Relevant Laws to Information Security
HIPAA: Health Insurance Portability and Accountability Act
Passed: August 1996
Purpose: To improve the portability of health insurance coverage while maintaining the privacy and security of patient information.
Types of companies or entities affected: Medical providers, health plans and insurance companies, claims clearinghouses, and employers that self-insure workers' health benefits.
Gist: The law's "administrative simplification" provisions direct HHS to issue a Privacy Rule, a Security Rule, transaction and code-set standards and identifier standards. These regulations specify what patient information must be kept private, how covered entities must secure electronic protected health information, and the standards for electronic transactions between medical providers and health plans. The compliance deadline for the Privacy Rule was April 14, 2003, and for the transaction and code-set standards Oct. 16, 2003; the employer identifier standard is due July 30, 2004, and the Security Rule April 20, 2005 (small health plans get until April 20, 2006).
Effects on IT: Unlike some other laws, HIPAA's Security Rule spells out specific administrative, physical and technical safeguards that must be implemented to comply, each as a "required" or "addressable" implementation specification (access controls, audit controls, integrity controls and transmission security, among others). It is nevertheless technology- and vendor-neutral: it names the safeguards, not the products.
Gramm-Leach-Bliley Act - GLBA
Passed: November 1999
Purpose: To protect the information financial institutions collect about customers.
Types of companies affected: Mainly financial institutions, a term the FTC defines broadly to cover any business significantly engaged in financial activities, and by extension any company that collects names, Social Security numbers and bank account numbers from customers or employees.
Gist: On May 23, 2003, the act's Safeguards Rule (16 CFR Part 314) took effect, requiring financial institutions to develop, implement and maintain a written information security program with administrative, technical and physical safeguards that protect customer information.
Effects on IT departments: All companies that collect financial information must take security measures such as maintaining firewalls, installing and updating antivirus protection and scheduling routine security audits, as well as developing and implementing privacy policies. The Safeguards Rule also requires designating an employee to coordinate the program, assessing the risks to customer information, overseeing service providers, and adjusting the program as circumstances change.
Opinion: "Most IT departments are aware that they must protect information, but they aren't specifically aware that there are federal regulations enforcing this." - Stan Gatewood, CISO, UGA InfoSec.
Sarbanes-Oxley Act
Passed: July 2002 (signed into law July 30, 2002)
Purpose: To restore investor confidence in the financial reporting of public companies and hold a company's officers personally responsible for misrepresentation.
Types of companies affected: Any public company. Experts recommend that private companies hoping to go public or to be acquired by a public company also abide by the rules.
Gist: Section 302, whose SEC rules took effect Aug. 29, 2002, requires a company's CEO and CFO to certify each quarterly and annual report, including the effectiveness of the disclosure controls and procedures used to produce it. Section 404, scheduled at the time of writing to apply for fiscal years ending on or after June 15, 2004 (a date the SEC later pushed back), requires an annual management assessment of internal control over financial reporting, attested to by the company's external auditor.
Effects on IT departments: Two-phased; initially, companies will scramble just to comply with the law, providing the necessary documentation to auditors. Eventually, companies will want to automate the process, building audit trails and control procedures into their systems so the evidence auditors need is produced as a by-product of normal operation.
USA Patriot Act
AKA: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
Passed: October 2001
Purpose: To boost the government's ability to track and prosecute terrorist activity through increased use of surveillance, information sharing and other means.
Types of companies affected: Financial institutions, ISPs and other companies that handle and store online communications.
Gist: The act obliges financial institutions to report suspicious activity involving large money transactions. ISPs may voluntarily disclose customer records and communications to the government when they reasonably believe an emergency involving immediate danger of death or serious physical injury justifies it, and can do so without civil liability (Section 212). The law also expands the type of information government agencies can obtain from ISPs about their users by subpoena, including records of session times and durations, temporarily assigned network (IP) addresses, and the means and source of payment, including credit card or bank account numbers (Section 210).
Effects on IT departments: Many aspects of the act encourage cooperative efforts from the private sector instead of imposing regulations. Companies might wait until a government agency subpoenas information from them before considering compliance, although the time and cost of producing information on the fly could be prohibitive. Legal experts recommend that companies ask the inquiring agency to reimburse the cost; some will, some won't.
Estimated spending to comply: Too soon to tell, because many of the act's provisions are voluntary. If the government repeatedly asks a company to produce records, its officials might realize that upgrading IT systems to automate reporting is less expensive than hiring temporary staff to do it by hand.
California Senate Bill 1386
Passed: September 2002
Purpose: To give California consumers immediate notice of security compromises in businesses' computer systems so they can take action before identity theft occurs.
