Overview of data privacy laws

Privacy issues are sweeping the information security landscape as individuals demand accountability from corporations, organizations and others that handle their data. As an information security professional, it's important that you have a basic understanding of data privacy laws and know the legal requirements your organization faces if it enters a line of business regulated by these laws.

You may have already dismissed these concerns as irrelevant because someone advised you that there's no legal requirement that you protect data. The Federal Trade Commission (the government agency charged with protecting the privacy of individuals in the United States) can only take action against you if you voluntarily post a privacy statement and then deliberately violate it. Therefore, many organizations have taken the advice of their attorneys and refuse to post a privacy statement.

This legal protection may work in some cases, but it's simply not true that there aren't privac...

BROWSE BY TAG Web Security Advisor,   Security Audit, Compliance and Standards,   Data Privacy and Protection,   VIEW ALL TAGS

RELATED CONTENT Web Security Advisor DNS rebinding defenses still necessary, thanks to Web 2.0 New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking website threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits Data Privacy and Protection New data protection laws MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation Information security book excerpts and reviews Quiz: Compliance-driven role management Interpreting 'risk' in the Massachusetts data protection law Strategies for using technology to enable automated compliance How to prepare for a FERPA audit How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Compliance in the cloud Data Privacy and Protection Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cypherpunk  (SearchSecurity.com) Data Encryption Standard  (SearchSecurity.com) P3P  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

y laws on the books in the U.S. Granted, these laws only apply if your organization fits into certain categories, but the categories are quite broad.

COPPA

The first category involves the privacy of children. The Children's Online Privacy Protection Act of 1998 (COPPA) provides specific guidelines for organizations that fit into one of the following three categories:

• Operate a Web site directed to children under age 13 that collects personal information.
• Operate a general audience Web site that knowingly collects personal information from children under 13.
• Operate a general audience Web site with a special section for children and collect personal information from children under age 13.

As you can see, quite a few Web sites fit at least one of these criteria. If your organization operates a site that falls under the jurisdiction of COPPA, you must post a privacy policy, notify parents about the information you're collecting, provide a mechanism for parental consent and a number of other actions. For more information on your COPPA responsibilities, see the FTC's COPPA Web site.

• Guest Commentary contributor Ira Winkler describes the impact of privacy laws on CISOs.
• How much do you know about IT laws and regulations? Find out with our compliance quiz.
• Learn some best practices for managing compliance with security standards.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) also contains a substantial Privacy Rule that affects organizations that process medical records on individual citizens. HIPAA's "covered entities" include:

• Health care providers
• Health care clearinghouses
• Health care plans

The HIPAA Privacy Rule requires covered entities to inform patients about their privacy rights, train employees on the handling of private information, adopt and implement appropriate privacy practices and provide appropriate security for patient records. For more information on HIPAA, see the Department of Health and Human Services' HIPAA Web site.

GLBA

The most recent addition to privacy law in the United States is the Gramm-Leach-Bliley Act of 1999 (GLBA). Aimed at financial institutions, this law contains a number of specific actions that regulate how covered organizations may handle private financial information, the safeguards they must put in place to protect that information and prohibitions against their gaining such information under false pretenses.

If you're thinking to yourself, "That's fine, I don't work for a bank, hospital or children's Web site, so these laws don't apply to me," stop and think again. The FTC has interpreted GLBA with an incredibly wide definition of the term "financial institution." Some examples of industries covered by GLBA include:

• Banking
• Securities trading
• Insurance companies
• Lenders
• Tax preparers
• Credit counselors and financial advisors
• Real estate settlement services
• Debt collection services

Of course, this isn't a comprehensive list. For more information GLBA that can help you determine if you're covered, visit the FTC's GLBA site.

Data privacy is a complex and rapidly changing field. The legal landscape surrounding these issues is fluid and subject to new legislation and interpretation by government agencies and the courts. It's imperative that you keep current on the laws as they apply to your firm.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.