In my case, I choose Microsoft and it’s very interesting because of the number of
laws and regulations they carry with them but it’s also interesting because the laws
and rules are vital to ensuring public safety and company property. I know that certain
companies sell users' information but never private information, this comes into a
privacy act where companies cannot share sensitive user information and only things
like pages visited or things you like. This is how targeted ads work which are major
moneymakers for Microsoft and companies like Google. There can be huge impacts on
a company that violates any rules or laws in place, which includes areas such as the
cyber domain, lawsuits, and other legal issues that could lead to bigger problems can
happen if a company violates any of these rules set or does not adhere to them.

There have been many different laws passed in the U.S. and around the world that affect the
cyber domain and cybersecurity. One of these laws is the Sarbanes-Oxley Act. This
law ensures that companies that house personal data should make sure the validity of
the financial information and should not share the financial information of anyone. This
law also states that for a company to stay SOX compliant, they must have adequate
standards and security controls in place to ensure the confidentiality, integrity, and
availability of their financial information. This law affects all different businesses that
store financial information so that they may not sell the information or lack security
protocols to protect that information. Another law that affects the cyber domain is the
Electronic Funds Transfer Act. This law states that anyone electronically transferring
funds is protected against errors and fraud. This can include any company that is
electronically transferring funds to or from an account. This can include ATMs,
telephone bill payments, and POS terminals. Another law that affects the cyber domain
is Health Information Technology for Economic and Clinical Health Act. This law is
a direct modification to the HIPAA law that while on its own is directly targeted at
the medical community but with this brings major modifications to the way that
patients’ information is stored and accessed. It states that patient information stored must
be secured in a reasonable way and helps to expand the scope of the patient
confidentiality of HIPAA.

After doing extensive research on the laws and regulations
provided in this discussion I have come to the conclusion that the law that impacts
information security professionals the most in my opinion would be the Health
Insurance Portability and Accountability Act (HIPAA). This law basically protects the
patient’s personal information from anyone beside the person who is treating them.
Their caregiver is not allowed to share any of the information they receive without
consent from the patient. This law gives reassurance to both parties. The type of
information this regulation protects includes, but is not limited to, your payment
information, address, health information, and phone number. I have had many
experiences with HIPAA myself over the past couple years. I got into a car crash and
was severely hurt. I went through five shoulder surgeries to try to save the function
of my arm. My mom was not allowed to get any information about the accident or
my condition until I was conscious and gave consent. She was extremely upset about
this, but I totally understood the situation because of this law. Even though she was
my mom, someone could have acted like that just to get my information. There is a
lot of information that a hospital receives when you’re being cared for, and you do not
want to let anyone get into your personal information. Not everyone has this security,
but I am glad I know my information is safe when I am being cared for. The law
that affects my organization the most is the Fair and Accurate Credit Transaction Act
(FACTA). This is because my organization often deals with credit applications and this
helps those customers avoid identity theft. If we follow this law as a company, we
will not have any issues. Not all nations have the same rules, but I am relatively
familiar with the laws I need to be following.

