Privacy and Security Regulations

The security management policies of an organization do not exist in a vacuum. Regulatory and governmental agencies are key components of a security management program, and over the last several years they have made large improvements in protecting the privacy of information. Several laws have been passed to help ensure that information is not disclosed to unauthorized parties. This section provides a brief overview of a few of these regulations. As a security professional, you must stay current with these laws, because you are one of the primary agents responsible for ensuring compliance.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a relatively new regulation that mandates national standards and procedures for the storage, use, and transmission of personal medical information. Passed into law in 1996, HIPAA has caused a great deal of change in health care record keeping.

HIPAA covers three areas, and it is being implemented in phases to make the transition easier.

Confidentiality and privacy of patient records must be implemented no later than April 2004. Security of patient records must be implemented no later than March 2004. Standards for transaction codes in medical record transmissions must be completed by 2003.

The security requirements are still undergoing final revision; the final wording of the compliance regulations is expected by the end of 2002.

The penalties for HIPAA violations are very stiff: depending on the circumstances, they can be as high as $250,000. Medical practices are required to appoint a security officer, and all related parties, such as billing agencies and medical records storage facilities, must also comply with these regulations.

Gramm-Leach-Bliley Act of 1999

This act requires financial institutions to develop privacy notices and to notify customers of their privacy rights. The act prohibits banks from releasing customer information to nonaffiliated third parties without permission. Many consumer groups have criticized the way financial institutions have implemented this act.

Employees must be trained on information security issues, and the required security measures must be put in place and tested to verify that customer information is protected. The act also includes a number of other provisions that allow banks and other financial institutions to align and form partnerships.

The act requires banks to explain their information-sharing policies to individual consumers. It prohibits financial institutions from sharing information with nonaffiliated third parties without permission from the customer, and customers have the ability to "opt out" of sharing agreements.

The act prohibits institutions from sharing account numbers with nonaffiliated third parties for marketing purposes. It also prohibits obtaining information about customers by false or fraudulent means (pretexting).

The law went into effect in July of 2001. Financial officers and the board of directors can be held criminally liable for violations of this act.

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act was enacted in 1986 to address issues of computer fraud and abuse that were not well covered under existing statutes. The law was updated in 1994, 1996, and again in 2001.

This act gives federal authorities, primarily the FBI, the ability to prosecute hackers and others who access computer systems without authorization; since the 2001 amendments, certain offenses under it are treated as federal crimes of terrorism. The law was originally intended to protect government and financial computer systems from intrusion, but it now covers any "protected computer," which includes any system used in interstate or foreign commerce or communication. In practice, virtually any computer connected to the Internet, and anyone who misuses it, falls under this statute.

The law is very comprehensive and provides for stiff fines and imprisonment of up to 10 years for convictions under this statute.

FERPA

The Family Educational Rights and Privacy Act (FERPA) dictates that educational institutions may not release information from a student's education records to unauthorized parties without the express permission of the student or, in the case of a minor, the student's parents.

The act also requires educational institutions to disclose any records kept on a student when the student demands them. This law has a huge impact on the privacy requirements for student records, and an institution that violates it jeopardizes its federal funding.

Computer Security Act of 1987

The Computer Security Act requires federal agencies to identify and protect computer systems that contain sensitive information. Agencies that keep such information must conduct regular training and audits and establish procedures to protect privacy. All federal agencies must comply with this act.

Cyberspace Electronic Security Act (CESA)

This act, proposed in 1999, would give law enforcement the right to gain access to encryption keys and cryptographic methods. The initial version allowed federal law enforcement agencies to secretly use monitoring equipment, electronic capture equipment, and other technologies to access and obtain information.

Those provisions were later stricken from the proposal, although federal law enforcement agencies were still given a large amount of latitude to conduct investigations relating to electronic information. The act is generating a lot of discussion about what capabilities law enforcement should be allowed in the detection of criminal activity.

Cyber Security Enhancement Act

This act, if passed, would give federal agencies relatively easy access to ISPs and other data transmission facilities in order to monitor the communications of individuals suspected of committing computer crimes over the Internet. It was initially proposed in July 2002 and is currently under debate; many privacy groups are filing briefs about the potential violations of civil rights that the act would make possible if enacted.

Patriot Act

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) of 2001 was passed largely in response to the attacks of September 11, 2001. This law gives the United States government extreme latitude in pursuing persons suspected of committing terrorist acts.

The definition of a terrorist act is broad, which leaves a great deal of latitude regarding what counts as terrorism. The law provides relief to victims of terrorism, as well as the ability to conduct virtually any type of surveillance of a suspected terrorist. The act is currently under revision and will probably be expanded.

International Efforts

Many governments are now evaluating their current laws regarding cyber-terrorism, cybercrime, and privacy. Among the bodies currently evaluating cyber laws are the European Union and the G8.

The European Union (EU) is evaluating its current laws regarding cybercrime and is expected to enact tough legislation regarding computer use. The EU is a common governance body that currently includes 15 member nations; Table 10.1 shows the current members. A number of nations are expected to join the EU in the next few years. Membership currently includes most of Western Europe, and the EU is likely to be quite formidable in its ability to pursue and prosecute cyber criminals.

Table 10.1: EU Member Nations

EU Nations          EU Nations
Belgium             Luxembourg
Denmark             The Netherlands
Germany             Austria
Greece              Portugal
Spain               Finland
France              Sweden
Ireland             United Kingdom
Italy

The EU is working on laws to protect computer systems and prevent cybercrime. The most far-reaching instrument under consideration is the Convention on Cybercrime, a treaty drafted by the Council of Europe that would require signatory nations to criminalize unauthorized access to computer systems. It is generating concern among security researchers in Europe about the legality of legitimate research.

The EU is adopting the strategy of treating all member nations as a single Information Society, and it will be passing laws and regulations regarding computer security and privacy on that basis.

International agencies (such as Interpol and the G8) are evaluating guidelines and laws about cybercrime. Asian and Pacific nations appear to be dealing with cybercrime issues on an individual basis.



CompTIA Security+ Study Guide. Exam SY0-101
ISBN: 078214098X
Year: 2006
Pages: 167