions that permit lawful access by government entities. With regard to disclosure of communications, the Stored Communications Act prohibits providers of electronic communication or remote computing services from knowingly divulging the contents of a communication held in electronic storage by such a service.
U.S. Patriot Act

The U.S. Patriot Act, H.R. 3162, was passed on Oct. 24, 2001, as a legislative move to deter and punish terrorist acts in the U.S. and around the world and to enhance law enforcement investigatory tools. From Redemtech’s perspective, the pertinent portions of the Act concern the U.S. government’s authority to intercept wire, oral and electronic communications relating to computer fraud and terrorism; the seizure of voicemail messages pursuant to warrants; subpoenas for records of electronic communications; and interception of computer trespasser communications.
Looking for more information?
E-waste and Environmental Regulations Database
Mounting pressures regarding the environmentally and socially responsible management of e-waste are triggering more stringent laws around the globe. Redemtech’s E-waste and Environmental Regulations Database delivers information about regulations, directives, national decrees, statutes, ordinances and pending e-waste and environmental legislation.
Data Security Regulations
Legislation governing the protection of consumer privacy and identity theft continues to propagate at the global, federal, state and local levels. Redemtech’s Data Security and Privacy Regulatory Database documents applicable regulations, established laws, constitutional amendments and pending legislation for many nations around the globe.