The security laws, regulations and guidelines directory

Need to find and understand security and privacy laws, regulations and guidelines? Here's a handy compendium with summaries plus links to the full text of each law.

This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or reg as well as information about what and who is covered.

The list is intentionally US-centric, but includes selected laws of other nations that have an impact on US-based global companies.

The security regulations and guidelines directory will be updated and expanded over time on CSOonline.com. Please email editor Derek Slater (dslater@cxo.com) with suggestions or updates.

Click on a link to skip to a subsection of the directory:

  • Broadly applicable laws and regulations. Includes: Sarbanes-Oxley Act (SOX); Payment Card Industry Data Security Standard (PCI DSS); Gramm-Leach-Bliley (GLB) Act; Electronic Fund Transfer Act, Regulation E (EFTA); Customs-Trade Partnership Against Terrorism (C-TPAT); Free and Secure Trade Program (FAST); Children's Online Privacy Protection Act (COPPA); Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule; Federal Rules of Civil Procedure (FRCP)
  • Industry-specific guidelines and requirements. Includes: Federal Information Security Management Act (FISMA); North American Electric Reliability Corp. (NERC) standards; Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records; Health Insurance Portability and Accountability Act (HIPAA); The Health Information Technology for Economic and Clinical Health Act (HITECH); Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule); H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
  • Key state laws. Includes: Massachusetts 201 CMR 17 (aka Mass Data Protection Law); Nevada Personal Information Data Privacy Encryption Law NRS 603A
  • International laws. Includes: Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA), Canada; Law on the Protection of Personal Data Held by Private Parties, Mexico; European Union Data Protection Directive; Safe Harbor Act

Section one: Broadly applicable laws and regulations

Sarbanes-Oxley Act (aka Sarbox, SOX)

What Sarbanes-Oxley covers: Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It was enacted after the high-profile Enron and WorldCom financial scandals of the early 2000s. It is administered by the Securities and Exchange Commission, which publishes SOX rules and requirements defining audit requirements and the records businesses should store and for how long.

Who is affected: U.S. public company boards, management and public accounting firms.

Full text of Sarbanes-Oxley Act: http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/content-detail.html

Key requirements/provisions: The Act is organized into 11 titles:

  1. Public Company Accounting Oversight
  2. Auditor Independence
  3. Corporate Responsibility
  4. Enhanced Financial Disclosures
  5. Analyst Conflicts of Interest
  6. Commission Resources and Authority
  7. Studies and Reports
  8. Corporate and Criminal Fraud Accountability
  9. White-Collar Crime Penalty Enhancements
  10. Corporate Tax Returns
  11. Corporate Fraud Accountability

Source: SarbanesOxleyCompliance.com

Payment Card Industry Data Security Standard (PCI DSS)

What it covers: The PCI DSS is a set of requirements for enhancing security of payment customer account data. It was developed by the founders of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa to help facilitate global adoption of consistent data security measures. PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The Council has also issued requirements called the Payment Application Data Security Standard (PA DSS) and PCI Pin Transaction Security (PCI PTS).

Who is affected: Retailers, credit card companies, anyone handling credit card data.

Link to the PCI DSS requirements:

The current version is PCI DSS v2.0, issued 10/28/2010. https://www.pcisecuritystandards.org/security_standards/documents.php

You will also find full text of the latest PA DSS and PCI PTS requirements on that page.

Support documents (including a summary of the significant differences between PCI DSS v1.2 and PCI DSS v2.0): https://www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml

Key requirements/provisions: Currently, PCI DSS specifies 12 requirements, organized in six basic objectives:

Objective 1: Build and Maintain a Secure Retail Point of Sale System
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Objective 2: Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Objective 3: Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Objective 4: Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Objective 5: Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Objective 6: Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Source: PCI Security Standards Council

The Gramm-Leach-Bliley (GLB) Act of 1999

What it covers: Also known as the Financial Modernization Act of 1999, the GLB Act includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.

Who is affected: Financial institutions (banks, securities firms, insurance companies), as well as companies providing financial products and services to consumers (including lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts).

Link to the law: The Privacy of Consumer Financial Information rule within GLB: http://www.ftc.gov/os/2000/05/65fr33645.pdf

Laws and rules pertaining to GLB: http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_lr.html

Key requirements/provisions: The privacy requirements of GLB include three principal parts:

The Financial Privacy Rule: Requires financial institutions to give customers privacy notices that explain their information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information.

