Chapter 6

Laws and Regulations

This chapter discusses a number of issues that pertain to laws, regulations, compliance, and privacy. It covers how a great number of laws and regulations exist that may be pertinent to computing, as well as how such things can vary heavily from one country to the next. It talks about issues regarding regulatory compliance and industry compliance, and how these might affect businesses and organizations operating in a wide variety of industries. Lastly, it discusses the issue of privacy overall, including privacy rights and how privacy issues may come into play when conducting business.

Keywords

laws; regulations; compliance; privacy

Information in This Chapter

• Laws and regulations

• Compliance

• Privacy

Introduction

As an information security professional, it is very important to understand the role laws and regulations play, as well as how compliance might impact us, both from a personal and a business perspective. In many cases, the requirements within which we must operate during the course of protecting our respective organizations, helping to design new systems and applications, deciding on data retention periods, recommending encryption or tokenization of sensitive data, and a huge number of other activities that are part and parcel of being a security professional will be driven by the need to comply with one or more of a number of rules, some having the weight of law and some being industry standards with business but not legal impacts.

These requirements may also govern our processes or ability to collect information, pursue investigations, monitor networks, and any of a number of activities that we might wish to execute as part of our appointed roles. Companies that operate internationally may particularly feel the complexity of these issues, as the laws regarding data, employee information, use of encryption, and similar commonplace activities may actually change from one part of the enterprise to the next, based on where each part is located or on the national laws of the country from which the data we are storing originated.

Laws and regulations

Speaking specifically in the context of information security, the body of applicable laws and regulations with which we, as information security professionals, might potentially need to concern ourselves is massive. In the world of physical incidents, such issues, although still potentially complex, are much more straightforward and more easily enforceable.

For example, let’s consider a brick-and-mortar storefront being vandalized. Our attacker comes up to the front of the store, spray paints obscene messages all over the front of the store, drops the can of paint, and then leaves. The cost of repairing the damage is over $1000, so the police investigate the crime. The police, having a record of the attacker’s fingerprints on the can, are able to track him down, in the process discovering that he is a serial vandal. Furthermore, in the course of the investigation, it is discovered that the attacker is in the country on a foreign student visa. Given the record of offenses, his visa is revoked and he is deported from the country.

Now let’s look at the same example from a slightly different angle. In this case, we have an online storefront (web page) which is defaced. Investigators who are part of the information security department at the victim company are able to trace back through their logs and discover that the attack that compromised their web server originated from a Chinese IP address (much like fingerprints). Unfortunately, the defacement came from a different IP address, one belonging to Microsoft’s Azure hosting service. Additionally, traffic from Amazon’s hosting service, Rackspace, and a number of others is all found in the logs as well, all originating from different countries. At this point, the company has patched the vulnerability that they think allowed the attacker in and repaired the web site. They have a number of potential leads that they could follow up on, but no authority to pursue them. At this point, the incident is reported to the FBI and generally will not be pursued as an active investigation, because it doesn’t cross the loss threshold they follow due to the high volume of cases.

Such issues are all too common in the information security industry. Law today follows geographic boundaries that the Internet ignores, making enforcement complex at best and impossible in some cases, because the countries involved have few if any laws governing Internet use.

US laws applicable to computing

When we speak of laws that apply specifically to computing, a certain amount of gray area comes into play. There are a few laws, such as the Computer Fraud and Abuse Act or the USA PATRIOT Act, that are often applied specifically to computing and computer-related issues. There is also a host of others that apply, often relating to the data being handled, communications media, and other such factors. If we take a high-level look at just the US laws, regulations, and standards that could conceivably be applied to the information security industry, we might start with the list in Table 6.1.

Table 6.1

A Selection of US Laws, Regulations, and Standards Pertinent to Information Security

Law, Regulation, or Standard | Abbreviation | Subject
Bank Secrecy Act | BSA | Money laundering
Communications Assistance for Law Enforcement Act of 1994 | CALEA | Telecommunications assistance for law enforcement
Controlling the Assault of Non-Solicited Pornography and Marketing | CAN SPAM | Rules for spam
Computer Fraud and Abuse Act of 1986 | CFAA | Computer fraud and abuse
Children’s Internet Protection Act of 2001 | CIPA | Protecting children from harmful content
Children’s Online Privacy Protection Act of 1998 | COPPA | Private data of children
Driver’s Privacy Protection Act of 1994 | DPPA | DMV records
Electronic Freedom of Information Act of 1996 | E FOIA | Government documents
Equal Credit Opportunity Act | ECOA | Credit information
Electronic Communications Privacy Act of 1986 | ECPA | Electronic communications (wiretaps)
Electronic Funds Transfer Act | EFTA | Transfer of funds
Fair and Accurate Credit Transactions Act | FACTA | Electronic banking
Consumer Credit Reporting Reform Act of 1996 | CCRRA | Credit records
Fair Credit Reporting Act of 1999 | FCRA | Credit records
Fair Debt Collection Practices Act | FDCPA | Debt collection
Federal Energy Regulatory Commission | FERC | Energy regulation
Family Education Rights and Privacy Act of 1974 | FERPA | Educational records
Financial Industry Regulatory Authority | FINRA | Securities
Federal Information Security Management Act | FISMA | Government information security
Federal Trade Commission Act | FTCA | Unfair trade practices
Gramm–Leach–Bliley Financial Services Modernization Act of 1999 | GLBA | Consumer financial information
Health Insurance Portability Act | HIPAA | Patient information
Health Information Technology for Economic and Clinical Health Act | HITECH | Health information technology
International Traffic in Arms Regulation | ITAR | Import and export of defense items
North American Electric Reliability Corporation | NERC | Reliability of electric utilities
Office of Foreign Assets Control | OFAC | Economic and trade sanctions
Payment Application Data Security Standards | PA DSS | Payment cards
Payment Card Industry Standard | PCI DSS | Payment cards
Privacy Protection Act of 1980 | PPA | Privacy of journalists
Right to Financial Privacy Act of 1978 | RFPA | Privacy of financial institutions
California Senate Bill 1386 | SB 1386 | Breach notifications
Sarbanes–Oxley Act | SOX | Accuracy of corporate financial information
Telephone Consumer Protection Act of 1991 | TCPA | Telephone solicitation
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 | USA PATRIOT Act | Anti-terrorism
Computer Matching and Privacy Protection Act | | Automated matching of Privacy Act records
Federal Identity Theft and Assumption Deterrence Act | | Identity theft
Do Not Call Registry | | Telemarketing
Financial Integrity Act | FMFIA | Government accounting and administrative controls
Help America Vote Act of 2002 | HAVA | Requirements for US voting systems
Homeland Security Act of 2002 | | Department of Homeland Security data
NASD Rule 3110 | | Securities customer information
SEC Rule 17a-4 | | Data for securities transactions
Title 21 Code of Federal Regulations Part 11 | | Electronic signatures

Keep in mind that this is by no means an exhaustive list, but it is certainly a daunting set of various items of a legislative or regulatory nature that we might find ourselves involved with. In many cases, an organization operating in any given industry will find itself bound by a good number of the laws on this list. Needless to say, the opportunity to violate one or more of these laws out of ignorance looms very large. For this very reason, we will often find information security, privacy, HR, and legal departments working in close proximity to each other.

Laws that might pertain to computing are in a constant state of flux. Some such information is maintained by the National Conference of State Legislatures [1] and HG.org [2], as well as in a number of other places. As a security professional, it may pay to keep up on such issues over time.

Laws outside of the United States

While we have previously discussed laws as they relate to computing and data in the United States, it is important to note that the laws governing these areas are, in some cases, vastly different outside of its borders. As large as the list of US laws in Table 6.1 was, for those of us operating internationally, we need to find the analog of it for every country in which we plan to conduct business. Additionally, there are a number of treaties, the specifics depending on the countries involved, that cover how such matters are handled between different countries, even when only data has crossed an actual border.

Particularly in the security industry, this is an area that needs to be handled with great care. Where we might be able to gather log data containing a list of machine names and associated user names, cross-referenced by the owner’s employee number and e-mail address in one country, this might be very problematic, perhaps even illegal in another country. Particularly in areas where we might find ourselves operating internationally, it pays to find out where we might encounter such issues well in advance of actually running up against them.

A common example that demonstrates these issues is the European Union’s (EU) Data Protection Directive (Directive 95/46/EC), which covers the requirements to protect individuals’ personally identifiable information (PII). These are much more stringent than current US requirements, but if a US company is storing data on EU citizens in the United States, they must still comply with EU laws.

Another item that makes international computer law particularly interesting to pursue is the lack of a consistent set of laws regarding extradition. For example, in 2001 and 2002, a hacker from Scotland named Gary McKinnon broke into a number of US government systems in an effort to discover information on governmental cover-ups of UFO activity. He compromised systems belonging to the Department of Defense, NASA, and several others in the process of his search for information. Ultimately, he was caught in the United Kingdom and arrested for computer crime. The United States has spent the 12 years since (still ongoing as this is being written) attempting to extradite him to stand trial. The British government has denied such requests, based on the large differences between how prisoners are handled in the United States and McKinnon’s fragile state of health [3]. Particularly in cases involving computer crime, extradition issues are not unusual.

Compliance

In recent years, compliance issues have greatly changed the way that the information security industry, and the businesses which it supports, have begun to operate. If we look back a decade, the majority of information security efforts were centered on a few policies and a general mandate to keep attackers out. Yes, regulations did exist at that time to help protect data and consumers, but such efforts were considerably less defined than they are now and not as strictly enforced.

In the present state of the security industry, we have a number of issues that push us further in the direction of compliance. There is an ongoing series of large breaches, such as the Target breach in December 2013, which draw additional scrutiny to compliance issues (Payment Card Industry (PCI) compliance in this case). There are also regular updates to the regulations with which we must comply and new regulations being enacted. This creates a moving target for companies that need to be concerned with compliance.

In December 2013, the large retail chain Target announced a breach of its systems involving 40,000,000 records of payment card data, including track 2 data (the data captured from the magnetic stripe on the card itself). Ultimately it was discovered that attackers had compromised the configuration management system in place at Target and used it to push malware to Point of Sale (POS) systems across all of Target’s stores. This was unique in that most past compromises of payment card data were from the database and not at the cash register. The malware scraped the payment card data from RAM on the POSs and then sent the collected data to another internal system (thus bypassing network segmentation of the POSs) that the attackers had compromised. From this intermediary system, the data was collected and sent via FTP to a server in Russia, 11 Gb of data in all. In addition to this, another Target system was compromised and 70,000,000 records containing PII were exfiltrated. The malware that was used was a kit called “blackPOS” that was used in multiple retail store compromises. The scope and details of the PII portion of the breach are still unknown as this is being written.
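As an added example that is not part of the book, the following Python correlates the two hops just described from a defender’s side: many POS hosts feeding one internal host that is not an approved POS destination (the staging host that sidestepped segmentation), and that host then pushing a large volume to an external address over FTP. The POS subnet, the allowlist, the thresholds, and the flow records are all constructed assumptions.

```python
"""Correlate the POS -> internal staging host -> external FTP chain.
Subnets, allowlist, thresholds and flow records are constructed assumptions
for illustration, not data from the Target incident."""
import ipaddress
from collections import defaultdict

# Assumed POS segment and the only backend that POS hosts may legitimately reach.
POS_SUBNET = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_POS_DESTS = {ipaddress.ip_address("10.10.1.5")}  # assumed payment gateway
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}
MIN_POS_SOURCES = 3            # distinct POS hosts feeding one unapproved host
MIN_EGRESS_BYTES = 1_000_000   # outbound volume from a staging host worth flagging

# Constructed flow records: "timestamp src dst dst_port bytes" (not real traffic).
SAMPLE_FLOWS = """\
2013-12-02T01:15:03Z 10.50.3.21 10.10.1.5 443 1840
2013-12-02T01:15:09Z 10.50.7.44 10.10.1.5 443 1775
2013-12-02T01:16:10Z 10.50.3.21 10.10.9.77 445 524288
2013-12-02T01:16:12Z 10.50.7.44 10.10.9.77 445 498201
2013-12-02T01:16:20Z 10.50.12.8 10.10.9.77 445 611002
2013-12-02T01:17:01Z 10.50.12.8 10.10.1.5 443 1620
2013-12-02T02:00:00Z 10.10.9.77 203.0.113.40 21 7340032
2013-12-02T02:00:05Z 10.10.2.3 203.0.113.41 443 4096
"""


def is_internal(ip):
    """True for RFC 1918 addresses; everything else is treated as external."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, nbytes = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(port), int(nbytes)))
    return flows


def find_staging_hosts(flows):
    """Hop 1: internal hosts outside the POS allowlist that several POS hosts feed."""
    sources = defaultdict(set)
    for src, dst, _port, _n in flows:
        if src in POS_SUBNET and is_internal(dst) and dst not in ALLOWED_POS_DESTS:
            sources[dst].add(src)
    return {dst for dst, srcs in sources.items() if len(srcs) >= MIN_POS_SOURCES}


def find_ftp_egress(flows, staging_hosts):
    """Hop 2: a suspected staging host sending a large volume out over FTP."""
    egress = defaultdict(int)
    for src, dst, port, n in flows:
        if src in staging_hosts and not is_internal(dst) and port in FTP_PORTS:
            egress[(src, dst)] += n
    return {k: v for k, v in egress.items() if v >= MIN_EGRESS_BYTES}


def detect(text):
    """Return one alert string per (staging host, external FTP server) pair."""
    flows = parse_flows(text)
    staging = find_staging_hosts(flows)
    return [f"staging host {src} fed by POS segment sent {total} bytes over FTP to {dst}"
            for (src, dst), total in sorted(find_ftp_egress(flows, staging).items())]


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The host 10.10.2.3 talking HTTPS to an external address is deliberately not flagged: it was never fed by the POS segment, which is the property that distinguishes the staging host.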

Regulatory compliance

Regulatory compliance is a matter that is very specific to the industry in which a given company or organization is operating and how it is structured, although it is often more far-reaching than we might imagine. If we look at a bank, for instance, we might assume that they need to be compliant with banking-related regulations and stop there. We might think items such as GLBA, FCRA, and audits from the Federal Deposit Insurance Corporation (FDIC) would be the limit of their concern. We would also add PCI DSS (Data Security Standard), as they likely issue cards with a Visa or MasterCard logo, HIPAA, as they have employee health insurance data, PII in the form of employee data, and any of a number of other areas.

In many cases, regulatory compliance comes packaged with cyclical audits and assessments to ensure that everything is being carried out according to specification. Preparing for such inspections can actually be a valuable part of a compliance program as participating in these sorts of efforts serves as both an education to participants and an opportunity to find and fix issues.

Industry compliance

In a small number of cases, we will face compliance with regulations which are not mandated by law, but which can nonetheless have severe impacts upon our ability to conduct business. The primary example of this which is in common use is compliance with the PCI DSS, often simply referred to as PCI compliance. In this particular case, a body composed of credit card issuers (Visa, American Express, and MasterCard, among others) has established a set of security standards as a condition of processing credit card transactions using cards issued by their various members.

Although this body cannot legally enforce compliance with its standards, its mandate certainly does have teeth. Merchants processing credit card transactions based on cards from PCI members must, based on the number of transactions processed, submit to yearly assessments of their security practices. For very low numbers of transactions, this is a very simple self-assessment process consisting of a short questionnaire. As the number of transactions grows, the requirements become progressively stiffer, culminating in visits by specially certified external assessors, mandated penetration tests, requirements for internal and external vulnerability scanning, and a great deal more. For those found not to be in compliance, penalties range from hefty fines to removal of the ability to process credit card transactions. We might suppose that, for a business that depends heavily on credit card transactions, such as a retail store, losing the ability to process credit cards would be a business-ending proposition.

Privacy

In many cases, dealing with what might be considered privacy-related information, often referred to as PII, is a daily part of conducting business. If we look at a large retailer, such as Amazon, any given customer may have given them their name, address, social security number (in the case of buying a phone and plan through them), phone number, e-mail address, mobile device information, IP address, MAC address, and any number of other similar points of data. In the case of financial institutions or schools, this will extend into date of birth, information on dependents, credit history, previous residences, a sample of a signature, and so on.

While this information may not seem to be of great significance to some consumers, the unauthorized exposure of it can be very harmful. The resultant fraud and identity theft can result in all manner of issues for the breached company, including lawsuits, reputational damage, fines from regulators, and a number of other expenses. For a large breach, the cost of mitigation can be high.

Privacy can be an item of large concern in both the business and personal worlds, and can be a highly varied and relative concept from one person or business to another, as well as between differing geographic locations. When we have a concept so tenuous that two people can only agree on it at the highest of levels, and what might be acceptable in one location may not be acceptable in another location a few steps away, we have serious potential to create or experience issues.

The concept of privacy

What exactly do we mean when we say privacy? The answer to this question will vary heavily depending on who answers it. The dictionary definition of privacy is “the state or condition of being free from being observed or disturbed by other people” [4]. While this may be a fine definition and does indeed cover the basics, it is somewhat lacking in the more subtle areas of what privacy means to us.

Many of the issues surrounding privacy relate to a general lack of definition and the highly situational nature of the issue. For example, if we take a picture of children playing in a park, is this an issue? If they are our children then no, but if they are someone else’s kids then it could be an issue. If our children are playing with their children, this may make it more acceptable. Such issues are difficult to sort out when given a very simple set of parameters and only become more difficult with added complexity. There are federal, state, local, and tribal laws that govern what can be recorded. These are important to understand when we have a camera as part of our security infrastructure. We also need to remember that our video records can become part of an investigation or be subpoenaed by others.

Privacy rights

The concept of an individual’s right to privacy is something that has been discussed for many years and, like any other privacy topic, is a bit of a gray area. In some countries, such as Spain, the Czech Republic, Iceland, Norway, and Slovenia, issues of privacy are considerably cleaner and clearly defined by law. On the other end of the scale, we see countries such as Bahrain, Iran, Nigeria, Syria, and Malaysia [5].

In the United States, one of the major privacy laws which appeared on the list earlier in this chapter is the Federal Privacy Act of 1974. This act “safeguards privacy through creating four procedural and substantive rights in personal data. First, it requires government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called ‘fair information practices,’ when gathering and handling personal data. Third, it places restrictions on how agencies can share an individual’s data with other people and agencies. Fourth and finally, it lets individuals sue the government for violating its provisions” [6].

In addition to the federal laws that might apply to privacy, the United States has seen a number of state laws appear in the last decade. State laws in this area have often been implemented in order to shore up perceived weaknesses in federal laws. For example, California’s Senate Bill 1386 (SB 1386) specifically calls out the requirements for handling unauthorized exposure of data relating to residents of that particular state.

SB 1386 “requires an agency, person, or business that conducts business in California and owns or licenses computerized ‘personal information’ to disclose any breach of security (to any resident whose unencrypted data is believed to have been disclosed)” [7]. In addition to California, a number of states have similar laws regarding how the data of residents is handled. In each state, the laws, although primarily similar, differ in implementation. This means that large businesses that have customers in all states, Amazon being a good example, then need to ensure compliance with each set of state laws.

In the case of a security incident, such as a breach impacting a geographically dispersed set of customers, notification to impacted customers would need to be conducted in accordance with the applicable law in each state. Some notifications might need to be sent sooner than others, some might be mandated to include specific remediation steps, and some might require officials in the state to be notified as well, and so on. We can quickly see where, given privacy laws at the state, federal, and international levels, a global company may very easily fall out of compliance with the law in one or more locations.

2013, the year of global surveillance issues

The year 2013, if remembered for nothing else in history, is sure to be remembered for the massive exposure of state-sponsored surveillance of individual citizens in the name of waging the international fight against terrorism. The launching event for this series of linked issues was the theft and subsequent exposure of classified materials from the US National Security Agency (NSA) by a contract employee named Edward Snowden. Among the many items exposed in these documents (with more continuing to be released as this is written) were the various programs that existed to surveil the electronic communications of US citizens, including e-mail, social media, compromise of firmware and hardware in electronic devices, compromise of entire Internet Service Providers (ISPs), and seemingly countless other such examples [8]. In the wake of the first such exposures, similar programs were uncovered in other countries, including France, Germany, New Zealand, Canada, and a number of others [9].

The ultimate question to be asked here is how organizations manage their internal security to prevent unauthorized disclosure of information. WikiLeaks has posted information about banks, classified information, politicians, and others. This information has come from groups that broke in, such as “Anonymous,” and from insiders that provided it to them. As security professionals, we must both prevent information from unauthorized release and be able to catalog and categorize what information was taken if there is a leak.

Privacy and business

Privacy can be a very touchy concept when conducting a business, particularly regarding the handling of sensitive data. As we discussed earlier in this chapter when covering laws regarding the handling and protection of data, the concept of sensitive data can be a bit tenuous, at best. If we are working in an industry that involves selling goods or services, we may handle your name, address, social security number, payment card data, date of birth, e-mail address, phone numbers, IP addresses, MAC addresses, operating system and application information, mobile device information, biometric data, and numerous other items. The majority of the information that we just listed (if not all, depending on location) could be considered sensitive data and needs to be handled appropriately. Even in the case where the individual data item is not regulated, exposing it may result in reputational or brand damage and may negatively impact the organization, so it still needs to be handled carefully. On the other hand, if we are a social media company, we may not treat any of the information as sensitive, but rather have the users sign an agreement that everything they share is open to free use.

The sensitivity of an individual business to privacy issues will often vary from one organization to the next. Some organizations will border on being careless and have little to no resources devoted to ensuring that privacy issues are handled with care. Others will take the opposite extreme stance and will carry privacy protection to the extent that it is allowed to take priority over conducting business. Where in this spectrum is the proper place to be, we might ask? As with many issues, likely somewhere in the middle. Although it is important to ensure privacy issues are handled with care, it is also important to ensure that the business can carry out its primary purpose.

Summary

In this chapter we have discussed a number of issues that pertain to laws, regulations, compliance, and privacy. We discussed how a great number of laws and regulations exist that may be pertinent to computing, as well as how such things can vary heavily from one country to the next. We talked about issues regarding regulatory compliance and industry compliance, and how these might affect businesses and organizations operating in a wide variety of industries. Lastly, we discussed the issue of privacy overall, including privacy rights and how privacy issues may come into play when conducting business.

Questions

1. Select a law from the list of US laws applicable to computing in this chapter and summarize its main intent and potential impacts.

2. How can a compliance audit be a positive occurrence?

3. Research a country with strong privacy laws and contrast these with the laws in the United States in implementing a business offering.

4. Who is Edward Snowden and what did he disclose? Do you think what he did was right? Is what he did legal?

5. What issues might make conducting an international information security program complex? Give three examples.

6. What are some factors that make privacy issues difficult to handle?

7. Why are industry self-imposed regulations, such as PCI DSS, important?

8. Why are laws such as SB 1386 significant when considering privacy? Should there be a federal law covering privacy?

9. Why might extradition be a delicate issue when prosecuting computer crimes?

10. Research and find three breach notification letters issued from actual breaches. How do they differ?