Types of companies affected: Any state agency, person or business conducting business in California that stores a California resident's personal information on its computer systems.
Gist: The law, which went into effect July 1, 2003, says companies must notify affected residents when they know or reasonably believe unencrypted personal information was acquired by an unauthorized person. Notification must happen "in the most expedient time possible and without unreasonable delay," and can be written or, in some cases, sent by e-mail or posted on the company's Web site. Personal information is defined as an individual's first name or initial and last name in combination with a Social Security number, a California driver's license or state ID card number, or an account, credit card or debit card number together with any required security code, access code or password that would permit access to the account, when either the name or the data element is not encrypted. Encrypted data is outside the notification requirement, which is the law's main technical incentive.
Effects on IT departments: Mandatory reporting of security breaches means departments must be able to detect them, determine which customers' records might have been compromised, and notify all potentially affected individuals, ideally through an automated process. Encrypting stored personal information at rest removes it from the notification duty.
Opinion: "While privacy has never been a huge [business] driver, lack of privacy is." - Stan Gatewood, CISO, UGA InfoSec.
Estimated spending to comply: Depends on whether the bills brewing in Congress to make this a federal law pass. For now, it means every company doing business in California must implement breach detection and notification processes.
The National Strategy to Secure Cyberspace Report
Issued: February 2003
Purpose: To suggest best practices to the private sector for protecting critical infrastructures and businesses from cyberattacks.
Types of companies affected: All private businesses, but especially those that run critical infrastructures such as telecom networks, stock markets, electricity and transportation.
Gist: This report issued by the White House encourages industries and government agencies to reduce the risk of cyberterrorism wherever practical. It says the government reserves the right to respond "in an appropriate manner" if the U.S. is attacked in cyberspace.
Effects on IT departments: The report can be used to back up IT managers' requests that companies assign larger budgets and higher priority to security programs and policies.
Opinion: "The report makes it clear that there will not be a technology silver bullet that's going to solve the [security] problem." - Larry Clinton, operations officer, Internet Security Alliance.
Estimated spending to comply: Because none of the report is mandatory, spending will be at the discretion of each company.
Georgia
- Bills
- Laws
- Official Code of Georgia Annotated
California
- California State Bill SB1386
- This bill, commencing July 1, 2003, requires a state agency, a person or business that conducts business in California that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
Other States
- General
Bills before Congress
- NORPDA-Notification of Risk to Personal Data Act
- This bill would require Federal agencies, and persons engaged in interstate commerce, in possession of electronic data containing personal information, to disclose any unauthorized acquisition of such information.
- http://thomas.loc.gov/cgi-bin/query/D?c108:1:./temp/~c108PCoK8S::
Laws
- CDA-Communications Decency Act of 1996
- The Communications Decency Act of 1996 was a highly controversial statute prohibiting anyone using interstate or foreign communications from transmitting obscene or indecent materials when they know that the recipient is under 18 years of age, regardless of who initiated the communication. Its indecency provisions were struck down as unconstitutional by the Supreme Court in Reno v. ACLU (1997); Section 230, which shields interactive service providers from liability for content posted by their users, remains in force.
- http://usinfo.state.gov/usa/infousa/laws/majorlaw/s652titl.htm
- CFAA-The Computer Fraud and Abuse Act of 1986 (18 U.S.C. § 1030)
- The Computer Fraud and Abuse Act of 1986 originally focused on protecting "federal-interest" computers, including federal, state, county and municipal systems; financial and medical institutions; and computers used by contractors supplying such institutions. The 1996 amendments broadened its scope to any "protected computer," which includes any computer used in interstate or foreign commerce or communication. The law prohibits knowingly transmitting "a program, information, code or command" with intent to cause damage to a computer system or network. In addition, the Act prohibits even unintentional damage if the perpetrator accesses the computer without authorization and recklessly disregards the risk of causing such damage.
- http://www.usdoj.gov/criminal/cybercrime/1030_new.html
- Copyright Law of the United States of America
- http://www.loc.gov/copyright/title17/
- DMCA-The Digital Millennium Copyright Act of 1998
- http://www.loc.gov/copyright/legislation/dmca.pdf
- ECPA-The Electronic Communications Privacy Act of 1986
- The Electronic Communications Privacy Act of 1986, generally known as the ECPA, assigns fines and prison sentences to anyone convicted of unauthorized interception and disclosure of electronic communications such as phone calls over landline or mobile systems and e-mail. In addition, the ECPA specifically prohibits making use of an unlawfully intercepted electronic communication if the user knows that the message was unlawfully obtained. On the other hand, providers of electronic messaging systems, including employers, are permitted to intercept messages on their own systems in the course of normal operations; naturally, they are authorized to transmit messages to other communications providers as part of the normal course of delivery to the ultimate recipient. Title II of the ECPA, the Stored Communications Act (18 U.S.C. § 2701 et seq.), also prohibits unauthorized access to stored messages, not just those in transit.