The three laws and regulations that I
see that fit to the company I chose are Sarbanes-Oxley Act, Federal Rules of
Civil Procedure and also, one that originated in the EU that affects us here in the
states as well, the General Data Protection Regulation. The Sarbanes-Oxley
Act is a 2002 law that was a response to corporate fraud and is designed to improve
corporate disclosures and transparency. For IT and security folks, that means
information control and integrity, business continuity and disaster recovery, and
protecting information (and financial performance) from the impact of a data breach or
loss. The FRCP discovery rules govern court procedures for civil lawsuits. It makes
clear that electronically stored information is discoverable, and they detail what, how
and when electronic data must be produced. As a result, companies must know what
data they are storing and where it is; they need policies in place to manage electronic
data; they need to follow these policies; and they need to be able to prove compliance
with these policies, in order to avoid unfavorable rulings resulting from failing to
produce data that is relevant to a case. Companies that would be affected by this
would be any company that is or could be involved in a civil lawsuit within
the federal courts. In addition, because states have adopted FRCP-like rules, companies
involved in litigation within a state court system are also affected. The EU's General
Data Protection Regulation (GDPR) took effect on May 25, 2018. The GDPR is
designed to protect the personal data of EU citizens, and to do so it regulates how
such data is collected, stored, processed, and destroyed. The definition of "personal
data" is extremely broad: It includes names, addresses, and bank details, but also data
related to religion, race, mental or physical characteristics, and even IP addresses, web
cookies, contacts, and mobile device IDs, if they identify an individual.
I haven’t had to deal with these first hand, other than being the person who collects
data and since I’m on the front lines, I make sure that I do not give out any data of
anyone to any person without following the proper channels to verify the person whom
I’m talking with.
The laws and regulation that are evolved with the cyber domain can be very convoluted
as these laws are evolving to match society expectations of the cyber domain to
be governed and not free game for threats to linger unchecked. The ethics of the cyber
domain especially across the world multiple governments and countries with each their
own ethics and laws driven from their culture is very enticing to threats as the
perception of exploiting and committing crime with minimal risk to the threat. The
company I chose in week one was Apple and they have a cross functional approach
to conduct business on the cyber domain. Meaning they have their own set of ethics
and principles of how their customers should be treated in person and in the cyber
domain. They also have expectation to security and privacy as we trust them with
much of our personal information and financial information. The ethics and principles
Apple has from what I can tell developed from most of society in the United States
even though they have customers across the world. Their legal, principles and ethic are
remarkably similar from country to country only changing what is mandatory to be a
legal corporation in that country. This allows them to keep many of their core
principles to their worldwide customers and the ethical dilemmas of the cyber domain
in check for their small portion.

I feel as though all laws and regulations impact
security professionals equally because in today’s society most sensitive personal or
financial data is stored somewhere on an information system. These laws and
regulations give security professionals boundaries to work within which helps them to
understand to what level information needs to be protected. There are different types
of information being handled depending on the service that a company may provide.
Companies that deal with electronic transactions have to comply with regulations like
Payment Card Industry Data Security Standard (PCI DSS) and the Electronic Fund
Transfer Act. Both of these regulations keep consumers’ electronically stored information
safe. PCI DSS provides an enhanced security level when it comes to a customer’s
payment account data. This set of requirements includes things like security
management, policies, and other protective measures. Electronic Fund Transfer Act
protects consumers from errors and fraud while conducting electronic fund transfers
(EFT). This Act covers things like ATM transfers and POS terminal transfers in stores.
In 2010, a new provision was added to keep companies from charging inactivity or
service fees on pre-paid purchases like gift cards. CACI is impacted by these laws and
regulations on many fronts as they try to protect their own data from threats but they
also purchase things like gift cards for their employees. In that realm they have to
make sure they purchase from law abiding companies as their employees can be
susceptible to illegal practices. The company also operates in Nevada and Massachusetts
so they have to follow those states’ regulations in reference to collecting residents’
information. In Nevada, they enacted a data security law to encrypt customers’ personal
information if it is to be stored or transported. The state of Massachusetts requires that
companies that store or use residents’ personal information develop a regular audit
plan to protect that information. I have been a victim of identity theft back before
many of these policies were put into place. Nowadays these policies keep us protected
as electronic consumers so our data is better protected.

The roles and responsibilities
of those upholding the laws likely include regularly testing the security of their
systems to ensure they cannot be breached. Also, updating whatever security measures
or software they need to. This probably can be applied to all of the laws researched.
The law that stood out to me the most in regard to the organization I chose was the
PCI DSS law. It requires policies and protective measures to keep customers’ account
information safe. It is a requirement to be implemented with PCI DSS if you accept
credit cards no matter the size of your business. While being implemented is a
requirement being compliant is not, but it reduces the risk of credit card fraud if you
are. If your business is not compliant with PCI DSS and you experience a security
breach you may have to pay fines. From what I have been able to find it seems
Europe uses PCI DSS however, I wasn’t able to find a full list of countries it is used
in. I don’t know that I have ever had any direct experience with any of the laws,
HIPAA is the law I am most familiar with though.

