LearningTopic4.docx

Learning Topic

Industry Specific Legal, Regulations, Investigations and Compliance

Print

Decorative image of a whiteboard with legal and compliance-related terms and images.

Compliance

Warchi / Signature Collection / Getty Images

Many industries, including financial, health care, and education, are required to follow specific regulations and compliance requirements. Failure to meet those requirements can lead to criminal prosecution, monetary fines, and/or civil sanctions. As an IT professional, you will want to align your knowledge with requirements backed by the Certified Information Systems Security Professional (CISSP) certification, in this case the Legal, Regulations, Investigations and Compliance domain of the CISSP body of knowledge. You will need to have a basic understanding of the general requirements of industry-specific laws and where they might be applicable. Some examples are listed below. 

· Payment Card Industry Data Security Standard (PCI DSS)

· Patriot Act

· General Data Protection Regulation (GDPR)  

· Computer Fraud and Abuse Act 

· Electronic Communications Privacy Act (ECPA)

· Gramm-Leach-Bliley Act (GLBA)

· Health Insurance Portability and Accountability Act (HIPAA)

· Sarbanes-Oxley Act  

· Family Educational Rights and Privacy Act (FERPA)

Payment Card Industry Data Security Standard (PCI DSS) 

The PCI Security Standards Council (PCI SSC) has developed standards to protect the credit card payment data of cardholders. Any businesses that store, process, or transmit this data are governed by these security standards, and all technical and operational system components must be in compliance with the rules set by the standards.

PCI DSS compliance to these standards helps to ensure that payments systems are safe from cyberattacks and that transactions conducted by those systems are secure (Ryan Technical Services, n.d.).

There are 12 core requirements associated with this compliance. The table below provides the PCI DSS requirements and the control objectives achieved by those requirements.

Control Objectives

PCI DSS Requirements

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

 

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintaina vulnerability management program

5. Use and regularly update antivirus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security

Payment Card Industry Data Security Standard from  Wikipedia is available under a  Creative Commons Attribution-ShareAlike 3.0 Unported license. UMGC has modified this work and it is available under the original license .

Patriot Act

Under the Patriot Act, federal governmental agencies can use surveillance techniques against anyone who is suspected of crime or terror. The legislation provides federal investigators with a variety of investigative and intelligence surveillance tools and removed the legal barriers preventing law enforcement agencies from sharing intelligence with each other. The act’s actual title is the United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001.

The act “creates a definition of 'computer trespasser' and makes such activities a terrorist act in certain circumstances” (Smith et al., 2002), enabling law enforcement officials to “intercept the communications of computer trespassers” (Smith et al., 2002). Many provisions of the law, particularly Title III, could affect e-commerce, in the areas of international money laundering and terrorism finance. “Over time, these provisions may affect e-commerce broadly, and electronic fund transfers specifically” (Smith et al., 2002)

In 2015, the USA FREEDOM Act updated some elements of the Patriot Act. Specifically, it set new limits on the bulk collection of telecommunication metadata by federal intelligence agencies. Agencies are now required to obtain targeted warrants before collecting this information (Diamond, 2015).

As political policies change over time, IT professionals should monitor any updates or revisions that could affect their organizations.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union's (EU) data privacy law that was implemented May 25, 2018. It applies to any organization that holds or uses data on citizens inside the EU, regardless of the physical location of the company itself (Kottasová, 2018). So, if your company deals with data on EU’s residents, you should be aware of the regulation’s restrictions.

The central idea behind this law is to require "privacy by default" with regard to the collection and handling of all personal data (defined as any information relating to an identified or identifiable person) (AWS, 2018).

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act of 1986 (ECPA) authorized electronic data transmissions by computer to be subject to collection by authorized agents of the US government, thus protecting all electronic communication from unauthorized government access. Law enforcement agencies are required to obtain search warrants to access any electronic communication. In addition, the act prohibits wiretapping of employees' electronic data transmissions and telephone conversations, and also prohibits unauthorized access to employees' communication stored by employers.

The ECPA was amended and updated with the passage of the Patriot Act in 2001, which authorizes law enforcement officers to use search warrants to compel disclosure of voice mail stored with a third-party provider.

Computer Fraud and Abuse Act – Title 18 Section 1030

The Computer Fraud and Abuse Act (CFAA) delineates specific illegal acts relating to computer crimes. The CFAA covers the following:

· defines specific key terms used throughout the legislation

· outlines the components that do and do not constitute criminal acts

· specifies the consequences of those acts, as well as certain aggravating factors

·  describes exceptions to the criminality of these acts in cases of law enforcement and similar contexts

The scope of the CFAA covers seven criminal offenses, including accessing a computer without proper authorization to obtain national defense information, accessing a computer without proper authorization to obtain private, financial records, information from any US department or agency, or information from any protected computer, accessing a nonpublic computer of any US department or agency without proper authorization, accessing a protected computer with intent to defraud, causing damage to a protected computer by transmitting a malicious program, information, code, or command, trafficking passwords or similar information to access a computer without authorization, and extorting through the use of a computer. It should be noted that the CFAA defines a protected computer as a computer that is exclusively used by a financial institution or the US Government or a computer that is used for interstate or foreign commerce or communication, a definition that covers virtually every computer in use (US Department of Justice, n.d.).