The Safeguards Rule: Requires all financial institutions to design, implement and maintain safeguards to protect the confidentiality and integrity of personal consumer information.

Pretexting provisions: Protect consumers from individuals and companies that obtain their personal financial information under false pretenses, including fraudulent statements and impersonation.

Source: Federal Trade Commission

Electronic Fund Transfer Act, Regulation E

What it covers: Enacted in 1978, this law protects consumers engaging in electronic fund transfers from errors and fraud. It carries out the purposes of the Electronic Fund Transfer Act, which establishes the basic rights, liabilities, and responsibilities of EFT consumers of financial institutions that offer these services. EFTs include ATM transfers, telephone bill-payment services, point-of-sale terminal transfers in stores and preauthorized transfers from or to a consumer's account (such as direct deposit and Social Security payments). Effective August 2010, a new provision states that institutions may not impose dormancy, inactivity or service fees for pre-paid products, such as gift cards, nor can they have an expiration date of less than five years.

Who is affected: Financial institutions that hold consumer accounts or provide EFT services, as well as merchants and other payees.

Link to the law:

http://www.fdic.gov/regulations/laws/rules/6500-3100.html

With 2010 updates: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=/ecfrbrowse/Title12/12cfr205_main_02.tpl

Key requirements/provisions: Regulation E includes the following provisions:

  • Definition of access device (debit cards, PINs, phone transfers, bill payment codes, private label cards).
  • Consumer acceptance of device (either through a request for the device or validation of an unsolicited device).
  • Financial institution responsibilities, such as disclosure requirements and records retention.
  • Consumer rights and responsibilities, such as procedures for reporting lost or stolen access devices and notifying the institution of an error.
  • Rules for preauthorized debits and electronic check transactions.
  • Error resolution process.
  • Unauthorized EFTs.

Source: BankersOnline.com, Alston & Byrd LLP

Customs-Trade Partnership Against Terrorism (C-TPAT)

What it covers: C-TPAT is a worldwide supply chain security initiative established in 2004. It is a voluntary initiative run by U.S. Customs and Border Protection, with the goal of preventing terrorists and terrorist weapons from entering the U.S. It is designed to build cooperative government-business relationships that strengthen and improve the overall international supply chain and U.S. border security. Businesses are asked to ensure the integrity of their own security practices and to communicate and verify the security guidelines of their business partners within the supply chain.

Benefits for participating in C-TPAT include a reduced number of CBP inspections, priority processing for CBP inspections, assignment of a C-TPAT supply chain security specialist to validate security throughout the company's supply chain and more.

Who is affected: Trade-related businesses, such as importers, carriers, consolidators, logistics providers, licensed customs brokers, and manufacturers.

Link to overview of C-TPAT:

http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/what_ctpat/ctpat_overview.xml

Security criteria for various players:

http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/security_criteria/

Key requirements/provisions: C-TPAT relies on a multi-layered approach consisting of the following five goals:

  1. Ensure that C-TPAT partners improve the security of their supply chains pursuant to C-TPAT security criteria.
  2. Provide incentives and benefits to include expedited processing of C-TPAT shipments to C-TPAT partners.
  3. Internationalize the core principles of C-TPAT.
  4. Support other CBP initiatives, such as Free and Secure Trade, Secure Freight Initiative, Container Security Initiative.
  5. Improve administration of the C-TPAT program.

C-TPAT security criteria encompass the following areas:

  • Business partners
  • Conveyance security
  • Physical access control
  • Personnel security
  • Procedural security
  • Physical security
  • Security training/Threat awareness
  • Information technology security

Source: U.S. Bureau of Customs and Border Protection

Free and Secure Trade Program (FAST)

What it covers: FAST is a voluntary commercial clearance program run by U.S. Customs and Border Protection for pre-approved, low-risk goods entering the U.S. from Canada and Mexico. Initiated after 9/11, the program allows for expedited processing for commercial carriers who have completed background checks and fulfill certain eligibility requirements. Participation in FAST requires that every link in the supply chain, from manufacturer to carrier to driver to importer, is certified under the C-TPAT program (see above). Cards cost $50 and are valid for 5 years.

