Security laws, regulations and guidelines directory

1 2 3 4 Page 2
Page 2 of 4

* Verifiable parental consent, for internal use, public disclosure and third-party disclosure of information.

* Verification that a parent requesting access to child's information is actually the parent.

* Ability for parents to revoke consent and delete information.

* The ability for industry groups and others to create self-regulatory programs to govern compliance with COPPA.

Source: Federal Trade Commission

Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule

What it covers: Passed in December 2003, FACTA is an amendment to the Fair Credit Reporting Act that is intended to help consumers avoid identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in the legislation. The Act also says businesses in possession of consumer information or information derived from consumer reports must properly dispose of the information.

The Red Flags Rule establishes new provisions within FACTA requiring financial institutions, creditors, etc. to develop and implement an identity theft prevention program. The Red Flags Rule has been delayed several times and is currently scheduled for enforcement by the FTC starting December 31, 2010.

Who is affected: Credit bureaus, credit reporting agencies, financial institutions, any business that uses a consumer report and creditors. As defined by FACTA, a creditor is anyone who provides products or services and bill for payment.

Link to the law:

Red Flags Rule:

Key requirements/provisions: FACTA includes the following key provisions:

* Free reports. Consumers can obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies.

* Fraud alerts and active duty alerts. Individuals can place alerts on their credit histories if identity theft is suspected or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult.

* Truncation: Credit cards, debit cards, Social Security numbers. Credit and debit card receipts may not include more than the last five digits of the card number or the expiration date. Consumers who request a copy of their file can also request that the first five digits of their Social Security number not be included.

* Information available to victims. A business that provides credit or products and services to someone who fraudulently uses your identity must give you copies of the documents, such as credit applications.

* Collection agencies: If a victim of identity theft is contacted by a collection agency about a debt that resulted from the theft, the collector must inform the creditor of that. When creditors are notified that the debt is the work of an identity thief, they cannot sell the debt or place it for collection.

* Red Flags Rule: Several provisions within FACTA require financial institutions, creditors, etc. to develop and implement an identity theft prevention program, aimed at early detection and mitigation of fraud. The program must include provisions to identity relevant "red flags," detect these early warning signs, respond appropriately and periodically update the program. Additional provisions include guidelines and requirements to assess the validity of a change of address request and procedures to reconcile different consumer addresses. The deadline for complying with the Red Flags Rule has been extended several times and is currently December 2010. Questions remain as to which companies need to comply with this part of FACTA.

* Proper disposal of consumer reports. Consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal to avoid "dumpster diving" by identity thieves. This includes lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, attorneys and private investigators, debt collectors, individuals who obtain a credit report on prospective nannies, contractors or tenants.

* Disputing inaccurate information. Consumers can dispute data included in reports directly with the company that furnished it.

Source: Business Records Management, Privacy Rights Clearinghouse, Federal Trade Commission

Federal Rules of Civil Procedure (FRCP)

What it covers: In place since 1938, the FRCP discovery rules govern court procedures for civil lawsuits. The first major revisions, made in 2006, make clear that electronically stored information is discoverable, and they detail what, how and when electronic data must be produced. As a result, companies must know what data they are storing and where it is; they need policies in place to manage electronic data; they need to follow these policies; and they need to be able to prove compliance with these policies, in order to avoid unfavorable rulings resulting from failing to produce data that is relevant to a case.

More about ediscovery and electronic records

* How to compare and use legal hold software

* Digital forensics software tools: The usual suspects

* Intellectual property theft: How to stay out of the penalty box

* The 7 deadly sins of records retention

Security professionals may be involved in proving to a court's satisfaction that stored data has not been tampered with.

Who is affected: Any company that is--or could be--involved in a civil lawsuit within the federal courts. In addition, because states have adopted FRCP-like rules, companies involved in litigation within a state court system are also affected.

Link to the rules:

Key requirements/provisions: There are 13 sections to the FCRP. The major changes pertain to Chapter 5, Rules 26-37, as these require a detailed understanding of electronic data retention policies and procedures, what data exists and where, as well as the ability to search for and produce this data within the timeframes stipulated. Here is a summary of these rules:

Rule 26 (a): Makes clear that electronically stored information is discoverable and that companies must be able to produce relevant data.

Rule 26 (b)(2): Clarifies limits on discoverable data; for instance, companies are not required to produce data that would prove to be excessively expensive or burdensome, such as from sources that aren't reasonably accessible, like backup tapes used for disaster recovery and obsolete media.

Rule 26 (f): Stipulates that the parties involved need to discuss issues relating to the disclosure or discovery of electronic data before discovery begins.

Rule 33 (d): Establishes that a reasonable opportunity is provided to examine and audit the data provided.