Gramm-Leach-Bliley Act (GLBA)

Enacted in November 1999, the Gramm-Leach-Bliley Act (GLBA) establishes a requirement for financial institutions to protect the sensitive personal information of their customers. Also known as the Financial Services Modernization Act of 1999, GLBA "...requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data" (Federal Trade Commission, n.d., a.). The act was authored by Senator Phil Gramm and Representatives Thomas J. Bliley Jr. and Jim Leach. GLBA contains the "Safeguards Rule," which establishes the requirement for financial institutions to protect the information they collect from their consumers.

GLBA has several requirements regarding privacy protection. The first is an annual requirement for customers to receive the financial institution's privacy notice. This notice must clearly state opt-out instructions for sharing personal financial information. GLBA also puts limits on the use or redisclosure of nonpublic personal information acquired from a financial institution. And, GLBA establishes requirements for securely storing personal financial information. Institutions subject to GLBA include nonbank mortgage lenders, loan brokers, some financial or investment advisors, tax preparers, providers of real estate settlement services, and debt collectors (Federal Trade Commission, n.d., b.).

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 to improve the security of the storage and use of health care data.  These regulations define how health care agencies must secure patients’ personal information and regulate its disclosure.

IT professionals should understand how HIPAA applies to their work so they can correctly handle sensitive information and demonstrate the organization’s compliance with the law in order to protect patients and the organization (DNS Stuff, n.d.).  Unauthorized access or release of data can lead to problems for the individuals whose data has been compromised and also fines and penalties for the organization (Ashraf, n.d.).

Three rules within HIPAA are most relevant to professionals working in information technology:

· The  Privacy Rule requires safeguards to protect the privacy of personal health information and “sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization (HHS, "Privacy Rule," n.d.). It provides patients the right to view health information and request corrections (HHS, "Privacy Rule," n.d.).

· The  Security Rule “requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic personal health information” (ePHI) (HHS, "Summary of the HIPAA Security Rule," n.d.).

· The  Breach Notification Rule requires covered entities to notify patients when their protected information has been used without proper permission or disclosed in a manner that compromises privacy and security (HHS, “Breach Notification Rule,” n.d.).

Sarbanes-Oxley Act

The Sarbanes-Oxley Act was enacted in 2002 to protect shareholders and the general public from accounting errors and fraudulent practices by publicly traded corporations. It is often referred to as SOX. The act was also called the "Public Company Accounting Reform and Investor Protection Act" in the Senate and "Corporate and Auditing Accountability, Responsibility, and Transparency Act," in the House (“Sarbanes-Oxley Act,” n.d.).

To comply with SOX, corporations must save all business records, including electronic records and messages, for “not less than five years,” according to the legislation. This means that IT departments must create and maintain an archive of corporate records with security controls that ensure that financial data is accurate and protected against loss (De Groot, 2019).

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the US Department of Education. Under FERPA, schools may disclose, without consent, directory information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA.

References

Amazon Web Services (AWS). (2018). General Data Protection Regulation (GDPR) center. https://aws.amazon.com/compliance/gdpr-center/?sc_medium=AW_AWNS_FMM_GDPR_nb_041018&trk=70150000000mkld&s_kwcid=AL!4422!3!265937371174!e!!g!!gdpr&ef_id=WvTFNQAAALLzX2jc:20180731134307:s

Ashraf, A. (n.d.). PII and PHI overview: What CISSPs need to know. Infosec.  https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/protecting-privacy/#gref

De Groot, J. (2019). What is SOX compliance? 2019 SOX requirements and more.  https://digitalguardian.com/blog/what-sox-compliance

Diamond, J. (2015). NSA surveillance bill passes after weeks-long showdown. https://www.cnn.com/2015/06/02/politics/senate-usa-freedom-act-vote-patriot-act-nsa/

DNSStuff. (n.d.) What is HIPAA compliance? https://www.dnsstuff.com/what-is-hipaa-compliance

Federal Trade Commission. (n.d., a.). Gramm-Leach-Bliley Act. Retrieved from https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

Federal Trade Commission. (n.d., b.). In brief: The financial privacy requirements of the Gramm-Leach-Bliley Act. Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act

Department of Health and Human Services (HHS). (n.d.). The HIPAA privacy rule. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Department of Health and Human Services (HHS). (n.d.). The HIPAA security rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Department of Health and Human Services (HHS). (n.d.). Breach notification rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Kottasová, I. (2018, May 21). What is GDPR? Everything you need to know about Europe's new data law. https://money.cnn.com/2018/05/21/technology/gdpr-explained-europe-privacy/index.html?iid=EL

Ryan Technical Services (n.d.). PCI DSS compliance. http://ryantech.com/pci-dss-compliance 

Sarbanes-Oxley Act. (n.d.). In Wikipedia. https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

Smith, M. S., Seifert, J. W., McLoughlin, G. J., & Moteff, J. D. (2002). The internet and the USA PATRIOT Act: Potential implications for electronic privacy, security, commerce, and Government. Congressional Research Service. https://epic.org/privacy/terrorism/usapatriot/RL31289.pdf

Solove, D. (2006). A brief history of information privacy law.  http://papers.ssrn.com/sol3/papers.cfm?abstract_id=914271

US Department of Justice. (n.d.). Prosecuting computer crimes. Computer Crime and Intellectual Property Section, Criminal Division.  https://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf 

US Department of Justice. (n.d.). Public law 99-508.  http://www.justice.gov/jmd/ls/legislative_histories/pl99-508/act-pl99-508.pdf

image1.png