Benefits of using FAST and C-TPAT include:

  • Upon terrorist alerts, FAST/C-TPAT drivers will be allowed to cross the border.
  • Dedicated lanes for greater speed and efficiency.
  • Reduced cost of compliance with customs requirements.

Who is affected: Importers, carriers, consolidators, licensed customs brokers, and manufacturers.

Link to FAST program details: http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/fast/fast_driver/

Key requirements/provisions: Highway carriers authorized to use the FAST/C-TPAT program need to meet the following requirements:

  • A demonstrated history of complying with all relevant legislative and regulatory requirements.
  • A commitment to security-enhancing business practices, as required by the C-TPAT and Canada's PIP program.
  • Use of drivers who are in possession of a valid FAST commercial driver card when using FAST clearance.
  • In the case of carriers seeking FAST clearance into Canada, being bonded and having the necessary business processes required for the Customs Self Assessment (CSA) program.

Source: U.S. Bureau of Customs and Border Protection

Children's Online Privacy Protection Act

What it covers: COPPA, which took effect in 2000, applies to the online collection of personal information from children under 13. Monitored by the Federal Trade Commission (FTC), the rules limit how companies may collect and disclose children's personal information. They codify what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online.

Who is affected: Operators of commercial Web sites and online services directed to children under 13 that collect personal information from children, as well as general audience Web sites with actual knowledge they are collecting personal information from children.

Link to the law: http://www.ftc.gov/ogc/coppa1.htm

Key requirements/provisions: Basic provisions of COPPA include:

  • Privacy notice, with specifics on placement and content.
  • A direct notice to parents, with specifics on content.
  • Verifiable parental consent, for internal use, public disclosure and third-party disclosure of information.
  • Verification that a parent requesting access to child's information is actually the parent.
  • Ability for parents to revoke consent and delete information.
  • The ability for industry groups and others to create self-regulatory programs to govern compliance with COPPA.

Source: Federal Trade Commission

Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule

What it covers: Passed in December 2003, FACTA is an amendment to the Fair Credit Reporting Act that is intended to help consumers avoid identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in the legislation. The Act also says businesses in possession of consumer information or information derived from consumer reports must properly dispose of the information.

The Red Flags Rule establishes new provisions within FACTA requiring financial institutions, creditors, etc. to develop and implement an identity theft prevention program. The Red Flags Rule has been delayed several times and is currently scheduled for enforcement by the FTC starting December 31, 2010.

Who is affected: Credit bureaus, credit reporting agencies, financial institutions, any business that uses a consumer report, and creditors. As defined by FACTA, a creditor is anyone who provides products or services and bills for payment.

Link to the law: http://www.ftc.gov/os/statutes/031224fcra.pdf

Red Flags Rule: http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf

Key requirements/provisions: FACTA includes the following key provisions:

  • Free reports. Consumers can obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies.
  • Fraud alerts and active duty alerts. Individuals can place alerts on their credit histories if identity theft is suspected or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult.
  • Truncation: Credit cards, debit cards, Social Security numbers. Credit and debit card receipts may not include more than the last five digits of the card number or the expiration date. Consumers who request a copy of their file can also request that the first five digits of their Social Security number not be included.
  • Information available to victims. A business that provides credit or products and services to someone who fraudulently uses your identity must give you copies of the documents, such as credit applications.
  • Collection agencies: If a victim of identity theft is contacted by a collection agency about a debt that resulted from the theft, the collector must inform the creditor of that. When creditors are notified that the debt is the work of an identity thief, they cannot sell the debt or place it for collection.
  • Red Flags Rule: Several provisions within FACTA require financial institutions, creditors, etc. to develop and implement an identity theft prevention program, aimed at early detection and mitigation of fraud. The program must include provisions to identify relevant "red flags," detect these early warning signs, respond appropriately and periodically update the program. Additional provisions include guidelines and requirements to assess the validity of a change of address request and procedures to reconcile different consumer addresses. The deadline for complying with the Red Flags Rule has been extended several times and is currently December 2010. Questions remain as to which companies need to comply with this part of FACTA.
  • Proper disposal of consumer reports. Consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal to avoid "dumpster diving" by identity thieves. This includes lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, attorneys and private investigators, debt collectors, individuals who obtain a credit report on prospective nannies, contractors or tenants.
  • Disputing inaccurate information. Consumers can dispute data included in reports directly with the company that furnished it.