I feel that the Federal Information
Security Management Act (FISMA) mostly impacts professionals. Professionals are
responsible for providing security programs for information systems and are required to
perform assessments. Some of the main roles for the professionals that are held
responsible for upholding this law include testing and evaluating how effective the
information security policies are. After researching through the international laws and
regulations, they focus mainly on protecting disclosure of personal information from
businesses and organizations. My experience with the laws and regulations would most
likely relate to the Fair and Accurate Credit Transaction Act (FACTA), including Red
Flags Rule. I work in an office building that receives applications from consumers who
would like to repair or retire their vehicle. In order to determine if they qualify for
our program, they have to be income eligible and provide proof of their income. By
law, we are responsible for upholding the consumers’ confidentiality and properly
disposing of their personal information after processing them in our database. I am one
of the few employees responsible for properly disposing the consumers’ application after
scanning and processing them into our database.

With the PCI DSS law the company
obtaining the card data for whatever process, is responsible for the data. The IT guy
is responsible for maintaining the systems and logging vulnerabilities along with testing
and monitoring, and if I understand correctly PCI security standard council is
responsible for enforcing the standard. This affects System76 by the way they collect
payment for customers’ purchases, they do practice some transference of liability by
allowing customers the option to finance their purchase, which at that point the creditor
carries the responsibility of maintaining the data. This process is well practiced across
the board all over, it seems to me like most every retailer online has a very similar
way they process payments and many offer a third party credit line possibly, which in
turn transfers the responsibility. I understand the PCI DSS standards, again, simply
because it is just that a standard that most every retailer follows both here in the U.S.
and abroad. I think the transference of responsibility is becoming more of the option
the retailers would prefer since most major retailers offer some kind of credit card
with perks attached to them.

Cyber security is the practice of defending computers,
servers, mobile devices, electronic systems, networks, and data from malicious attacks.
It's also known as information technology security or electronic information security.
Today, there is no consensus on who is responsible for data privacy. Some consumers
agree that the responsibility lies with them, but others think governments or businesses
are better equipped to deal with this complex issue. Data breaches have become both
more common and more severe. Cyber attacks that were previously considered
large-scale are today seen as normal. Hackers are more agile. The threats are becoming more
sophisticated; hackers are increasingly agile and are using advanced technology to
launch attacks. In recent years, numerous issues have arisen around the way enterprises
treat their users’ information. Personal data is processed for political and economic
reasons without users’ consent. In the US, device privacy laws vary depending on the
sector, state or data type. Recently, California implemented a new law that governs
IoT security on a state level. Technology leaders, meanwhile, are pushing for federal
privacy laws, and are beginning to see privacy as a human right.

After doing some
research on the laws and regulations that most impact information security
professionals there was one that stood out to me and that is the Health Insurance
Portability and Accountability Act (HIPAA). The Health Insurance Portability and
Accountability Act is intended to improve the efficiency and effectiveness of the health
care system. It does so by protecting the patient identifiable health information and by
protecting the confidentiality, and availability of patients’ information. I know about this
act from experience because I am HIPAA certified. So I am a medical assistant and
we are one of the people who has to follow the rule of HIPAA. This is very
important for the patient because it gives you a peace of mind knowing that your
personal information such as your payment information, your address, phone number,
health condition etc. is not being broadcasted to the world because of HIPAA. This is
also important because a lot of information is located on an EMR which is an
Electronic Medical Record and if it’s digital then there has to be some sort of cyber
security or else all of those patients’ information can be stolen if the system is hacked.

When it comes to the cyber domain, all employees are responsible for upholding the
law, but the information security professional has the biggest role dealing with the
responsibility and liability for privacy and security risks. The professional must maintain
up to date with laws and regulations, in doing so they can educate management and
employees on legal and ethical obligations. The company Advanced1 has to make sure
to follow the Federal Rules of Civil Procedure (FRCP) and Federal Information
Security Management Act (FISMA) since they are dealing with electronic data produced
for their clients in order to reduce risk of civil lawsuits. International privacy and
information security can become complex within a company due to laws and ethics
not being the same internationally. In the U.K., some laws have similarities to the U.S.,
such as the Computer Misuse Act 1990, Privacy and Electronic Communications (EC
Directive) Regulations 2003, and Police and Justice Act 2006. In Europe, the Council
of Europe adopted Convention on Cybercrime in 2001 creating an international task
force overseeing security functions in internet activities and standardized technology
laws across international borders. In Asian culture, computer technology ethics conflict
with western cultures. Asian traditions of collective ownership clash with the protection of
intellectual property allowing software infringement, illicit use and misuse of corporate
resources without any lawful consequences. I have not had any personal experience
with any of the laws and regulations that deal with the cyber domain.