Rule 34 (b): Establishes that electronic data is as important as paper documents, and that it must be produced in a reasonably usable format.

Rule 37 (f): Provides "safe harbor" when electronic data is lost or unrecoverable, as long as it can be proved that good-faith business operations were routinely followed.

Source: Cornell University Law School, Business Records Management

Section two: Industry-specific regulations and guidelines

Federal Information Security Management Act (FISMA)

What it covers: Enacted in 2002, FISMA requires federal agencies to implement a program to provide security for their information and information systems, including those provided or managed by another agency or contractor. It is Title III of the E-Government Act of 2002.

Who is affected: Federal agencies.

Link to the law:

Key requirements/provisions: FISMA recommends that an effective security program include the following elements:

* Periodic risk assessments.

* Policies and procedures based on these assessments that cost-effectively reduce information security risk and ensure security is addressed throughout the life cycle of each information system.

* Subordinate plans for information security for networks, facilities, etc.

* Security awareness training for personnel.

* Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices and controls, at least on an annual basis.

* A process to address deficiencies in information security policies.

* Procedures for detecting, reporting and responding to security incidents.

* Procedures and plans to ensure continuity of operations for information systems that support the organization's operations and assets.

Source: National Institute of Standards and Technology

North American Electric Reliability Corp. (NERC) standards

What it covers: The current set of 83 NERC standards were developed to establish and enforce reliability standards for the bulk-power system of North America, as well as protect the industry's critical infrastructure from physical and cyber threats. These overall standards became mandatory and enforceable in the U.S. on June 18, 2007. Critical Infrastructure Protection (CIP) elements of the reliability standard have been subsequently updated, most recently in 2009. CIP standards include identification and protection of both physical assets and digital ("cyber") systems.

Who is affected: North American electric utilities.

Link to the NERC reliability standards:

Key requirements/provisions: NERC standards fall into the following 13 categories:

* Resource and Demand Balancing

* Communications

* Critical Infrastructure Protection

* Emergency Preparedness and Operations

* Facilities Design, Connections and Maintenance

* Interchange Scheduling and Coordination

* Modeling, Data and Analysis

* Nuclear

* Personnel Performance, Training and Qualifications

* Protection and Control

* Transmission Operations

* Transmission Planning

* Voltage and Reactive

Source: NERC

Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records

What it covers: Part 11, as it is commonly called, was issued in 1997 and is monitored by the U.S. Food and Drug Administration. It imposes guidelines on electronic records and electronic signatures in an effort to uphold their reliability and trustworthiness.

Who is affected: All FDA-regulated industries that use computers for regulated activities, both in the U.S. and outside the country.

Link to the law:

With 2010 amendments:

Key requirements/provisions: Part 11 has 19 requirements, the most important of which include:

* Use of validated existing and new computerized systems.

* Secure retention of electronic records and instant retrieval.

* User-independent, computer-generated, time-stamped audit trails.

* System and data security, data integrity and confidentiality through limited authorized access to systems and records.

* Use of secure electronic signatures for closed and open systems.

* Use of digital signatures for open systems.

* Use of operational checks.

* Use of device checks.

* Determination that the people who develop, maintain or use electronic systems have the education, training and experience to perform their assigned task.

Source: LabCompliance

Health Insurance Portability and Accountability Act (HIPAA)

What it covers: Enacted in 1996, HIPAA is intended to improve the efficiency and effectiveness of the health care system. As such, it requires the adoption of national standards for electronic health care transactions and code sets, as well as unique health identifiers for providers, health insurance plans and employers.

(Note: HIPAA's requirements are significantly updated by the HITECH Act - see next entry).

More about HIPAA

* Managing HIPAA's pain

* Providence Health's CISO on recovering from HIPAA violations

Recognizing that electronic technology could erode the privacy of health information, the law also incorporates provisions for guarding the security and privacy of personal health information. It does this by enforcing national standards to protect:

* Individually identifiable health information, known as the Privacy Rule.

* The confidentiality, integrity and availability of electronic protected health information, known as the Security Rule.

The complete suite of rules is known as the HIPAA Administrative Simplification Regulations. It is administered by The Centers for Medicare & Medicaid Services and The Office for Civil Rights.

Who is affected: Health care providers, health plans, health clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.

Link to the law: An unofficial version (as of February 2009) that presents all the regulatory standards in one document:

Official versions of the complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Parts 160, 162 and 164:

* 45 CFR, Part 160:

* 45 CFR, Part 162:

* 45 CFR, Part 164:

HIPAA Privacy Rule:

HIPAA Security Rule:

Key requirements/provisions: There are five parts to HIPAA's Administrative Simplification Statute and Rules:

1 2 3 4 Page 2
Page 2 of 4
The 10 most powerful companies in enterprise networking 2022