Source: Business Records Management, Privacy Rights Clearinghouse, Federal Trade Commission

Federal Rules of Civil Procedure (FRCP)

What it covers: In place since 1938, the FRCP discovery rules govern court procedures for civil lawsuits. The first major revisions, made in 2006, make clear that electronically stored information is discoverable, and they detail what, how and when electronic data must be produced. As a result, companies must know what data they are storing and where it is; they need policies in place to manage electronic data; they need to follow these policies; and they need to be able to prove compliance with these policies, in order to avoid unfavorable rulings resulting from failing to produce data that is relevant to a case.

Security professionals may be involved in proving to a court's satisfaction that stored data has not been tampered with.

Who is affected: Any company that is, or could be, involved in a civil lawsuit within the federal courts. In addition, because states have adopted FRCP-like rules, companies involved in litigation within a state court system are also affected.

Link to the rules: http://www.law.cornell.edu/rules/frcp/

Key requirements/provisions: There are 13 sections to the FRCP. The major changes pertain to Chapter 5, Rules 26-37, as these require a detailed understanding of electronic data retention policies and procedures, what data exists and where, as well as the ability to search for and produce this data within the timeframes stipulated. Here is a summary of these rules:

Rule 26 (a): Makes clear that electronically stored information is discoverable and that companies must be able to produce relevant data.

Rule 26 (b)(2): Clarifies limits on discoverable data; for instance, companies are not required to produce data that would prove to be excessively expensive or burdensome, such as from sources that aren't reasonably accessible, like backup tapes used for disaster recovery and obsolete media.

Rule 26 (f): Stipulates that the parties involved need to discuss issues relating to the disclosure or discovery of electronic data before discovery begins.

Rule 33 (d): Establishes that a reasonable opportunity is provided to examine and audit the data provided.

Rule 34 (b): Establishes that electronic data is as important as paper documents, and that it must be produced in a reasonably usable format.

Rule 37 (f): Provides "safe harbor" when electronic data is lost or unrecoverable, as long as it can be proved that good-faith business operations were routinely followed.

Source: Cornell University Law School, Business Records Management

Section two: Industry-specific regulations and guidelines

Federal Information Security Management Act (FISMA)

What it covers: Enacted in 2002, FISMA requires federal agencies to implement a program to provide security for their information and information systems, including those provided or managed by another agency or contractor. It is Title III of the E-Government Act of 2002.

Who is affected: Federal agencies.

Link to the law: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

Key requirements/provisions: FISMA recommends that an effective security program include the following elements:

  • Periodic risk assessments.
  • Policies and procedures based on these assessments that cost-effectively reduce information security risk and ensure security is addressed throughout the life cycle of each information system.
  • Subordinate plans for information security for networks, facilities, etc.
  • Security awareness training for personnel.
  • Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices and controls, at least on an annual basis.
  • A process to address deficiencies in information security policies.
  • Procedures for detecting, reporting and responding to security incidents.
  • Procedures and plans to ensure continuity of operations for information systems that support the organization's operations and assets.

Source: National Institute of Standards and Technology

North American Electric Reliability Corp. (NERC) standards

What it covers: The current set of 83 NERC standards were developed to establish and enforce reliability standards for the bulk-power system of North America, as well as protect the industry's critical infrastructure from physical and cyber threats. These overall standards became mandatory and enforceable in the U.S. on June 18, 2007. Critical Infrastructure Protection (CIP) elements of the reliability standard have been subsequently updated, most recently in 2009. CIP standards include identification and protection of both physical assets and digital ("cyber") systems.

Who is affected: North American electric utilities.

