9.5. Regulating Privacy and Security

An organization's security management policies don't exist in a vacuum. Regulatory and governmental agencies impose requirements that a security management policy must satisfy. Over the last several years these agencies have done a great deal to protect the privacy of information, and several laws have been passed to help ensure that information isn't disclosed to unauthorized parties. The following sections provide a brief overview of a few of these regulations. As a security professional, you must stay current with these laws because you're one of the primary agents responsible for ensuring compliance.

NOTE

In addition to the federal laws, most states have laws on computer crime as well. Check http://nsi.org/Library/Compsec/computerlaw/statelaws.html for information on your state.

9.5.1. The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) mandates national standards and procedures for the storage, use, and transmission of personal medical information. Passed into law in 1996, HIPAA has caused a great deal of change in healthcare record keeping.

HIPAA covers three areas—confidentiality, privacy, and security of patient records—and it was implemented in phases to make the transition easier. Confidentiality and privacy of patient records had to be implemented by a set date, followed by security of patient records. Standards for transaction codes in medical record transmissions had to be completed by a given date as well; the last of these compliance deadlines ran through 2008.

The penalties for HIPAA violations are very stiff: Criminal penalties for knowingly misusing individually identifiable health information can reach $250,000 in fines and up to 10 years in prison, depending on the circumstances. Covered entities such as medical practices are required to designate a security official responsible for their security program. All related parties that handle patient data on their behalf (business associates), such as billing agencies and medical records storage facilities, are required to comply with these regulations as well.

NOTE

For more information on HIPAA, you can visit http://www.cms.hhs.gov/HIPAAGenInfo/.

9.5.2. The Gramm-Leach-Bliley Act of 1999

The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act, requires financial institutions to develop privacy notices and to inform customers of their privacy rights. The act prohibits banks from releasing nonpublic personal information to nonaffiliated third parties without giving the customer the chance to refuse. Many consumer groups have criticized the way financial institutions have implemented this act.

Under the act's Safeguards Rule, employees must be trained on information security issues, and security measures must be put into place and tested to verify that customer information is protected. The act also includes a number of other provisions that allow banks, securities firms, and insurance companies to affiliate and form partnerships.

The act requires banks to explain their information-sharing policies to individual consumers. Customers have the ability to "opt out" of having their information shared with nonaffiliated third parties.

The act prohibits institutions from sharing account numbers with nonaffiliated third parties for marketing purposes. It also prohibits obtaining customer information by false pretenses, a practice known as pretexting.

The privacy provisions took full effect in July 2001. Financial officers and the board of directors can be held liable for violations.

NOTE

For more information on the Gramm-Leach-Bliley Act, visit http://www.ftc.gov/privacy/privacyinitiatives/glbact.html.

9.5.3. The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) was enacted in 1986. The original law was introduced to address computer fraud and abuse that weren't well covered under existing statutes. The law was amended in 1994, in 1996, and again in 2001 by the USA PATRIOT Act.

This act gives federal authorities, primarily the FBI and the Secret Service, the ability to investigate and prosecute unauthorized access to "protected computers," and since the 2001 amendments certain CFAA offenses can also be charged as federal crimes of terrorism. The law was originally intended to protect government and financial computer systems from intrusion, but the definition of a protected computer now also includes any computer used in interstate or foreign commerce or communication, which in practice covers virtually any Internet-connected system. The statute also reaches attempts and conspiracies, so anyone who can be shown to have knowingly taken part in such an intrusion can be prosecuted, not only the person at the keyboard.

The law is comprehensive and allows for stiff penalties: fines and imprisonment of up to 10 years for a first conviction under this statute, with longer terms for repeat offenses.

NOTE

For more information on the Computer Fraud and Abuse Act, visit http://cio.doe.gov/Documents/CFA.HTM.

