Laws relating to data security and privacy
The following laws are aimed at protecting consumer information in the United States (the last entry covers the European Union). Despite the steady stream of customer data breaches, there is still no single federal data protection law that applies to all businesses. Instead, a patchwork of sector-specific laws covers tens of thousands of organizations in healthcare, financial services and other industries.
- Gramm-Leach-Bliley Act (GLBA) - GLBA was passed in 1999 and drastically changed the banking and finance industry. While the law is very broad, it contains some important consumer protection requirements. In short, GLBA requires your bank to notify you of its privacy policies and gives you certain rights to limit the use of your personal information. For example, you can choose to "opt out" of having your bank share your personal information with non-affiliated organizations for marketing purposes. GLBA also requires banks, credit unions, mortgage companies and other financial institutions to provide reasonable safeguards for your personal information. This means that if you work in the financial services industry, your organization must implement a written information security program that treats private customer information as confidential data to be protected.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) - This mouthful was enacted by Congress in 1996 to make broad changes in the way healthcare information is collected, processed and transferred; the detailed requirements come from the rules the Department of Health and Human Services issued under it, chiefly the Privacy Rule and the Security Rule. While HIPAA imposes a broad range of requirements on any organization that handles your personal medical information, there are a few key consumer protection parts of the law that you should be aware of.
- Fair Credit Reporting Act - The Fair Credit Reporting Act (FCRA) controls how your credit history is kept by credit bureaus and used by lenders. It was amended with important consumer protection measures by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). For example, the FACTA Disposal Rule makes it illegal to improperly dispose of sensitive consumer report information. As a result, every company that handles this kind of private customer information must know and follow proper methods of data destruction, such as shredding paper records and securely wiping or destroying electronic media.
- The Sarbanes-Oxley Act - If your employer is publicly traded on any U.S. stock exchange, it is subject to the provisions of Sarbanes-Oxley (SOX). In short, Sarbanes-Oxley requires corporations to maintain proper internal "controls" over information that affects the organization's financial reporting. Of course, this applies to a LOT of information, including the IT systems that store and process it. For you, a "control" will most likely be a policy or procedure that you must follow. Compliance is serious business: it is expensive for most organizations, and it requires the CEO and CFO to personally certify the accuracy of the company's financial reports. Serious violations can range from fines to possible stock delisting and/or jail time.
- EU Data Protection Directive - The European Union Data Protection Directive (95/46/EC), adopted in 1995 with a 1998 deadline for member states to implement it, requires organizations that collect, store or transmit personal data on individuals in the European Union to put programs in place to protect that information. It applies to any person or organization that collects or handles personal data of individuals in any EU member state, and it restricts transferring that data outside the EU to countries that do not provide an adequate level of protection. The Directive requires organizations to establish privacy policies that adopt "fair information principles," which include allowing individuals to verify the uses and accuracy of their personal data and to have it corrected. Note that the Directive has since been replaced by the General Data Protection Regulation (GDPR), which has applied across the EU since May 2018 and carries over and strengthens these same principles.