Link to the NERC reliability standards: http://www.nerc.com/files/Reliability_Standards_Complete_Set.pdf

Key requirements/provisions: NERC standards fall into the following 13 categories:

  • Resource and Demand Balancing
  • Communications
  • Critical Infrastructure Protection
  • Emergency Preparedness and Operations
  • Facilities Design, Connections and Maintenance
  • Interchange Scheduling and Coordination
  • Modeling, Data and Analysis
  • Nuclear
  • Personnel Performance, Training and Qualifications
  • Protection and Control
  • Transmission Operations
  • Transmission Planning
  • Voltage and Reactive

Source: NERC

Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records

What it covers: Part 11, as it is commonly called, was issued in 1997 and is monitored by the U.S. Food and Drug Administration. It imposes guidelines on electronic records and electronic signatures in an effort to uphold their reliability and trustworthiness.

Who is affected: All FDA-regulated industries that use computers for regulated activities, both in the U.S. and outside the country.

Link to the law: http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?cfrpart=11

With 2010 amendments: http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=58&showFR=1

Key requirements/provisions: Part 11 has 19 requirements, the most important of which include:

  • Use of validated existing and new computerized systems.
  • Secure retention of electronic records and instant retrieval.
  • User-independent, computer-generated, time-stamped audit trails.
  • System and data security, data integrity and confidentiality through limited authorized access to systems and records.
  • Use of secure electronic signatures for closed and open systems.
  • Use of digital signatures for open systems.
  • Use of operational checks.
  • Use of device checks.
  • Determination that the people who develop, maintain or use electronic systems have the education, training and experience to perform their assigned task.

Source: LabCompliance

Health Insurance Portability and Accountability Act (HIPAA)

What it covers: Enacted in 1996, HIPAA is intended to improve the efficiency and effectiveness of the health care system. As such, it requires the adoption of national standards for electronic health care transactions and code sets, as well as unique health identifiers for providers, health insurance plans and employers.

(Note: HIPAA's requirements are significantly updated by the HITECH Act; see next entry.)

Recognizing that electronic technology could erode the privacy of health information, the law also incorporates provisions for guarding the security and privacy of personal health information. It does this by enforcing national standards to protect:

  • Individually identifiable health information, known as the Privacy Rule.
  • The confidentiality, integrity and availability of electronic protected health information, known as the Security Rule.

The complete suite of rules is known as the HIPAA Administrative Simplification Regulations. It is administered by the Centers for Medicare & Medicaid Services and the Office for Civil Rights.

Who is affected: Health care providers, health plans, health clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.

Link to the law: An unofficial version (as of February 2009) that presents all the regulatory standards in one document: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf

Official versions of the complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Parts 160, 162 and 164:

  • 45 CFR, Part 160: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf
  • 45 CFR, Part 162: http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr162_07.html
  • 45 CFR, Part 164: http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr164_07.html

HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf

HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf

Key requirements/provisions: There are five parts to HIPAA's Administrative Simplification Statute and Rules:

  1. Electronic Transaction and Code Sets Standards: Requires every provider who does business electronically to use the same health care transactions, code sets and identifiers. This rule is administered by the Centers for Medicare & Medicaid Services.
  2. Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The rule permits the disclosure of personal health information needed for patient care and other important purposes. This rule is administered by the Office for Civil Rights.
  3. Security Rule: Specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information. This rule is administered by the Office for Civil Rights.
  4. National Identifier Requirements: Requires that health care providers, health plans and employers have standard national numbers that identify them on standard transactions. This rule is administered by the Centers for Medicare & Medicaid Services.
  5. Enforcement Rule: Provides standards for enforcing all the Administrative Simplification Rules.

Source: U.S. Department of Health and Human Services, HIPAASurvivalGuide.com

    The Health Information Technology for Economic and Clinical Health Act (HITECH)

    What it covers: Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement.

    Who is affected: Health care providers, health plans, health clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.

    Link to the law: http://www.hipaasurvivalguide.com/hitech-act-text.php (easy to read format)

    More formal version: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf

    Key requirements/provisions:

    • Expansion of HIPAA security standards to "business associates," including people and organizations (typically subcontractors) that perform activities involving the use or disclosure of individually identifiable health information, such as claims processing, data analysis, quality assurance, billing, and benefit management, as well as those who provide legal, accounting, or administrative functions.
    • Increased civil penalties for "willful neglect."
    • Data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI." These notification requirements are similar to many state data breach laws related to personally identifiable financial information data.
    • Stronger individual rights to access electronic medical records and restrict the disclosure of certain information.
    • New limitations on the sale of protected health information, marketing and fundraising communications.