9.5.4. The Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) dictates that educational institutions may not release student education records to unauthorized parties without the express written permission of the student or, in the case of a minor, the student's parents. This act also gives students (or parents of minors) the right to inspect and review the records an institution keeps on them. This law has had a huge impact on the privacy requirements for student records. It applies to any school that receives federal funding from the Department of Education, and that funding is jeopardized if violations occur.

NOTE

For more information on FERPA, visit http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html. To view a database of losses involving personally identifiable information, visit http://attrition.org/dataloss/.

9.5.5. The Computer Security Act of 1987

The Computer Security Act of 1987 required federal agencies to identify computer systems that contain sensitive information and to develop security plans to protect them. It required agencies that keep sensitive information to conduct regular security training and audits, and to implement procedures to protect privacy. All federal agencies had to comply with this act; its requirements were later superseded by the Federal Information Security Management Act (FISMA) of 2002.

NOTE

For more information on the Computer Security Act, visit http://epic.org/crypto/csa/.

9.5.6. The Cyberspace Electronic Security Act

The Cyberspace Electronic Security Act (CESA) was legislation proposed by the Clinton administration in 1999 that would have given law enforcement access to encryption keys and key-recovery information held by third parties. The initial draft of the bill would have allowed federal law enforcement agencies to secretly enter premises and use monitoring and electronic capturing equipment to obtain keys and other information. Those provisions were stricken from the draft before it was sent to Congress, although the bill still gave federal law enforcement agencies a large amount of latitude to conduct investigations involving encrypted information. CESA was never enacted, but it generated a lot of discussion about what capabilities law enforcement should be allowed in the detection of criminal activity, and that debate continues.

NOTE

For more information on CESA, visit http://www.cdt.org/crypto/CESA/.

9.5.7. The Cyber Security Enhancement Act

The Cyber Security Enhancement Act of 2002 broadens the circumstances under which ISPs and other data-transmission facilities may voluntarily disclose customer communications to government agencies without a warrant, for example in emergencies involving an immediate danger of death or serious physical injury, which makes it easier for federal agencies to monitor individuals suspected of committing computer crimes using the Internet. It also increased the penalties for certain computer crimes. The act was enacted as Section 225 of the Homeland Security Act of 2002.

NOTE

For more information on the Cyber Security Enhancement Act, visit http://www.usdoj.gov/criminal/cybercrime/homeland_CSEA.htm.

9.5.8. The Patriot Act

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 was passed largely in response to the terrorist attacks of September 11, 2001. This law gives the U.S. government broad latitude in pursuing those who commit terrorist acts, and its definition of a terrorist act is broad.

The law provides relief to victims of terrorism as well as the ability to conduct virtually any type of surveillance of a suspected terrorist. The act has been revised and reauthorized since its passage, and further changes are likely.

NOTE

For more information on the Patriot Act and the current budget, visit http://www.cbo.gov/showdoc.cfm?index=3180&sequence=0&from=6. A transcript of the act can be found at http://www.fincen.gov/hr3162.pdf.

9.5.9. Familiarizing Yourself with International Efforts

Many governments are now evaluating their laws regarding cyberterrorism, cybercrime, and privacy. Among the bodies currently evaluating cyber laws are the European Union (EU) and the G8.

The EU, a political and economic union of many member nations, is expected to enact tough legislation regarding computer use. In the next few years, the EU is likely to be formidable in its ability to pursue and prosecute cyber criminals.

The EU is adopting the strategy of treating all EU member nations as one large "Information Society," and it is passing laws and regulations regarding computer security and privacy that apply across all members. It's also working on laws to protect computer systems and prevent cybercrime. The most all-encompassing measure is the Council of Europe's Convention on Cybercrime (the Budapest Convention, opened for signature in 2001), which requires signatories to criminalize illegal access, illegal interception, data and system interference, and the misuse of devices such as hacking tools. The last of these provisions, in particular, has generated concern among security researchers in Europe about the legality of legitimate research.

International bodies (such as Interpol and the G8) are evaluating guidelines and laws about cybercrime. Asian and Pacific nations appear to be dealing with cybercrime issues on an individual basis.