- http://policyworks.gov/policydocs/5.pdf
- FERPA-The Family Educational Rights and Privacy Act
- http://www.ed.gov/offices/OM/fpco/ferpa/
- UGA FERPA Policy Statement
- GLBA-Gramm-Leach-Bliley Act: Financial Privacy and Pretexting of 1999
- http://www.ftc.gov/privacy/glbact/
- HIPAA-Health Insurance Portability and Accountability Act of 1996
- http://www.hhs.gov/ocr/hipaa/
- SANS: HIPAA Consensus Research Project
- NIST: Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Draft
- UGA-OIS:
- Patriot Act of 2001
- http://www.immigration.gov/graphics/lawsregs/patriot.pdf
- Electronic Privacy Information Center The USA PATRIOT Act
- Wiretap Act, 18 U.S.C. § 2511 (Title 18, Pt. I, Ch. 119)
- http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/119/sections/section_2511.html
- SANS2002 Technical Conference Session 1-9: Federal Legal Issues & Monitoring Network Use
- Richard P. Salgado, Computer Crime and Intellectual Property Section, United States Department of Justice
U.S. Code
- Title 18, Pt. I, Ch. 121: Stored Wire And Electronic Communications And Transactional Records Access
- http://www4.law.cornell.edu/uscode/18/pIch121.html
- Title 18, Pt. I, Ch. 121, Sec. 2703: Required disclosure of customer communications or records
- http://www4.law.cornell.edu/uscode/18/2703.html
International
European Union
Directives
- 2002/58/EC: Directive on Privacy and Electronic Communications
- http://register.consilium.eu.int/pdf/en/02/st03/03636en2.pdf
United Kingdom
- Computer Misuse Act 1990
- http://www.legislation.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm
- Data Protection Act 1998
- http://www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm
- Regulation of Investigatory Powers Act 2000
- http://www.legislation.hmso.gov.uk/acts/acts2000/20000023.htm
Other
- The federal wire fraud statute (18 U.S.C. § 1343), which governs interstate electronic communications, has been used in prosecutions of computer crimes. A wire fraud charge requires the following elements: (a) a scheme to defraud by means of false pretenses; (b) knowing and willful participation with intent to defraud; and (c) the use of interstate wire communications in furtherance of the scheme.
Commentary
- EDUCAUSE: IT Security for Higher Education: A Legal Perspective
- The EDUCAUSE Security Task Force has commissioned a law firm to develop a white paper on IT security legal issues.
- http://www.educause.edu/ir/library/pdf/CSD2746.pdf
- EDUCAUSE Review: Civil Privacy and National Security Legislation: A Three-Dimensional View
- http://www.educause.edu/pub/er/erm03/erm036_articles.asp?id=2
- SecurityFocus: U.S. Information Security Law, Part One: Protecting Private Sector Systems, and Information Security Professionals and Trade Secrets
- http://www.securityfocus.com/infocus/1669
- SecurityFocus: U.S. Information Security Law, Part Two: Protecting Private Sector Systems and Securing the Working Environment
- http://www.securityfocus.com/infocus/1681
- SecurityFocus: U.S. Information Security Law, Part Three: Information Security and the Public Sector-An Introduction to the Criminal Law of Information Security
- http://www.securityfocus.com/infocus/1693
- SecurityFocus: U.S. Information Security Law, Part Four: Information Security and the Public Sector-An Introduction to the National Security Law of Information Security
- http://www.securityfocus.com/infocus/1710
Other Resources:
- Computer Crime and Intellectual Property Section: Federal Code Related to Cybercrime
- http://www.cybercrime.gov/fedcode.htm
- EuroCERT: Computer law and legislation in European countries
- http://www.ja.net/CERT/SIRCE/legislature.html
- National Association of Attorneys General: Computer Crime Point-of-Contact List
- http://www.naag.org/issues/20010724-cc_list.php
- National Conference of State Legislatures: Computer Crime
- http://www.ncsl.org/programs/lis/cip/computercrimes.htm
- National Conference of State Legislatures: Federal Computer Crime Statutes
- http://www.ncsl.org/programs/lis/cip/compcrime-fed.htm
- Official Code of Georgia Annotated
- http://www.legis.state.ga.us/cgi-bin/gl_codes_detail.pl?code=1-1-1
- United States Code
- http://www4.law.cornell.edu/uscode/