    Source: U.S. Department of Health and Human Services, HIPAASurvivalGuide.com

    Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)

    What it covers: PSQIA, signed into law in July 2005, establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues; its implementing regulation, the Patient Safety Rule (42 CFR Part 3), took effect on January 19, 2009. To encourage the reporting and analysis of medical errors, PSQIA provides federal privilege and confidentiality protections for patient safety work product (PSWP), which includes information collected and created during the reporting and analysis of patient safety events.

    These confidentiality provisions are intended to improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk. The HHS Office for Civil Rights (OCR) administers and enforces the confidentiality protections for PSWP. The Agency for Healthcare Research and Quality (AHRQ) administers the provisions dealing with patient safety organizations (PSOs).

    Who is affected: Healthcare providers, patients and individuals/entities that report medical errors or other patient safety events.

    Link to the law: http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf

    Key requirements/provisions:

    • Subpart A: Defines essential terms, such as patient safety work product (information collected and created during the reporting and analysis of patient safety events), patient safety evaluation system and patient safety organizations (PSO).
    • Subpart B: Provides the requirements for listing PSOs. These entities offer their expert advice in analyzing the patient safety events and other information they collect or develop to provide feedback and recommendations to providers.
    • Subpart C: Describes the privilege and confidentiality protections that attach to patient safety work product and the exceptions to the protections.
    • Subpart D: Establishes a framework to enable HHS to monitor and ensure compliance with the confidentiality provisions, a process for imposing a civil money penalty for breach of the confidentiality provisions, and hearing procedures.

    Source: U.S. Department of Health and Human Services, Agency for Healthcare Research and Quality (AHRQ)

    H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

    What it covers: The Chemical Facility Anti-Terrorism Standards (CFATS), codified at 6 CFR Part 27, went into effect in 2007 under Section 550 of the Department of Homeland Security Appropriations Act, 2007. CFATS imposes federal security regulations on high-risk chemical facilities, requiring covered facilities to prepare Security Vulnerability Assessments (SVAs) and to develop and implement Site Security Plans (SSPs) that include measures satisfying the applicable risk-based performance standards. H.R. 2868, the Chemical Facility Anti-Terrorism Act of 2009 (passed by the House in November 2009), would extend and tighten the program. At the time of writing the regulations are authorized through October 2011, at which point they will either be made permanent or be extended with tougher requirements. One requirement under consideration is the Inherently Safer Technologies (IST) provision, under which some facilities that use, store or manufacture certain chemicals could be required to change processes or the chemicals used.

    Who is affected: Any facility that possesses a DHS-listed chemical of interest (Appendix A to 6 CFR Part 27) at or above its screening threshold quantity, regardless of sector, including chemical manufacturing; storage and distribution; energy and utilities; agriculture and food; paints and coatings; explosives; mining; electronics; plastics; and healthcare.

    Link to the law: http://energycommerce.house.gov/Press_111/20091001/hr2868_billtext.pdf

    Key requirements/provisions: CFATS uses performance standards rather than prescriptive standards. These standards are "risk-based," meaning that security measures vary depending on each facility's determined level of risk.

    To that end, DHS created a tiered system and assigns covered facilities to one of four risk tiers, ranging from high (Tier 1) to low (Tier 4). A facility first reports its chemical holdings through the online Top-Screen in the Chemical Security Assessment Tool (CSAT); DHS uses that submission for a preliminary tier, and the facility's Security Vulnerability Assessment informs the final tier. Tier assignment is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest.

    Once assigned a tier, facilities must comply with 19 categories of risk-based performance standards:

    1. Restrict Area Perimeter
    2. Secure Site Assets
    3. Screen and Control Access
    4. Deter, Detect, Delay
    5. Shipping, Receipt and Storage
    6. Theft and Diversion
    7. Sabotage
    8. Cyber
    9. Response
    10. Monitoring
    11. Training
    12. Personnel Surety
    13. Elevated Threats
    14. Specific Threats, Vulnerabilities, Risks
    15. Reporting of Significant Security Incidents
    16. Significant Security Incidents and Suspicious Activities
    17. Officials and Organization
    18. Records
    19. Address any additional performance standards the Assistant Secretary may specify (a catch-all, which is why CFATS is often described as having 18 risk-based performance standards)

    Source: Department of Homeland Security

    Section three: Key state regulations (with broad impact in the US)

    Massachusetts 201 CMR 17 (aka Mass Data Protection Law)

    What it covers: This Massachusetts regulation, which took effect March 1, 2010, is intended to protect the state's residents against fraud and identity theft. It applies to any person or business, wherever located, that owns or licenses personal information about a Massachusetts resident, and requires a written information security program (WISP) that is reviewed at least annually and whenever there is a material change in business practices. It takes a risk-based approach rather than a prescriptive one: the program must take into account the size, scope and type of the business, the resources available, the amount of data stored, and the need for security and confidentiality, rather than requiring every business to adopt every component of a fixed program.


    Who is affected: Businesses that collect and retain personal information of Massachusetts residents in connection with the provision of goods and services or for the purpose of employment.

    Link to the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

    Key requirements/provisions: Key requirements of the regulation include the following:

    • A documented information security program (WISP), detailing the technical, physical and administrative safeguards for personal information.
    • Encryption of personal information (a resident's first name or initial and last name in combination with a Social Security number, driver's license or state ID card number, or financial account, credit or debit card number) when stored on laptops or other portable devices such as PDAs and flash drives, when transmitted wirelessly, or when transmitted across public networks.
    • Selection of third-party service providers that can properly safeguard personal information, with contracts that require them to do so.
    • Designated employees charged with overseeing and managing the security program, as well as continuously monitoring and addressing security risks.
    • Limits on the collection and retention of personal information to the minimum required for the intended purpose.
    • Computer system security requirements, including secure user authentication protocols, access controls, monitoring of systems for unauthorized use or access, reasonably up-to-date firewall protection and operating system patches, reasonably up-to-date system security agent software (anti-malware with current patches and virus definitions), and employee education and training.

    Source: Commonwealth of Massachusetts Office of Consumer Affairs

    Nevada Personal Information Data Privacy Encryption Law NRS 603A

    What it covers: Nevada was the first state to mandate encryption of customers' personal information in transit and on portable storage. The original mandate (NRS 597.970) took effect in October 2008; it was repealed and replaced by a broader requirement in NRS 603A.215, effective January 1, 2010.


    Who is affected: Businesses that collect and retain personal information of Nevada residents.

    Link to the law: http://www.leg.state.nv.us/nrs/nrs-603a.html

    Key requirements/provisions: The law contains the following requirements:

    • Data collectors that accept payment cards must comply with the current version of PCI DSS (see above).
    • Data collectors to whom the PCI DSS requirement does not apply must encrypt any personal information transmitted electronically (other than by fax or voice) to anyone outside the data collector's secure system.
    • They must also encrypt any personal information stored on a data storage device (computer, phone, magnetic tape, flash drive, etc.) that is moved beyond the logical or physical controls of the data collector or its data storage contractor.
    • "Encryption" for these purposes means a technology adopted by an established standards-setting body, such as the Federal Information Processing Standards issued by NIST, together with appropriate management and safeguarding of the cryptographic keys; a home-grown cipher does not qualify.
    • A data collector that complies with the law is not liable for damages from a security breach unless the breach was caused by its gross negligence or intentional misconduct.

    Source: State of Nevada, Paul Mudgett

    Section four: Selected international security and privacy laws

    Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA)—Canada

    What it covers: This Canadian privacy law governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity (the federal public sector is covered separately by the Privacy Act). It came into force in January 2001 for federally regulated organizations and in January 2004 for all others.

    Bill C-29, introduced in May 2010, proposed numerous amendments to PIPEDA, including new exceptions permitting the use and disclosure of personal information without consent, requirements for business transactions, and mandatory reporting of data breaches.

    Who is affected: Private-sector organizations that collect, use or disclose personal information in the course of commercial activity in Canada, including foreign companies that handle Canadians' data; where a province has enacted substantially similar legislation (Quebec, British Columbia and Alberta), that provincial law applies to activity within the province.

    Link to the law: http://www2.parl.gc.ca/HousePublications/Publication.aspx?pub=bill&doc=c-6&parl=36&ses=2&language=E

    Bill C-29 amendments: http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=4547739&

    Key requirements/provisions: PIPEDA establishes 10 principles to govern the collection, use and disclosure of personal information:

    1. Accountability
    2. Identifying Purposes
    3. Consent
    4. Limiting Collection
    5. Limiting Use, Disclosure and Retention
    6. Accuracy
    7. Safeguards
    8. Openness
    9. Individual Access
    10. Challenging Compliance

    Sources: BearingPoint, Office of the Privacy Commissioner of Canada

    Law on the Protection of Personal Data Held by Private Parties—Mexico

    What it covers: Published in the Official Gazette in July 2010, this Mexican federal law requires organizations to have a lawful basis, such as consent or a legal obligation, for collecting, processing, using and disclosing personally identifiable information. There is no requirement to register processing activities with a government body, as there is in many European countries, but companies handling personal data must give a privacy notice to the affected persons. Individuals must also be notified of a security breach that significantly affects their rights.

    Link to the law (Spanish language): http://www.dof.gob.mx/nota_detalle.php?codigo=5150631&fecha=05/07/2010

    Who it will impact: Mexican businesses, as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico.

    Requirements/provisions: In addition to addressing data retention, the law also incorporates eight general principles that data controllers must follow in handling personal data:

    • Legality
    • Consent
    • Notice
    • Quality
    • Purpose Limitation
    • Fidelity
    • Proportionality
    • Accountability

    Source: Information Law Group

    European Union Data Protection Directive

    What it covers: Directive 95/46/EC, adopted in October 1995, sets strict limits on the collection and use of personal data and requires each member state to enact implementing law and to set up an independent national data protection authority. (The directive was repealed by the General Data Protection Regulation, Regulation (EU) 2016/679, which has applied since 25 May 2018.)

    Link to the law: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:008:0001:0022:EN:PDF (this resolves to OJ L 8 of 12 January 2001, which is Regulation (EC) No 45/2001, the parallel rules for EU institutions; the directive itself was published in OJ L 281 of 23 November 1995)

    Additional legislative documents and case law: http://ec.europa.eu/justice/policies/privacy/law/index_en.htm

    Who it impacts: Businesses established in the EU, as well as non-European companies to which EU personal data is exported (see the Safe Harbor Framework, below).

    Requirements/provisions: The directive incorporates seven governing principles:

    1. Notice: Data subjects should be given notice when their data is being collected.
    2. Purpose: Data should only be used for the purpose stated.
    3. Consent: Data should not be disclosed without the subject's consent.
    4. Security: Collected data should be kept secure from any potential abuses.
    5. Disclosure: Data subjects should be informed as to who is collecting their data.
    6. Access: Data subjects should be allowed to access their data and make corrections to any inaccurate data.
    7. Accountability: Data subjects should have an available method to hold data collectors accountable for following the six principles above.

    Source: Europa, European Union Agency for Fundamental Rights

    Safe Harbor Framework (often called the Safe Harbor Act)

    What it covers: The U.S.-EU Safe Harbor Framework was a response to the Data Protection Directive, which since October 1998 has prohibited transfers of personal data to non-EU countries that do not meet the European "adequacy" standard for privacy protection (see above). The European Commission approved the framework in July 2000 (Decision 2000/520/EC); it was administered by the U.S. Department of Commerce, and U.S. companies joined by self-certifying annually to its privacy principles. Its purpose was to bridge the different privacy approaches of the U.S. and Europe, enabling U.S. companies to engage in trans-Atlantic data transfers without facing interruptions or prosecution by European authorities. (The Court of Justice of the EU invalidated the Safe Harbor decision in October 2015 in Schrems v. Data Protection Commissioner; it was succeeded by the EU-U.S. Privacy Shield, itself invalidated in July 2020.)

    Who is affected: U.S. companies that receive personal data from the EU, whether from customers, business partners or their own European subsidiaries.

    Link to the law: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/00/865&format=HTML&aged=1&language=EN&guiLanguage=en

    Key requirements/provisions:

    • Companies participating in the safe harbor will be deemed adequate, and data flows to those companies will continue.
    • Member state requirements for prior approval of data transfers either will be waived or approval will be automatically granted.
    • Claims brought by European citizens against U.S. companies will be heard in the U.S., subject to limited exceptions.

    Source: Europa, Business Records Management
